Zaccess malware causes sandbox leak in recycler folder [M397] [v6]

A. THE BUG/ISSUE (Varies from issue to issue)
  • Summary - Give a clear summary in the topic subject, NOT here.

  • Can U reproduce the problem & if so how reliably?:

yes

  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:

(1) Before running the malware, the recycler …

(2) I ran a ZAccess malware.

http://camas.comodo.com/cgi-bin/submit?file=58c8544ae9955b9ad95c9e083b0839461f9d4adf16225279b9688b9f1367d36d

(3) It was sandboxed as fully-virtualized.

(4) After running the malware, the recycler …

(5) The malware can create the folders outside the sandbox.

  • If not obvious, what U expected to happen:

Comodo sandbox should block the malware from creating the folders outside the sandbox.

  • If a software compatibility problem have U tried the conflict FAQ?:
  • Any software except CIS/OS involved? If so - name, & exact version:
  • Any other information, eg your guess at the cause, how U tried to fix it etc:
  • Always attach - Diagnostics file, Watch Activity process list, dump if freeze/crash. (If complex - CIS logs & config, screenshots, video, zipped program - not m’ware)

logs:

2013-05-14 17:54:43 C:\1.exe.exe Sandboxed As Fully Virtualized

2013-05-14 17:54:55 C:\WINDOWS\system32\cmd.exe Sandboxed As Fully Virtualized

2013-05-14 17:55:05 C:\1.exe.exe Access Memory C:\WINDOWS\explorer.exe

B. YOUR SETUP (Likely the same for each issue, so you can copy forward)
  • Exact CIS version & configuration:

version = 6.1 build 2813

configuration = internet security

  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:

HIPS=off, BBlocker=fully-virtualized, Firewall=Safe, AV=cloud is off

  • Have U made any other changes to the default config? (egs here.):

The sandbox level was set as fully-virtualized.

  • Have U updated (without uninstall) from a CIS 5?:

no

    • if so, have U tried a clean reinstall - if not please do?:
  • Have U imported a config from a previous version of CIS:

no

    • if so, have U tried a standard config - if not please do:
  • OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:

Windows XP Pro, SP3, 32bit, UAC=off, admin, Real

  • Other security/s’box software a) currently installed b) installed since OS: a= b=

none

[attachment deleted by admin]

Can you please test what happens if you reset the sandbox? It would be very helpful to see if that particular folder outside the sandbox survives even a reset.

Also, am I understanding correctly that this piece of malware is able to create a new folder within the recycle bin, which is inside the C-drive?

Also, after running the malware but before resetting, could you please open KillSwitch and choose the option to Save Current View? This will create a spreadsheet with every process running on your computer. Then, put this in a zip file and attach it to your post. This may help the devs to figure out what’s happening.

Thank you.
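The reporter's steps (1) to (5) and the moderator's request above describe one verification procedure: snapshot the real (non-virtualized) recycler folder before running the sample, snapshot it again afterwards, then reset the sandbox and check whether anything that appeared on the real disk is still there. The script below is an added example, not code from the thread or from Comodo; it automates that before/after/after-reset comparison for any directory. The directory names and the "leaked" folder in the demo are constructed stand-ins for the real C:\RECYCLER tree, and the demo simulates the leak by creating the folder itself, since the sample is not part of this example.

```python
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Return the set of paths (relative to root, '/'-separated) of every
    file and directory under root, as seen by the real file system."""
    root = Path(root)
    entries = set()
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        for name in dirnames + filenames:
            entries.add((rel / name).as_posix())
    return entries


def diff_snapshots(before, after):
    """Return (created, removed) relative paths between two snapshots."""
    before, after = set(before), set(after)
    return sorted(after - before), sorted(before - after)


def containment_report(before, after_run, after_reset):
    """Summarize whether a fully-virtualized run leaked onto the real disk.

    Anything present after the run but absent before was written outside
    the virtual view; anything still present after a sandbox reset is
    confirmed to live on the real disk rather than in the sandbox store."""
    leaked, _ = diff_snapshots(before, after_run)
    persisted = sorted(set(leaked) & set(after_reset))
    return {
        "leaked": leaked,
        "persisted_after_reset": persisted,
        "leak_detected": bool(leaked),
    }


def demo():
    """Constructed walk-through of the three-snapshot check on a temp tree."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for the real recycler folder with one
        # pre-existing per-user bin (the SID is a placeholder, not a real one).
        real_recycler = Path(tmp) / "RECYCLER"
        (real_recycler / "S-1-5-21-placeholder-500").mkdir(parents=True)
        before = snapshot(real_recycler)

        # Simulated leak: in the report this folder is created by the
        # sandboxed sample; here the demo creates it directly.
        (real_recycler / "S-1-5-21-placeholder-500" / "$leaked").mkdir()
        after_run = snapshot(real_recycler)

        # A sandbox reset clears only the virtualized view; entries that
        # were written to the real disk are untouched, so the snapshot
        # taken after the reset is the same.
        after_reset = snapshot(real_recycler)

        return containment_report(before, after_run, after_reset)


if __name__ == "__main__":
    # In practice: snapshot the real folder, run the sample, snapshot again,
    # reset the sandbox, snapshot a third time, then compare.
    print(demo())
```

Take the snapshots from an account and console that are themselves outside the sandbox, otherwise the walk sees the virtualized view and reports nothing. Any non-empty "leaked" list on a fully-virtualized run is a finding; the "persisted_after_reset" list is the stronger evidence the moderator asks for, because it rules out the possibility that the entries only existed in the sandbox's own store.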

The folders outside the sandbox still exist.

Also, am I understanding correctly that this piece of malware is able to create a new folder within the recycle bin, which is inside the C-drive?

This piece of malware is able to create new folders within the recycler.

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again.

I forwarded this as it is obviously a serious bug. However, I do still have another question.

Is the recycler the same as the recycle bin?

In XP, it is called “recycler”. :)

I tested this on Win 7 64-bit and it was not able to bypass the sandbox. Maybe it's another XP-only vulnerability.

Hi a256886572008,
Could you send this virus sample to me (jackwang(#)comodo{.}com)? We will analyze it.

Thanks a lot.

Hi mate,

Thank you for reporting CIS bugs.
The fix will be included in the next release :)

Regards
Haibo

Can you please check and see if this is fixed with the newest version (6.2.282872.2847)? Please let us know whether it is fixed or you are still experiencing the problem.

Thank you.

PM sent.

The devs have flagged this as fixed. Thus, I will move this to Resolved.

Please let me know if you are still experiencing the issue.

Thank you.