I know it is unlikely, but let us say the host has got owned, i.e. a hacker has managed to break into the host. How would they go about breaking into a Linux VM that uses full disk encryption? They can't mess with the .vmdk without damaging it - it is encrypted by the guest. They can't use vmrun because they do not know the guest passwords. They can't attach to processes in the guest with debugging tools because they cannot see individual guest processes. What can they do? And crucially, what can I do as a countermeasure?
Valid thing to think about. My main fear would be KSL on the host for when the VM is decrypted when you use it, or substituting rogue VM code. I would guess that, depending on the OS and encryption used, a rootkit could be written to the MBR code? Not sure how I feel about VM level encryption (which VMware offers). Countermeasures are to harden the host generally, run an anti-keylogger utility, and avoid using the host for risky things - browsing, images, documents - but then you have VMs to do that, no? You could also run the VM from an encrypted container (e.g. TrueCrypt or whatever), but that only improves the encryption at the expense of having the unencrypted VM files open to other processes, so probably a bad idea.
If an attacker has control over your host, they can break into the encrypted VM by capturing the password the next time you type it in, using any of several methods not limited to a traditional keylogger. An anti-keylogger utility as mentioned above is, quite frankly, bs; it's a false sense of security. They could simply RDP into your system, and that will allow them to see keystrokes after they're decrypted from the keystroke scrambler.
If the keyboard is a USB one and connected directly to the VM (so it does not appear in the hardware list of the host), and furthermore the anti-keylogger utility is installed in the VM, is the keylogging attack still possible?
Can they still do this when full disk encryption is used inside the VM so the entire disk image is encrypted?
Some thoughts on your questions: Generally, if the host is compromised, particularly at root, it's game over. For example, the connection to the USB is via the VM software, which is executing on the host. And vulnerable. There's lots of ways to attack the process as it boots up and runs. If you're not sufficiently confident in your host, then use of pendrives/LiveCD is an alternative.
Is that still the case if you use the "on-screen keyboard"? And is there any real security advantage to using a virtual keyboard for online banking in a VM?
Are any of these ways available as standard tools on the BackTrack CD, or are you talking about underground stuff?
Neither criminal hackers out to steal your bank account details nor governments rely on BackTrack/Kali; that's mainly just what teenagers play around with.
They use what? Governments and hackers? They only have better exploits, and they use Kali, Wireshark, Nmap, etc. like teenagers.
I don't think that I'm going out on a limb when I say that criminal types are relying on keyloggers/trojans spread mainly through spam emails and Flash/Java exploits (old ones are indeed likely to be in Metasploit, but I don't think many, if any, will work on a fully up to date system besides XP), whereas governments are going to be using sophisticated malware spread through a multitude of hard to defend against ways. Wireshark and Nmap are simply networking utilities with many very legitimate uses, hardly the essence of a hacker's toolkit, besides maybe the shady guy sitting next to you in Starbucks trying to get into your Facebook account.
I doubt it; it'll most likely only protect against hardware keyloggers. Software keyloggers should be able to capture all text regardless of whether it's from an on-screen keyboard. Maybe it will help against some percentage of poorly designed malware. My position is that if part of your host is owned, assume that everything is owned; only a full format/reinstall will help. Trying to defend an already compromised system with virtual keyboards and anti-keyloggers seems to be an exercise in futility.
If the host is Linux and you connect a USB keyboard directly to the VM, then there is not a single process for the USB port that you can attack as it boots up and runs, is there? You'd need to intercept the entire kernel and develop special software to intercept keystrokes in the form they appear in the USB port. Also there is no single process for the "on-screen keyboard" from the point of view of the host; the entire hypervisor would have to be intercepted, no?
The thing I've seen addressing this class of threat is the work being done in Qubes - you can assign PCI devices (including USB hub controllers) to a VM. I think this is relying on VT-d isolation mechanisms.
PCI devices definitely need VT-d to be assigned to a VM, and it does not always work. But not USB devices: you connect the USB keyboard to the USB port and the hypervisor virtually connects it to the virtual USB port of the VM. From then on it does not appear in the hardware list of the host. In Linux the kernel module for the USB keyboard is unloaded; if you type lsmod it is not there any more.
I'd like to point out the fact that the GRUB bootloader is unencrypted, and a reasonably sophisticated hacker would be able to inject a keylogger into that. It's too bad that you can't use hardware encryption on a VM as that would largely prevent this. Trusted Grub is something you might need to look into.
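One defensive check for the unencrypted boot partition the post above refers to, added here as an example and not taken from the thread: a SHA-256 manifest of the guest's /boot recorded while the VM is known-good, compared later to detect modified, added or removed files. It assumes the manifest is stored and the comparison is run from outside the possibly-tampered guest (for instance from a LiveCD, as suggested earlier in the thread), since a check running inside a compromised system can itself be subverted; the /boot contents below are constructed stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_tree(root):
    """Return {relative path: sha256 hex} for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def write_manifest(root, manifest_path):
    """Record the baseline while the VM is known-good (sha256sum-style lines)."""
    lines = [f"{digest}  {rel}\n" for rel, digest in hash_tree(root).items()]
    Path(manifest_path).write_text("".join(lines))

def read_manifest(manifest_path):
    baseline = {}
    for line in Path(manifest_path).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        baseline[rel] = digest
    return baseline

def verify_boot(root, manifest_path):
    """Compare the current tree with the baseline; report every difference."""
    baseline = read_manifest(manifest_path)
    current = hash_tree(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed stand-in for a guest's unencrypted /boot, so this runs offline."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp) / "boot"
        (boot / "grub").mkdir(parents=True)
        (boot / "grub" / "grub.cfg").write_text("set default=0\n")
        (boot / "vmlinuz").write_bytes(b"constructed kernel image stub")
        (boot / "initrd.img").write_bytes(b"constructed initrd stub")
        manifest = Path(tmp) / "boot.sha256"
        write_manifest(boot, manifest)  # baseline taken on the known-good VM
        # Simulate changes made to the boot files while the VM was powered off
        (boot / "grub" / "grub.cfg").write_text("set default=0\nset timeout=0\n")
        (boot / "grub" / "extra.mod").write_bytes(b"constructed new module")
        (boot / "initrd.img").unlink()
        return verify_boot(boot, manifest)

if __name__ == "__main__":
    print(demo())
```

Any non-empty result means the boot files no longer match the baseline and the VM should not be trusted to take the disk passphrase until the cause is understood.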
The point with Qubes is that you'd assign a PCIe USB controller card - the whole hub - to the VM using VT-d. Agree that if you hook the VM USB connection up normally, then they're known to the host.