Sandboxed malware restarts computer & causes cis.exe to crash [M1479]

Can you reproduce the problem & if so how reliably?:
Yes. On every instance of running Trojan.Shutdowner in the Sandbox, the system shuts down/cis.exe crashes.

If you can, exact steps to reproduce. If not, exactly what you did & what happened:
1: Right-click on the Shutdowner zipped file and select Run in COMODO Sandbox in the context menu
2: File sent to Sandbox and extracted, then run the executable in the Sandbox
3: System immediately restarts/cis.exe crashes

One or two sentences explaining what actually happened:
I downloaded a Shutdowner file to the desktop. I right-clicked on the zipped folder and selected “Run in COMODO Sandbox” from the context menu. The zipped folder was extracted within the Sandbox (green border). I then right-clicked on the executable file and selected Open. The Shutdowner proceeded to open a command window; immediately the sandbox and cis.exe crashed, and then a system restart was forced.

I would expect that a more aggressive Shutdowner may attempt to infect, corrupt, overwrite, and/or delete files.

One or two sentences explaining what you expected to happen:
I expected that an executable run inside the Sandbox would not be able to shut down the system. In other words, I would expect CIS 8 to protect itself, and the system, against any unauthorized system shutdown - especially one from within the Sandbox or Virtual Kiosk.

If a software compatibility problem, have you tried the advice to make programs work with CIS?:
Not Applicable

Any software except CIS/OS involved? If so - name, & exact version:
Malware

Any other information, eg your guess at the cause, how you tried to fix it etc:
Not Applicable

B. YOUR SETUP
Exact CIS version & configuration:
8.2.0.4591, Internet Security configuration

Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
AV, Viruscope, Firewall - enabled HIPS, Auto-Sandbox - disabled

Have you made any other changes to the default config? (egs here.):
Enhanced Protection (for x86-64 systems) - enabled
Scan computer memory at startup - enabled

Have you updated (without uninstall) from CIS 5 or CIS6?:
No
if so, have you tried a clean reinstall - if not please do?:
Not Applicable

Have you imported a config from a previous version of CIS:
No
if so, have you tried a standard config - if not please do:
Not Applicable

OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 8.1 x86-64 OEM, UAC “Alert me when make changes to system,” Administrator privileges, No virtual machine used

Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a= Windows Defender - disabled b= Windows Firewall - disabled

[attachment deleted by admin]

can you try disabling enhanced protection mode in the HIPS settings and see if you still get the crash?

Also can you send me a download link to the malware?

Thanks

Hello wasgij6,

Unfortunately CIS is not installed on my system at this time nor do I have a copy of the WinKill/Shutdowner file.

My system is AMD and there have been serious incompatibility issues between AMD and CIS.

I checked the download link for the file, but it is blocked.

Best Regards,

hjlbx

I'm afraid that I will not be able to forward this to the devs without the malware sample. The devs need the malware sample to repro and fix the problem.

For the time being I'm going to move this to the incomplete section. If you or someone else later finds a piece of malware that does the same thing, feel free to PM me and I will forward this bug.

Thanks

Hello wasgij6,

Found equivalent Shutdowner file that does the same as initially reported.

Attached in zip format.

Password “Infected”.

[attachment deleted by admin]

Please test this issue with version <8.2.0.4591>.

Thanks.

Hello qmarius,

Unfortunately, not fixed in v. 8.2.0.4591.

Best Regards,

HJLBX

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time, availability, and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again.

I tested this malware and it seems to execute an unbounded number of instances of the Windows Registry Editor (regedit.exe), which consumes system memory with each instance of regedit. Because there is no limit on the number of processes that can be executed from a fully virtualized application, it causes a DoS condition via memory exhaustion, leading applications and Windows to crash. Therefore, I think the sandbox is working as intended, and to prevent such a DoS the options ‘Limit program execution time to N seconds’ and ‘Limit maximum memory consumption to N MB’ are available to use when running programs in the sandbox. Also, when programs are sandboxed as Limited or higher they cannot execute more than 10 processes at a time because of the built-in restrictions of those sandboxing levels.

It’s just another test to simulate an environment under low resources. Often, these crash due to bad allocation of memory.
This kind of unexpected behavior should be prevented.

Oh, I agree; however, they can be prevented using the aforementioned options. It's just that there is no way to predict ahead of time whether a sandboxed application is going to consume so much memory or execute a lot of processes, which is why running an application as fully virtualized AND setting the restriction level to Limited provides a higher level of protection.
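
To make the reasoning in the two posts above concrete (a per-sandbox process cap or an aggregate memory/time limit stops a process-spawning DoS, while a cap on any single process does not), here is an added example written for this thread. It is not Comodo's code and does not model how CIS enforces its limits internally; it only replays the named knobs (‘Limit program execution time to N seconds’, ‘Limit maximum memory consumption to N MB’, and the 10-active-process cap of the Limited level quoted in the post) over a constructed spawn trace shaped like the regedit.exe behaviour described. The 4 MB dropper, 20 MB per child, one spawn every 0.25 s and the 64 MB per-process cap are invented values for illustration.

```python
"""Resource-limit policy for a sandboxed process tree (illustrative).

Added example for this thread; not Comodo's code. It models the knobs named in
the discussion above ('Limit program execution time to N seconds', 'Limit
maximum memory consumption to N MB', and the active-process cap of the Limited
level, taken as 10 from the post) and replays them over a constructed spawn
trace shaped like the regedit.exe fork bomb described. All sizes and timings
in fork_bomb_trace() are made up for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Event:
    t: float             # seconds since the sandboxed program started
    kind: str            # "spawn", "alloc" or "exit"
    pid: int
    rss_mb: float = 0.0  # spawn: initial working set; alloc: delta added to pid


@dataclass
class Limits:
    max_processes: Optional[int] = None            # active processes in the sandbox
    max_memory_mb: Optional[float] = None          # aggregate over all of them
    max_seconds: Optional[float] = None            # wall-clock lifetime
    per_process_memory_mb: Optional[float] = None  # a per-process cap, for contrast


@dataclass
class Verdict:
    violated: Optional[str]  # name of the first limit tripped, or None
    at: float                # time of the event that tripped it (or last event)
    active: int              # processes alive at that moment
    memory_mb: float         # aggregate working set at that moment


def evaluate(trace: List[Event], limits: Limits) -> Verdict:
    """Replay the trace in time order and return the first limit violation."""
    active: Dict[int, float] = {}  # pid -> working set in MB
    last_t = 0.0
    for ev in sorted(trace, key=lambda e: e.t):
        last_t = ev.t
        total = sum(active.values())
        # Lifetime is checked before the event is applied: the sandbox would
        # have torn the tree down at the deadline, so later events never happen.
        if limits.max_seconds is not None and ev.t > limits.max_seconds:
            return Verdict("max_seconds", ev.t, len(active), total)
        if ev.kind == "spawn":
            active[ev.pid] = ev.rss_mb
        elif ev.kind == "alloc":
            active[ev.pid] = active.get(ev.pid, 0.0) + ev.rss_mb
        elif ev.kind == "exit":
            active.pop(ev.pid, None)
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
        total = sum(active.values())
        # Process cap counts every live process in the sandbox, not per parent.
        if ev.kind == "spawn" and limits.max_processes is not None \
                and len(active) > limits.max_processes:
            return Verdict("max_processes", ev.t, len(active), total)
        # A per-process cap only sees one process at a time; small children
        # never trip it no matter how many there are.
        if limits.per_process_memory_mb is not None and ev.pid in active \
                and active[ev.pid] > limits.per_process_memory_mb:
            return Verdict("per_process_memory_mb", ev.t, len(active), total)
        # The aggregate cap is what actually bounds a fork bomb's footprint.
        if limits.max_memory_mb is not None and total > limits.max_memory_mb:
            return Verdict("max_memory_mb", ev.t, len(active), total)
    return Verdict(None, last_t, len(active), sum(active.values()))


def fork_bomb_trace(children: int = 100, per_child_mb: float = 20.0,
                    interval: float = 0.25) -> List[Event]:
    """Constructed trace: a 4 MB dropper (pid 1000) spawns one regedit-like
    child every `interval` seconds; none of the children ever exits."""
    trace = [Event(0.0, "spawn", 1000, 4.0)]
    for i in range(1, children + 1):
        trace.append(Event(i * interval, "spawn", 1000 + i, per_child_mb))
    return trace


def compare_policies(trace: List[Event]) -> Dict[str, Verdict]:
    """Run one trace under the sandbox settings discussed in the thread."""
    policies = {
        "no limits (Partially Limited)": Limits(),
        "per-process cap only (64 MB)": Limits(per_process_memory_mb=64),
        "Limited level (10 processes)": Limits(max_processes=10),
        "memory cap 512 MB": Limits(max_memory_mb=512),
        "execution time 5 s": Limits(max_seconds=5),
        "Limited + 512 MB + 5 s": Limits(max_processes=10, max_memory_mb=512,
                                         max_seconds=5),
    }
    return {name: evaluate(trace, lim) for name, lim in policies.items()}


if __name__ == "__main__":
    for name, v in compare_policies(fork_bomb_trace()).items():
        print(f"{name:30} -> {v.violated or 'completed':22} "
              f"t={v.at:5.2f}s procs={v.active:3d} mem={v.memory_mb:5.0f} MB")
```

Reading the output: with no limits (or only a per-process cap) the trace "completes" with 101 live processes and about 2 GB resident, meaning the only thing that stops it is the host running out of memory, which is the crash reported at the top of the thread. The Limited level ends the run at the 11th process (t = 2.5 s, 204 MB), well before either the 512 MB or the 5 s limit would fire, which is the combined-policy point made in the post above. The model ignores virtualized file and registry I/O and treats process count as a sandbox-wide total, both assumptions for illustration.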

Hi guys,

Thank you very much for your feedback. We’re gonna check the sample asap.

@hjlbx shall we use the one you’ve posted ?

Kind Regards
Buket

Hello BuketB,

Yes. Use the sample that I have attached to the thread.

Unfortunately, I lost the original sample - and I do not know its mechanism of operation precisely. The second sample duplicates the overall Windows crash, but I am not 100% sure it is completely identical to the original sample. That’s an honest answer…

Very Best Regards,

HJLBX

Hello hjlbx,

OK, thank you very much for the information.

We will update you .

Kind Regards
Buket

Hello Guys,

According to our QA, we used the steps below to reproduce the problem with the sample you provided:

1. Download sample in VM
2. Disable AV, Auto-Sandbox, Cloud Lookup
3. Launch zip archive in Sandbox via right click
4. Launch sample in Sandbox

We had no crash or freeze.

@hjlbx, QA will send you a PM with the video and screenshots; please kindly have a check and get back to us.

Kind Regards
Buket

Since the OP has not replied, I’m assuming this is fixed with version <10.0.0.5144>.

Thank you.