
user-mode infections and sandboxed browsing


5 replies to this topic

#1 wibble2 (Members, 20 posts)

Posted 22 November 2010 - 08:09 AM

Thanks for your help, quietman7, on the other thread re log files. However, there were also a couple of GENERAL questions in that thread, which has been closed, so I'm creating this thread to ask them again...

In one of the links posted yesterday, it mentioned that a user-mode infection can get installed via the HKCU part of the registry so that some malware may start up when the same user logs in, and it can then write to all other processes run by that user (including Windows Explorer). This sounds serious, but it should be easier for anti-virus software to find - I suppose this is because it can only(?) start up by an entry in HKCU - and in that case, wouldn't a simple System Restore (to a date before the infection) be a reliable way to disable any user-mode infection?

    So if malware is designed to steal information while being sandboxed, it will be able to do so.


Right. So if using Chrome, it may be possible to get a malware infection that can read data and keystrokes from your PC; but when you close Chrome the malware will disappear permanently until the next time you visit a web site that causes another new infection?

If so, then I'm assuming that before using (say) online banking you should close all instances of Chrome, then open a new instance just for doing online banking?
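Added example (editor's, not part of wibble2's post): a PowerShell script that enumerates the per-user (HKCU) autostart locations the question refers to, which a user-mode infection can populate without administrative rights, and checks the Authenticode signature of each referenced executable. The list of registry keys, the path-extraction regex and the "user-writable location" heuristic are the editor's assumptions, not something the thread states; the registry keys and cmdlets themselves are standard Windows/PowerShell.

```powershell
# Added example (not from the thread): list per-user autostart entries that need no admin
# rights to create, and check each target's Authenticode signature. Run as the affected user.
# The key list and the "user-writable" heuristic below are the editor's assumptions.

function Resolve-CommandPath {
    param([string]$Command)
    # Extract the executable from a Run value such as:  "C:\Program Files\App\app.exe" --flag
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"') { $path = $Matches[1] }
    elseif ($cmd -match '^(.+?\.(exe|com|scr|bat|cmd|vbs|js))(\s|$)') { $path = $Matches[1] }
    else { $path = ($cmd -split '\s+')[0] }
    # A bare name such as "explorer.exe" is resolved through PATH, as the loader would
    if ($path -and $path -notmatch '[\\/]') {
        $found = Get-Command $path -ErrorAction SilentlyContinue
        if ($found -and $found.Path) { $path = $found.Path }
    }
    return $path
}

function New-AutorunRecord {
    param([string]$Source, [string]$Name, [string]$Command)
    $path = Resolve-CommandPath $Command
    if ($path -match '\.lnk$' -and (Test-Path -LiteralPath $path)) {
        # Startup-folder shortcuts point elsewhere; inspect the target instead of the .lnk
        $target = (New-Object -ComObject WScript.Shell).CreateShortcut($path).TargetPath
        if ($target) { $path = $target }
    }
    $exists = [bool]($path -and (Test-Path -LiteralPath $path -PathType Leaf))
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
    [pscustomobject]@{
        Source       = $Source
        Name         = $Name
        Command      = $Command
        Path         = $path
        Exists       = $exists
        Signature    = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
        Publisher    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.GetNameInfo('SimpleName', $false) } else { '' }
        # Heuristic (assumption): legitimate software rarely autostarts from scratch/user-writable paths
        UserWritable = [bool]($path -match '\\(AppData|Local Settings|Temp|Downloads|Public)\\')
    }
}

function Get-HkcuAutoruns {
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows',   # "Load" / "Run" values
        'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # "Shell" value, if present
    )
    $launchValues = 'Load', 'Run', 'Shell'
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            # Under the Windows/Winlogon keys only a few named values are launch points
            if ($key -match 'CurrentVersion\\(Windows|Winlogon)$' -and $launchValues -notcontains $prop.Name) { continue }
            if (-not ($prop.Value -is [string]) -or -not $prop.Value.Trim()) { continue }
            New-AutorunRecord -Source $key -Name $prop.Name -Command $prop.Value
        }
    }
    # The per-user Startup folder is the other classic launch point that needs no admin rights
    $startup = [Environment]::GetFolderPath('Startup')
    if (Test-Path -LiteralPath $startup) {
        Get-ChildItem -LiteralPath $startup -Force | Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { New-AutorunRecord -Source 'Startup folder' -Name $_.Name -Command $_.FullName }
    }
}

# Suspicious entries (user-writable path, unsigned or missing target) float to the top
Get-HkcuAutoruns | Sort-Object UserWritable, Signature -Descending |
    Format-Table Source, Name, Path, Exists, Signature, Publisher, UserWritable -AutoSize
```

An entry whose target sits under AppData or Temp and is NotSigned (or whose file no longer exists) is worth a closer look; a Valid signature from a known publisher is a reasonable, though not absolute, sign that the entry is legitimate. The script only covers HKCU; an infection that obtained administrative rights can also use the HKLM equivalents, services and scheduled tasks, which it does not enumerate.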



#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,399 posts, Virginia, USA)

Posted 23 November 2010 - 10:49 PM

    wouldn't a simple System Restore (to a date before the infection) be a reliable way to disable any user-mode infection?


System Restore is the feature that protects your computer by monitoring a core set of system and application files and by creating backups (snapshots saved as restore points) of vital system configurations and files before changes are made. These restore points are stored in the System Volume Information (SVI) folder and can be used to "roll back" the computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations, including registry modifications made by software or malware, by reverting the operating system's configuration to an earlier date. Keep in mind that System Restore will back up the good as well as malevolent files, so when malware is present on the system it may be included in some restore points.

Sometimes this method of recovery works but other times it may not, since System Restore was not designed to be a virus or malware removal tool. Whether it will be successful depends on what type of infection you are dealing with, what damage the malware has already caused, whether it disabled System Restore, and what is restored during the process.

This is what mvps.org has to say:

    Can I use System Restore to remove virus or malware infection?

    NO. System Restore was not designed to be a virus or spyware removal tool and should not be depended on to do so.

Generally it's better to leave System Restore alone until the machine is clean and stable. However, in some cases, using System Restore may return some system stability if you are having problems running disinfection tools or booting up. If you are able to successfully use System Restore to return to a previous state there is no guarantee your computer will not still be infected. As such, you should immediately perform scans with your anti-virus and anti-malware tools afterwards, then monitor your system for any signs of infection.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Didier Stevens (BC Advisor, 2,685 posts)

Posted 24 November 2010 - 03:44 PM

    Right. So if using Chrome, it may be possible to get a malware infection that can read data and keystrokes from your PC; but when you close Chrome the malware will disappear permanently until the next time you visit a web site that causes another new infection?

    If so, then I'm assuming that before using (say) online banking you should close all instances of Chrome, then open a new instance just for doing online banking?

I'm not familiar enough with Chrome's sandboxing technology to answer your question, but for IE and Adobe sandboxes, reading files/registry is allowed, capturing keystrokes not.
I would guess it's the same for Chrome.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019


#4 Romeo29 (Learning To Bleep, Members, 3,194 posts)

Posted 24 November 2010 - 10:18 PM

Chrome runs the renderer process (which renders the webpage) with NULL user privileges (with no access to anything). So how can malware infect from within Chrome?
Check the Security tab for Chrome.exe (child processes) in Process Explorer. You will find Deny everywhere except for NULL user who has no access. So a renderer process has no access to registry, files etc.
In addition the renderer process is run in "alternate desktop", so a malicious script/process started by it cannot do keylogging or take screenshots.

The only way a hacker or malware can go through is by finding an unknown bug.

Or if the user naively opens an infected file (if you land on a page which gives an exe file download prompt and you click on Open). For situations like this always run Chrome itself in lower privileges mode. suDown is a good method of running apps in lower privileges.

http://dev.chromium.org/developers/design-documents/sandbox
http://sudown.sourceforge.net/
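Added example (editor's, not part of Romeo29's post): a PowerShell script that does from the command line what Romeo29 describes doing in Process Explorer's Security tab. It opens the primary token of every chrome.exe process and reports its integrity level and whether it is a restricted token, which is what Process Explorer displays as "Deny" group entries. It checks the token only and does not verify the alternate desktop. The P/Invoke declarations are documented Win32 APIs (OpenProcess, OpenProcessToken, GetTokenInformation, IsTokenRestricted); parsing the process role from the --type= switch on Chrome's command line, and the expectation stated in the usage note, are the editor's assumptions about current Chrome builds rather than facts from the thread.

```powershell
# Added example (not from the thread): report integrity level and restricted-token status
# for every chrome.exe process. Run from a normal (non-elevated) session as the same user
# that is running Chrome. Requires PowerShell 3+ for Get-CimInstance (see note below).
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenProbe {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int needed);
    [DllImport("advapi32.dll")]
    public static extern bool IsTokenRestricted(IntPtr token);
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthority(IntPtr sid, int index);
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
}
"@

function Get-TokenSandboxInfo {
    param([Parameter(Mandatory=$true)][int]$ProcessId)
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $TOKEN_QUERY = 0x0008
    $TokenIntegrityLevel = 25            # TOKEN_INFORMATION_CLASS::TokenIntegrityLevel
    $hProc = [TokenProbe]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($hProc -eq [IntPtr]::Zero) { return $null }   # e.g. an elevated Chrome instance
    $hTok = [IntPtr]::Zero
    try {
        if (-not [TokenProbe]::OpenProcessToken($hProc, $TOKEN_QUERY, [ref]$hTok)) { return $null }
        $needed = 0
        [void][TokenProbe]::GetTokenInformation($hTok, $TokenIntegrityLevel, [IntPtr]::Zero, 0, [ref]$needed)
        if ($needed -eq 0) { return $null }
        $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($needed)
        try {
            if (-not [TokenProbe]::GetTokenInformation($hTok, $TokenIntegrityLevel, $buf, $needed, [ref]$needed)) { return $null }
            # Buffer holds a TOKEN_MANDATORY_LABEL { PSID Sid; DWORD Attributes }.
            # The integrity level is the last sub-authority (RID) of that SID.
            $pSid  = [Runtime.InteropServices.Marshal]::ReadIntPtr($buf)
            $count = [Runtime.InteropServices.Marshal]::ReadByte([TokenProbe]::GetSidSubAuthorityCount($pSid))
            $rid   = [Runtime.InteropServices.Marshal]::ReadInt32([TokenProbe]::GetSidSubAuthority($pSid, $count - 1))
        } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
        $level = switch ($rid) {
            { $_ -lt 0x1000 } { 'Untrusted'; break }
            { $_ -lt 0x2000 } { 'Low'; break }
            { $_ -lt 0x3000 } { 'Medium'; break }
            { $_ -lt 0x4000 } { 'High'; break }
            default           { 'System' }
        }
        [pscustomobject]@{
            IntegrityRid = ('0x{0:X4}' -f $rid)
            Integrity    = $level
            # True when the token carries restricting SIDs (CreateRestrictedToken), which is
            # what Process Explorer shows as "Deny" on the token's groups
            Restricted   = [TokenProbe]::IsTokenRestricted($hTok)
        }
    } finally {
        if ($hTok -ne [IntPtr]::Zero) { [void][TokenProbe]::CloseHandle($hTok) }
        [void][TokenProbe]::CloseHandle($hProc)
    }
}

# Assumption: Chrome tags each child with --type=<role> on its command line; the browser
# process has no such switch.
Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'" | ForEach-Object {
    $role = if ($_.CommandLine -match '--type=([a-z-]+)') { $Matches[1] } else { 'browser' }
    $info = Get-TokenSandboxInfo -ProcessId $_.ProcessId
    [pscustomobject]@{
        Pid        = $_.ProcessId
        Role       = $role
        Integrity  = if ($info) { $info.Integrity } else { 'access denied' }
        Restricted = if ($info) { $info.Restricted } else { $null }
    }
} | Sort-Object Role | Format-Table -AutoSize
```

What you should expect to see (editor's assumption about current Chrome, not a claim from the thread): the browser process at Medium integrity and not restricted, and each renderer with Restricted = True and an integrity level well below Medium. A renderer that shows up unrestricted at Medium is running outside the sandbox (for example because Chrome was started with --no-sandbox) and deserves investigation. On PowerShell 2 replace Get-CimInstance with Get-WmiObject; the rest is unchanged.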

#5 wibble2 (Topic Starter, Members, 20 posts)

Posted 26 November 2010 - 10:34 AM

Thanks for the comments.

Also thanks for the link to SUDOWN. Although it is not needed for Vista, I'll be installing Windows XP on another PC in a few days, and I'll be sure to install SUDOWN on that.

#6 quietman7 (Bleepin' Janitor, Global Moderator, 51,399 posts, Virginia, USA)

Posted 26 November 2010 - 11:02 AM

You're welcome on behalf of the Bleeping Computer community.



