Sandboxing FTW

Posted on by

After I reminded people that I offer a complimentary attachment checking service through my office I got a submission from one of our warehouse operators in Texas. It was an oddly-named attachment called UmjSJCk.zip. I saved it to my Mac and opened Terminal. Then unpacked the zip file and it unpacked to Quotation.exe. I giggled a bit when I ran the file command on it and saw that it was a Windows executable. Exactly what I expected. So I put it in a folder called sandbox and started my copy of Windows XP that I have in VirtualBox. The OS has it’s hard drive set to immutable, so any changes or write activities that the OS does is not sent to the VHD image, but rather to a “snapshot” VHD image on the side. Each time I start the OS, it’s as if I am starting it for the first time, because when an immutable VM finds something (anything) in the snapshot folder, it dumps it first then creates a new snapshot image for writes. I make sure the sandbox can’t see anything beyond my Mac by assigning it’s LAN connection as a Host-Only Adapter. That means that the VM can only see VirtualBox’es fake network host and nothing else.

So start this sandbox Windows XP, mount the sandbox folder as a drive to the sandbox – set as Read Only also, by the way, no baby-backwash here… and then double-clicked on Quotation.exe. It loaded a process and started to grope the network connection. Of course it did. So, with the bug trying it’s best to reach out and fetch it’s payload I clicked on the little red close control and told VirtualBox to power off the virtual machine.

Poof. All gone. Changes and everything. Then I dumped the sandbox contents.

I think whats more concerning here is that my scan using ClamAV on my Mac in regards to this data showed no infected data. Well, it certainly was trying to be nasty.

Then I start to wonder about the inherent usefulness of VirtualBox when it comes to airgapped computing when it comes to privacy and really being paranoid about encryption. But then I realize that when I turn off my Airport on my MBP, that it’s just as good as anything I could screw around with in VirtualBox. An infection in my MBP? Heh… piff.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.