Virtual Machines

Discussion in 'sandboxing & virtualization' started by ssj100, Aug 12, 2009.

Thread Status:
Not open for further replies.
  1. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Well, basically the live CD is a fully implemented OS in itself, usually a Linux distro but it can be Windows too, that runs entirely in RAM. Since it's read-only it's immune to infection, and these can also be run within a VM if required. There's no need for the system it's used from to have a pre-installed OS, or even a hard disk for that matter.
     
  2. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Yes, fair enough, it could happen in theory, but statistically the odds against it are astronomical. All we can do is make ourselves a tiny target and hope for the best after that. Anyway, online banking hasn't any appeal to me, especially since this gorgeous blonde started on the counter at my local branch. ;)
     
  3. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Wouldn't this be mitigated if you are behind a router?
     
  4. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Yes, it could be, depending on what you allow through your router. Against browser vulnerabilities, though, the router wouldn't help; not browsing infected sites would.
     
  5. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    So based on what I've read, and what you and Windchild are telling me, I can just pop a Live CD into any of my computers, and presuming the BIOS is set to boot from disk, it will boot the OS from the CD. Since the CD is read-only, it can't be infected. So it will be free of any infections. I can then use this to do my online banking and when I'm done shut it down. Since it's running in RAM all info will be lost, right? Absolutely no trace of anything I've done, not even on the hard drive or the OS installed on it, right?

    And since the host OS isn't activated, even if it has key/screen/etc loggers, they won't be active and can't steal my info, right?

    Hell, based on what you're saying I can just load the Live CD onto a system with no hard drive, do whatever I want and poof, it's all gone when I finish, right?

    Now lets say I want to use the Live CD to download attachments, etc from sensitive e-mail, I assume that I can download and view/make changes to these attachments using the RAM right? And if I permanently wanted to make any changes, I could then save said attachments to a usb stick, etc right?

    Although, if by some coincidence I were to get infected, then there is the possibility that the malware may find its way onto the storage media in question, and if I were to load said storage media onto the Live OS the next time I used it before doing any banking, then there is the possibility that my OS would get re-infected and my info may be stolen, right?
     
  6. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    So if I go directly to my banking site, I should be safe. Unless of course my bank's site has been compromised or my homepage was compromised and something downloaded before I could stop the homepage from loading.
     
  7. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    But if I were to run the Live CD in a vm, and the host was compromised, would key/screen/etc loggers on the host be able to capture my data?
     
  8. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Yes. So, extremely good chances that you'd be safe. :) Stuff like attacks against your ISP's DNS servers and such might work, but aren't exactly commonplace.

    Yes.

    Yes. Live CDs don't write to the HD on their own - there may not even be a HD in the system which they could write to! Everything happens in RAM, so unless one can recover something from RAM (good luck with that), there won't be traces of your data or what you've done on the system.

    Correct. Nothing on the "host OS" will affect the live CD in any way. Actually, there isn't even a host OS, unless you're using virtual machines to run the live CD. The OS that may be on the hard drive (there does not need to be an OS installed there for you to use a live CD on the system, and there doesn't need to be a hard drive either) is doing absolutely nothing when you've booted from the live CD. It's like it doesn't exist, and even if it's infested with all kinds of malware it won't do anything to the live CD environment. Kernel-mode rootkits, even MBR infections - none of these will matter at all, and won't affect the live CD in any way.

    Precisely!

    Yep. If the live CD supports USB, you could use USB sticks, or you could mount an existing hard drive and write files there.

    Right. That would require, though, that the infected files on the storage media could be executed somehow. Generally, it would require you to execute them manually. So, not very likely.


    It's not all dancing on roses, though. Once you try a live CD, you may notice that they can be painfully slow in many tasks. But doing light tasks like browsing works just fine, even if the system may not be the snappiest in the world.
     
  9. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    It's quite complicated. You'd have to read the vulnerability descriptions to know what they can be used to do, and I've not done that since I don't use Virtualbox and saw the vulnerability reports at a glance at Secunia or some place like that a long time ago. But my (uneducated) guess in this case is that denial of service means malicious code running in the virtual machine could crash the host OS and effect DoS in that way, and that privilege escalation means someone logged into the real host OS with a nonprivileged account can exploit the installed or running virtualization software to gain root/admin privileges on the host OS. So that wouldn't be malicious code breaking out of the virtual environment and infecting the host OS, but that's just my guess without knowing more of the vulnerabilities. I'm not really familiar with all the terminology of vulnerabilities when applied to virtualization software. It's complex enough when applied to other software! :D So, one would have to see the descriptions of the vulnerabilities to be sure of the impact.

    It's not something that I would do. I would rather concentrate my efforts on running the actual, real system safely instead of using virtual machines on top of it as some kind of a security layer between the world of malware and the real system. But then, some people do use virtual machines for security purposes and have success with that, and it's fine if you know the limitations (like resource impact and possibility of adding vulnerabilities that affect the real system as well). Running Linux in a virtual machine on a Windows host should be "safer" than many other configurations that run Windows only, since the brunt of malware and exploits in the wild is targeted against Windows and there aren't exactly loads of ITW attacks against virtualization software. But if one is inclined to Linux, I'd just install Linux on the hard drive, or at least use a Linux live CD. I personally don't really like virtual machines for any security purposes. For security, simpler is often better (because less software means less attack surface, less vulnerabilities in the system) and virtualization isn't really that simple stuff. And then, I consider myself a rather heavy user of hardware power, and try to save on that, so I wouldn't run virtualization for anything other than on some specific system for testing something. There's also that virtualization only "protects" one way: you can most often protect the host OS from bad stuff going on in the virtual machine unless there are vulnerabilities in the virtualization software, but you can't reliably protect the virtual machine from bad stuff running in the host OS, so you still have to secure the host OS.

