Can malware "cross" virtual machines?

I read this interesting thread:
https://www.wilderssecurity.com/showthread.php?t=249990

It got me wondering: are virtual machines bulletproof in the sense that malware cannot crosss the VM? Say for virtualbox.

 

If you run your vm in a host Standard (LUA) account, you should be pretty much bullet proof. I will gladly run any malware thrown my way in my vm without the least concern of it jumping, ninja-like, in to my host and infecting it.

 

If a security vulnerability in VM software is known to an attacker and is unpatched, it can be exploited like a vulnerability in any other type of software used for security (i.e., Sandboxie). Running as a restricted user in the guest VM can prevent attacks out to the host, depending on the nature of the vulnerability being exploited.

There are a few known security vulnerabilities in VirtualBox 3.x, but these aren't considered very serious.

 

I am a total newbie on those VMs, and what would have me concerned is to find a sure way to keep my second and external hard drives well protected anough of any infection possibly trying to jump aboard them.

 

You know, and some will consider this going too far, if you are really concerned about becoming infected, you can always run your VM on a machine that is protected by a lite VM program such as Returnil, ShadowDefender, etc.

I have done this in the past, activated ShadowDefender, then turned on VirtualBox. Also, inside of VB I run a Linux Distro, so an infection would have to get thru Linux, then VB, then a reboot of SD in order to infect my system. I don't want to say that is impossible because I don't want to become over confident and when you become over confident is when you get nailed, but still, I just don't see how an infection could get thru that many layers with each one layer being so potent. By the way, all of this runs quite smoothly on my system.

Acadia

 

Do you also run Selinux/AppArmor in the linux VM?

 

Keep an eye on Qubes from The Invisible Things Lab - its at alpha stage now (but awesome already) with a number of things and exploits that have presented themselves need ironed out.

I've had a few PoCs in the past concerning this although few and far between that get plugged very quickly.

edit : there's me telling you to keep an eye out for QubesOS and I noticed you've started a thread about it, lol .

 

Yes, so true, I had forgot about the use of Shadow Defender in those occasions to protect all my drives, great idea and thanks, Acadia.
But about running VM inside another VM, I would be too afraid to multiply (if not square or cubify) my nullities in that area by using this aproch.
And there is also available this other conceptual option going by unplugging those external drives that I could also try

 

Running the same type of vm inside a vm is quite useless and unneeded. Shadow Defender seems a nice insurance as Peter will testify and has extensively tested but running in LUA is also a nice solution.
I run VMWare Workstation on Windows and Linux (also have Fusion) but running VMWare on Linux with Windows guests is very safe.

 

Shadow defender like virtualisations may not be bulletproof as the following thread shows:
https://www.wilderssecurity.com/showthread.php?t=276210

 

shadow defender hasn't been update but seens still quite strong.

 

Yo, people, I do NOT run a VM inside of another VM; running VirtualBox on a system protected by ShadowDefender is not quite the same.

No, I do not use any protective software on my VM Linux other than NoScript running on Firefox when I surf on the VM Linux, but I do have Online Armor and Anti-Executable (along with the usual AV and AM) on my main system. Yes, I know some folks will think this is more than necessary, but as long as it all works so smoothly, and nothing is running slow, why not? I don't like RAM and processor cycles just sitting there doing nothing. I spent the money for all of this power, might as well put it to use and what better use than for security? (and besides, its just plain fun playing with all of this stuff)

Acadia

 

No, its not...I would also add LUA+SRP to the mix

 

Yo too goes to you, Acadia.

My (lexical handicap) fault.

I just mix an "ON" for an "IN" in reading
<< you can always run your VM on a machine >> !

Sorry for the confusion
o [

--
EDIT added an hat on my emoticon

 

That's why I use the sig that do, well, at least here at Wilder's.

Acadia

 

Oh yeah, I've forgot to mention, I do this ALL inside of Sandboxie, except for the ShadowDefender part.

IN SUMMARY (ignoring the average everyday folks protection like AV and AM which I also recommend and use myself), and I usually don't do all of this at the same time, just no need to, its just there if if I want it, MAXIMUM PROTECTION: first protect all 4 of my hard drives with ShadowDefender; then open up VirtualBox inside of Sandboxie; then surf using Firefox with NoScript inside of a Linux distro.

