Sandbox has been bypassed by malware again

Build *.828 at proactive profile on Win XP SP3

After letting the malware connect to the internet it is able to create a file outside of the sandbox:

http://img394.imageshack.us/img394/4022/windowsxpprofessional20.png

http://img693.imageshack.us/img693/5017/windowsxpprofessional20c.png

http://img693.imageshack.us/img693/9687/windowsxpprofessional20e.png

Download the malware sample:

It’s the “p.exe” of languy’s upload. Only “MRG” members can download the file, so no panic, dear mods. :wink:

It technically didn’t get bypassed, it just dropped a file, and everyone knows that in the Comodo sandbox programs can drop files. Did you try to double-click the new file to see if it would run? I would bet it would get sandboxed again.

OK, I have just analyzed it. It is not bypassing, and actually the sandbox is protecting against a very nasty virus.

Normally, this malware drops the followng files to windows folder and messes up the system really bad.

c:\windows\system32\aokomon.dll
c:\windows\system32\drivers\nokomnt.sys

In your case, it just copies itself to the same folder where it resides. That’s it. It cannot do anything else.

Automatic sandboxing does NOT enable file system virtualization, but D+ analyzes the actions and automatically blocks them.

Here is how you can see the real damage it could do without CIS:

1 - Set D+ to Paranoid Mode,
2 - Disable the AV,
3 - Execute the malware and observe the D+ alerts.

Yep. It is not bypassing.

See, egemen, that is why you guys have to jump on the files I submit. I submit pretty hardcore malware most of the time.

Of course, mate.

I do appreciate it.

Ok, the malware can’t do really harmful actions.

However, if I read “sandbox” I expect a sandbox. Sandbox means virtualization so that the real OS can’t get altered.
Comodo’s “automatic sandbox” is rather automatic restricting.

Tricky and a bit unfair to Sandboxie users. :wink:
I’m rather keeping with a real sandbox.

The key is: to get the job done! And to do it effectively and efficiently. That’s what we focus on.

Melih

It’s more like an “Automatic Defense+” without giving the user the opportunity to make the wrong choice… :wink:

And yes, it’s also not SandboxIE… It’s there to have smart security for all, and it happens to be named “Sandbox”.

I’m sure that any sandboxed application can’t drop any file in %system; it can do it in the current user folder, and once it drops any executable, that will also be added to the pending files, and any executed application will also be sandboxed, and so on. So far I couldn’t see any malware that actually defeats the so-called “automatic restriction” (which I personally love). So, in conclusion, :comodorocks:

knk2006 :-*

Looks like there could be different approaches to sandboxing, whereas the Chromium sandbox doesn’t make use of virtualization at all.

BTW, virtualization alone doesn’t necessarily mean sandboxing, whereas it is used to deploy and manage safe applications (e.g. SVS) which can be run virtualized but with administrative privileges…