THIS WILL BE LONG BUT INFORMATIVE
I've used Sandboxie, I've used VirtualBox, etc. etc. As a computer programmer and a security consultant, I can tell you a little bit about these areas lol.
Malware unfortunately can do anything within its environment that software can, only in a malicious fashion. Computers only do what they are PROGRAMMED and told to do, nothing more, nothing less; there is no magic with computers.
That being said, if you are using a virtual machine I think that is a very viable way to protect yourself while visiting unfamiliar sites etc. I have used VirtualBox FOR MALWARE ANALYSIS, which is a little hobby of mine.
We run the malware within a virtual environment, and if you are doing behavioral analysis you can see what registry keys are being changed, files created, internet connections being made etc. You can also sometimes decompile the malware to try and do code analysis.
Most malware is written in languages like C++, but once compiled they turn to binary 1's and 0's (00001100) just like anything else, and some malware writers will deliberately screw with the code to make it deliberately HARD TO UNDERSTAND or decompile.
In any case the malware creator would have had to have taken the VirtualBox into consideration, and somehow would have to exploit that (I have yet to see this ACTUALLY happen after even deliberately downloading and running malware on a Windows VM).
I'm sure it has happened, it's just very rare; thinking like a criminal and virus writer, why would they do this? Some hackers hack for information, but I'd say 90% of hackers now and 90% of malware is used to try and get $$$$. Surprise, surprise, this means if I was writing a hacking tool, virus etc. I'd want to infect the highest number of people I could using probability whilst not wasting my time on the what if's. This means that for the small number of people using the "what if's", I'd be out of luck, but why would I care? Think about it, most people don't even know what a VirtualBox or Sandbox is. IF I can't hack the person using a VirtualBox I will simply move on to the other 9 out of ten poor old ladies who don't know crap about computers and have their CC numbers in a text file waiting for me.
If I were hacking people using malware I'd
1. Choose Windows since it still has well over 80% of the market; you have the greatest chance of infecting someone.
2. 90% of computer users probably aren't using sandboxes or virtual machines so why bother? You can't get them all, but that's not the point; the point is getting a good chunk of people hacked so as to steal their information.
This all being said DON'T FEEL TOO COMFORTABLE YET USING A VIRTUAL MACHINE/SANDBOX!!!!
I frequently like to check a site called malwaredomainslist dot com, to see what projects and tools the best Internet criminals are up to next.
This site is used so that people who run into malware online can then post a link to where it is. Don't get me wrong, there are some brilliant computer programmers/hackers out there. In fact I'd be willing to bet some of the smartest criminals and people in the world are right here using the internet to do their bidding on dumb people.
To give you an idea Ken Jennings from Jeopardy was a software engineer, and half the people I see on that show are. These people aren't stupid. IF one of them turns to the dark side so to speak, they will find a way into "Averagely protected computers". You don't have to worry, they will always figure out a way around all of it, since they are just as smart as the users making the protections like sandboxie, IF NOT SMARTER. There's no system someone can think of that you can't think of a way around it, this has been shown historically time and time again.
Note: "Averagely Protected Computers" In There. When and if Windows 8 uses virtualization as part of the core OS, what do you think will happen? When virtualization becomes the norm instead of the exception, Script Kiddies may very well have even LESS SUCCESS, but do you think this will stop the Ken Jennings, or brilliant programmers gone to the dark side equivalents? Brilliant programmers and virus writers will then start creating ways around it "once it becomes the new norm". This is a no Duh, right? It's one of the reasons why Linux and Mac have almost no viruses; nobody cares at this point.
That's not to say you couldn't create a virus for a Mac, I'm sure you could, it's just rarely something you bump into in the wild internet.
Suffice to leave you now and say that a hacker can gain access to your computer, if you're not taking the proper precautions, JUST BY VISITING THE WRONG SITE. They could gain access to most computers out there now just BY THEM VISITING THE WRONG SITE. Yes, I'll repeat that: hackers can hack you just GOING TO a bad web site and have access to ALL YOUR FILES, web sites visited, documents etc. on your computer. Pretty creepy eh?
One of the popular methods they use to employ this is a reverse command shell, so they can attain command line access to your computer. I know of sites right now on malware domains that when visited execute exploits THAT STILL haven't been fixed and will use shellcode to give the hacker access to your PC and most users WOULDN'T EVEN KNOW THIS WAS HAPPENING TO THEM.
The attacker simply says "hey I found this cool site" on the comment section of a web page or something, idiots visit it and BAM, they have no idea the attacker now has full command line access to their files, computer etc. Then people wonder why identity theft is so prevalent. I will have you note that if you go to these exploit pages with SANDBOXIE they will spawn back a remote command shell, but the command shell i.e. cmd.exe will be running under the supervision of SANDBOXIE.
What this means is that they can still potentially download your files i.e. steal them, however just like anything else running within the sandbox they can't delete or alter anything, like add a new user or something.
One thing I would definitely emphasize for users and readers on here to do is go to SANDBOXIE and edit in its control to stop cmd.exe from running within the sandbox. What would happen then is, if you go to these exploit pages for instance, they would try to open cmd.exe and send that over a port to the attacker, but it would simply just close it within the sandbox.
There are ways of hardening Sandboxie so as to prevent these types of attacks as well.
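
One way to apply the advice above about keeping cmd.exe from running inside the sandbox, as an added example that is not part of the original post: a Sandboxie.ini fragment using Sandboxie's Start/Run access restriction. The box name `BrowserBox` and the allowed program `firefox.exe` are assumptions chosen for illustration.

```ini
# Sandboxie.ini fragment (added example; box names and program list are assumptions)

# Before: no Start/Run restriction, so any program, cmd.exe included,
# can be started by something already running in the box.
[DefaultBox]
Enabled=y

# After: only programs listed in the <StartRunAccess> group may start in this box.
# A request to launch anything else (cmd.exe, for instance) is refused.
[BrowserBox]
Enabled=y
ProcessGroup=<StartRunAccess>,firefox.exe
ClosedIpcPath=!<StartRunAccess>,*
```

Because this is an allowlist rather than a block on one binary, it also refuses other command interpreters that are not on the list.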