Sorry to repeat this, I can't believe that I left out Sandboxie, one of my favorites: In order to be infected if I surfed in this ultra safe mode first the "bug" would have to get thru Firefox protect by Noscript, then survive the unfriendly environment of Linux, then survive being dissolved by VirtualBox, then being dissolved by Sandboxie, then being dissolved by ShadowDefender when I reboot.

Do I even need to mention Online Armor, Anti-Executable, and my AV and AM at this point?

Again to repeat myself, I know that this is extreme, but my system can easily handle this, and nothing beats knowing that I can surf freely without fear.

But most of all, I enjoy all of this stuff, I know, you're all saying "Acadia, you really do need to get yourself a life."

Acadia

 

I'm not sure that analysis is correct, in that its not like the malware has to first penetrate (he he he I said penetrate...) linux then virtualbox etc. More likely, a bug can directly hook into the windows disk drivers and go right through each security measure.

I'm curious Acadia, why dont you also do this in LUA, and maybe use SRP?

 

Whoa Acadia, someone needs a break in all seriousness though what parts of the web do you surf that needs this biohazard level containment? Maybe the NSA should use your security setup on their machines --The only thing wrong with this setup my friend is the massive potential for security software conflicts which can undermine your cyber fort knox.

all this kernel hooking on the host can cause breaches due to software bugs as I recall with what happened before with AVs and sandboxie etc. There is also the sandboxie and SD folder excclusion causing unshadowed file to appear outside of sandbox. part of the exercise here, is to strike a balance of robust security with no potential, fatal conflicts that outdo the setup.

Maybe Linux is ok for browsing but besides that you cant really do much else. Part of having a vm is appreciating the fact that you can have the full functionality of windows while enjoying higher security. but even then, I personally would never utilize a vm connected for a browsing sandbox because driveby worms could infect the host via vm networking hence rendering all of this fisco useless. I regard securing the host is actual priority, it should be secure enough for any risky surfing anyways -- hence not requiring I do not require a vm for that purpose. this is becuase everything on the host s default deny.
testing viruses in a isolated vm is best -- no shared folders/ networking at all. Even though vm are disposable, their being part of the host (being installed on your real system) will always open room for possibilities of infection.

 

LOL!! Believe it or not I don't surf anywhere that I would not want my wife to see, I just love this stuff (I know, I know, someone really has to get a life). Like stated before, all this stuff plays quite nicely together on my system. The only reason that I am using Linux is because I was not about to purchase another license for Windows when I could get Linux for free. All that I use Linux for is surfing; I do not mind the wasted hard drive space, most of my drive is still empty anyways.

To repeat, I know this is extreme but I enjoy the playing. (And it is sort of a cozy feeling that I do not need to worry about getting a drive-by-download from a friendly site that had been hacked).

I don't trust VM to totally protect me which is why I open the VM inside of Sandboxie: layers. By the way, Sandboxie and VirtualBox work perfectly together on my system as if they were made for each other.

Acadia

 

I am a little confused as to how a program that has drivers like vbox can run unencumbered in sandboxie. I had read once that if something was to exploit a flaw in the driver component of a sandboxed program ( thats installed on the original OS ) then it had a free pass to reach the outside.

 

I don't know what to tell you, I just know that it works. I've been using VB inside of SB for over a year now, never a problem. I don't remember my settings in Sandboxie but I probably had to allow VB startup permission and access to the Internet, or something like that. When I get home I can check if you want me to. This is on a WinXP 32bit system.

Acadia

 

Eh..no..actually can do quite a lot

IIRC, cant install any tool with kernel drivers in SBoxie, but can run any previously installed tools. ??
( with tweaks as noted )

 

I do everything in Linux

 

Ok take it easy guys, I am NOT going to initiate an OS debate of Linux vs windows . I was talking from my perspective of the apps I need working which only function on windows. (and yes I know about WINE but apprently it doesnt cut it)

However, I am looking forward to those who can respond to my former inquiry of wht exploiting a sandboxed driver implicates.

Peace out