Forum Thread: How to Protect Yourself:

How to Protect Yourself:

In this Post, I am talking about little Conceptual part of some of the technologies that developers are integrating into the software we commonly use to help protect our computers.

Sandboxes

A software sandbox is a way for computers to run programs in a controlled environment. The sandbox offers a constrained amount of memory and only allows very limited access to resources such as operating system files, disks and the network. In theory, the software cannot break out of the sandbox and affect other parts of the computer, so even if malicious software attempts to overwrite parts of the disk, the sandbox will prevent it from doing so.

In the sense of providing a highly controlled environment, sandboxes may be seen as a specific example of virtualization. Sandboxing is frequently used to test unverified programs that may contain a virus or other malicious code, without allowing the software to harm the host device

Sandboxing is widely used in modern web browsers, such as Internet Explorer 10 onwards, and Chrome, to prevent internet content causing damage to files on the computer. Similar sandboxes exist for most browser plugins and the Adobe Acrobat PDF viewer.

Examples of sandbox implementations :

  1. Virtual machines emulate a complete host computer, on which a conventional operating system may boot and run as on actual hardware. The guest operating system runs sandboxed in the sense that it does not function natively on the host and can only access host resources through the emulator.
  2. HTML5 has a "sandbox" attribute for use with iframes

Signed Programs

Code signing is a use of cryptography where software companies issue digitally signed copies of their programs that can be checked by recipients for its authenticity.

Code signing is used by the designers of all three major operating systems (Microsoft Windows, Mac OS X and Linux) to guarantee that operating system updates are genuine even if they are distributed using flash memory cards rather than directly from the publisher.

Microsoft Windows uses code signing on operating systems components, such as hardware drivers, which have direct access to the heart of the operating system. Apple has taken code signing even further. Versions of Mac OS X from 10.8 onwards can restrict users to only running programs that have been certified by the Apple App Store. While this does offer greater security against malware, it may also restrict choice and prevent users from running certain unsigned apps from third parties.

5 Responses

What can you offer as a solution to the following:

  1. Malware which disables itself when it detects a virtual environment?
  2. Malware with falsified yet valid signatures?

Your Answer :

1) In some cases, detection of a virtual environment just causes the malware to shut down its malicious functionality, so that it can not be property analyzed in the virtual environment. Of course, if you are using the VM for sandboxing, this is a good thing, as it means the malware more or less disables itself and therefore may not cause damage to the virtual OS.

2) If Malware is falsified to detect signature then it can be counted as FUD(Fully Undetectable).

Let's suppose that Avast! antivirus uses sandboxing to detect malware through heuristics... If the malware disables itself in that virtual environment, how will Avast! be able to complete its objective of detecting and safely removing the infected program?

Also, let me clarify the second part. The malware has been digitally signed illegitimately yet the system registers it as perfectly valid meaning it can access kernel space and perform SYSTEM-privileged actions. What solution(s) can you give to counteract this?

Hey dtm...
Your answer is hidden in white paper of SANS institute : Detecting Malware and Sandbox Evasion Techniques

Thanks for that, I'll have a look when I have the time!

Share Your Thoughts

  • Hot
  • Active