Wilders Security Forums  

  #1  
Old September 24th, 2012, 01:09 PM
popcorn popcorn is offline
Frequent Poster
 
Join Date: Apr 2012
Posts: 235
Default malware affects host from inside V-box ?

Hi
I have been running an instance of w7 in a virtualbox for malware detection,
after seriously breaking the guest OS I scanned and cleaned with hitman pro, during the removal process my host machine "flickered" and I lost internet connection from the host.
There are no malware signs on either machine (according to CCE, MBAM, HMP and ES) so I'm not overly concerned about that, was just wondering if anyone can shed any light on this...
__________________
CIS 6
ExploitShield beta
Virtually Virtual
  #2  
Old September 24th, 2012, 01:27 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: malware affects host from inside V-box ?

Might have just been a glitch. There are local VM exploits that allow execution of code outside of the VM but it's unlikely you ran into one.
__________________
  #3  
Old September 24th, 2012, 02:08 PM
ichito ichito is offline
Frequent Poster
 
Join Date: Jan 2011
Location: Poland - Cracow
Posts: 848
Default Re: malware affects host from inside V-box ?

Quote:
Symantec reported new malware for Mac last month that we called OSX.Crisis. Kaspersky then reported that it arrives on the compromised computer through a JAR file by using social engineering techniques.

The JAR file contains two executable files for both Mac and Windows. It checks the compromised computer’s OS and drops the suitable executable file. Both these executable files open a back door on the compromised computer. However, we found two special functions in the Windows version of the threat that Symantec detects as W32.Crisis.

The threat uses three methods to spread itself: one is to copy itself and an autorun.inf file to a removable disk drive, another is to sneak onto a VMware virtual machine, and the final method is to drop modules onto a Windows Mobile device.
-http://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines
__________________
"Who was not a rebel in his youth, this will be a pig in old age" - J. Piłsudski
SG.pl
  #4  
Old September 24th, 2012, 06:25 PM
Isso Isso is offline
Developer
 
Join Date: Mar 2009
Posts: 875
Default Re: malware affects host from inside V-box ?

Quote:
Originally Posted by ichito
-http://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines


This link describes something completely different - malware spreading to guest from infected host.

I'm actually very interested if there is any malware that can affect host from guest, provided that shared folders, Virtual Machine tools etc are completely disabled.
  #5  
Old September 27th, 2012, 07:14 PM
andyman35 andyman35 is offline
Very Frequent Poster
 
Join Date: Nov 2007
Posts: 2,270
Default Re: malware affects host from inside V-box ?

Quote:
Originally Posted by Isso

I'm actually very interested if there is any malware that can affect host from guest, provided that shared folders, Virtual Machine tools etc are completely disabled.

If your cpu supports virtualization then the isolation of the VM from the host is extremely secure.

As far as I'm aware the only way it could be compromised is via a targeted attack on a specific vulnerability within the VM software you're using. Even if this hypothetical exploit were to "escape" the VM, it would then have to adapt to the host environment in order to do its thing. Then of course, it'd have to avoid/bypass any security arrangement on the host system, likely to be comprehensive due to the fact that only more advanced users really tend to utilize VMs.

I doubt that, even if it's feasible, such an exploit would be widespread since there's no real financial incentive (for common malware authors), to go after such high-tech security setups. Not while there are so many easy pickings from the vast swathe of inadequately secured systems/click-happy users out there.
  #6  
Old September 27th, 2012, 08:12 PM
Isso Isso is offline
Developer
 
Join Date: Mar 2009
Posts: 875
Default Re: malware affects host from inside V-box ?

Thank you andyman, sounds very reasonable!
  #7  
Old September 28th, 2012, 01:46 AM
ComputerSaysNo ComputerSaysNo is offline
Very Frequent Poster
 
Join Date: Aug 2012
Posts: 1,086
Default Re: malware affects host from inside V-box ?

OP nuke your box. Could be a glitch but I'd rather not take the chance especially if you're doing malware analysis.


Quote:
Originally Posted by andyman35

I doubt that, even if it's feasible, such an exploit would be widespread since there's no real financial incentive (for common malware authors), to go after such high-tech security setups. Not while there are so many easy pickings from the vast swathe of inadequately secured systems/click-happy users out there.


Watch this space. VMware's source code has been leaked and you can be sure bugs are going to come out of that to be used in exploits. With the amount of companies using VMs it's just too fertile ground to ignore.
  #8  
Old September 29th, 2012, 05:19 PM
EncryptedBytes EncryptedBytes is offline
Frequent Poster
 
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Default Re: malware affects host from inside V-box ?

Quote:
Originally Posted by popcorn
Hi
I have been running an instance of w7 in a virtualbox for malware detection,
after seriously breaking the guest OS I scanned and cleaned with hitman pro, during the removal process my host machine "flickered" and I lost internet connection from the host.
There are no malware signs on either machine (according to CCE, MBAM, HMP and ES) so I'm not overly concerned about that, was just wondering if anyone can shed any light on this...

Probably just a bug, I've done malware work in the past over a bridged virtual connection. Always was amusing to see the host OS HIPS go off when it monitored a malicious link using its NIC. If you kept the guest correctly isolated and it wasn't sharing folders, mouse, clipboard etc you should be fine.

My word of warning however is if this was on your personal network you should disconnect all other devices from the LAN during testing or keep the guest offline completely. While your host would be secure, the malware can propagate over your network and may infect other nonpatched machines on your LAN.


Quote:
Originally Posted by ComputerSaysNo
OP nuke your box. Could be a glitch but I'd rather not take the chance especially if you're doing malware analysis.

If you take proper precaution and know how to monitor your host, this isn't necessary at all.
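
The isolation checklist from the post above (no shared folders, no shared clipboard, awareness of a bridged NIC), as an added example that is not part of the original thread: a small auditor for the text printed by `VBoxManage showvminfo <vm> --machinereadable`. The key names are the ones VirtualBox uses in the versions I know and should be checked against your own; the sample output is constructed.

```python
import re

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output.
# The VM name, adapter and path are made up for illustration.
SAMPLE = '''name="w7-analysis"
clipboard="bidirectional"
draganddrop="disabled"
nic1="bridged"
bridgeadapter1="eth0"
nic2="none"
SharedFolderNameMachineMapping1="samples"
SharedFolderPathMachineMapping1="/home/user/samples"
'''

def parse(text):
    """Parse key="value" lines (keys and values may or may not be quoted)."""
    return dict(re.findall(r'^"?([^"=\n]+)"?="?([^"\n]*)"?$', text, re.M))

def audit(text):
    """Return (setting, reason) pairs for host/guest channels left open."""
    cfg = parse(text)
    findings = []
    # Clipboard and drag-and-drop are host<->guest data channels.
    for key in ("clipboard", "draganddrop"):
        mode = cfg.get(key, "disabled")
        if mode != "disabled":
            findings.append((key, f"{key} is shared with the host ({mode})"))
    for key, value in sorted(cfg.items()):
        if re.fullmatch(r"SharedFolderNameMachineMapping\d+", key):
            findings.append((key, f"shared folder '{value}' is mapped into the guest"))
        elif re.fullmatch(r"nic\d+", key) and value == "bridged":
            # Bridged mode puts the guest directly on the LAN with other machines.
            findings.append((key, f"{key} is bridged onto the host's LAN"))
    return findings

if __name__ == "__main__":
    for setting, reason in audit(SAMPLE):
        print(f"[!] {setting}: {reason}")
```
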
  #9  
Old September 30th, 2012, 08:17 PM
andyman35 andyman35 is offline
Very Frequent Poster
 
Join Date: Nov 2007
Posts: 2,270
Default Re: malware affects host from inside V-box ?

Quote:
Originally Posted by ComputerSaysNo

Watch this space. VMware's source code has been leaked and you can be sure bugs are going to come out of that to be used in exploits. With the amount of companies using VMs it's just too fertile ground to ignore.

That's why I prefer Virtualbox, more chance of any potential vulnerabilities being spotted by the white hats first.
  #10  
Old October 12th, 2012, 12:01 AM
Flexigav Flexigav is offline
Regular Poster
 
Join Date: Sep 2012
Location: Australia
Posts: 57
Default Re: malware affects host from inside V-box ?

Quote:
Originally Posted by andyman35
That's why I prefer Virtualbox, more chance of any potential vulnerabilities being spotted by the white hats first.

The extra precautions could always try to run VMware from a guest OS running under VirtualMachine and the host OS... Two tier virtualization! Now that's a bit of a crooked path to get your head around lol!
  #11  
Old October 12th, 2012, 07:25 AM
andyman35 andyman35 is offline
Very Frequent Poster
 
Join Date: Nov 2007
Posts: 2,270
Default Re: malware affects host from inside V-box ?

Quote:
Originally Posted by Flexigav
The extra precautions could always try to run VMware from a guest OS running under VirtualMachine and the host OS... Two tier virtualization! Now that's a bit of a crooked path to get your head around lol!

That kind of thing just makes me dizzy, VMs within Sandboxes within VMs... I'm too old to try and work it out lol
 


All times are GMT -4. The time now is 09:10 PM.