    Depends on the distro. (tm) :D If the distro is reasonably hardened and doesn't have everything wide open to the world, and/or you put it behind a firewall, I'd claim it's safer to run Linux without any added security software than it is to run Windows with most any AV or HIPS product. That would be due to things like there being very little malware for Linux and loads for Windows.
     
  10. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Here, have a look at the CPU monitor to the right! Just click on the picture.

    TH
     

  11. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Hi Windchild,

    Thanks for your response, you've helped me greatly understand the workings of Live CDs.:thumb:

    So where can I get one of these Live CDs? Do I download the files and burn them myself? I think the downloaded installation files for Ubuntu can be used to create a Live CD/DVD as well.

    What happens if my pc has an infection, what are the chances that any malware might find its way onto the CD/DVD as I am burning it?

    I assume having plenty of RAM will help the performance of a Live CD? How well can Ubuntu perform on 4 gigs of RAM? Is it worthwhile upgrading the RAM to 8 gigs? Will I see an improvement in the performance of the Live CD?
     
  12. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Many routers today have a full Linux OS. Malicious code can be loaded into the memory of its system, leaving a MITM situation. Most people never turn off their router to empty the RAM, leaving reinfection of any connected system easy. ;) RAM infections will persist until power is removed. If you like to surf risky sites this is a real possibility, haha :D.
     
  13. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    My point is routers are computers too.
    Most don't think to check their router after an infection.
    After going to any risky sites, I reset and give it all new info, including releasing the dhcp for a new IP.
    This makes the router an infection vector outside your secure, haha, VM, allowing you to be middled.

    I think you are one of the rare few who remove all power from all devices.
     
  14. JohnnyDollar

    JohnnyDollar Guest

    This is off topic but...My router stays on when I turn my PC off. I do however reboot it every now and then or unplug it and plug it back in. I had no idea that a router could be infected. I have mine password protected and assumed that was enough. With that said my pc never gets infected (knock on wood) anyway. :D I ought to start a thread about how a router gets infected because that is a new one on me.
     
    Last edited by a moderator: Aug 15, 2009
  15. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Unfortunately, the answer to questions like that is "it depends." :D Security is a complicated issue - there's a load of things to consider from the amount of vulnerabilities in the software in question to the amount of in-the-wild exploits against those vulnerabilities, from the amount of malware in-the-wild to ease of configuring the system for security and so on and so ad nauseam. And therefore there aren't always very simple, 100 % clear answers. You can run some pretty darn secure Windows configurations when you do it right. The often repeated mantra that Windows is just somehow fundamentally insecure as compared to other modern operating systems and that no-one can be even reasonably safe in Windows is just a lot of hot air.

    Now, on the other hand, you could look at it like this: there is a boatload of malware for Windows, but very little for Linux. So, if Joe User starts randomly downloading stuff from the web and executing them with superuser privileges, there's a really good chance he'll get infected with something rather bad in Windows, but most likely he won't be infected with anything at all in Linux. There just isn't much Linux malware around to be found that you could infect yourself with. So, for users that are inclined to execute anything they see, Linux is safer than any Windows configuration that allows the user to execute "unknown" files. Right now, at least. Some day in the future, who knows how things will be.

    That's really one of the reasons why so few people use an AV in Linux. There isn't much for the AV to scan, except Windows malware and macros in common office programs and such. And since Linux folks as a rule don't do everything as root, it's not trivial to infect the whole system like it is in Windows where most people happily run as admin all the time.

    But again, I wouldn't bother to run Linux in a VM on top of Windows. I just install Linux on the hard drive. Plenty of good Linux distros around, and I want to be able to use them without virtualization slowing things down. :) And for those who don't want to install Linux on the HD, there's always live CDs. For those who really want to use Linux in a VM, you can do it, and it's pretty safe. :) Oh, and you can't attack the Windows host OS from the Linux VM without exploiting some serious vulnerability in the virtualization software, and it'll be hard to find those exploits in the wild. (Well, of course, you could make a mistake yourself, and bring some file from the virtual machine into the host, and if you then execute it, and it's malware... But the solution is: don't do that.)

    Practically nothing is bullet-proof. VMs certainly aren't. On the other hand, they are tough enough for most users, so in that sense one could say they're "bullet-proof enough, even if not absolutely bullet-proof." For testing malware or exploits, there are two problems with virtual machines: 1) If you're unlucky and there's a serious vulnerability in your virtualization software, the malicious code may be able to get out of the virtual machine and into the host OS, which could be bad, depending on what you do with the host. 2) If the malware happens to be aware of virtualization software, it might realize it's been executed in one, and might behave unexpectedly - such as, it might not do anything malicious at all, instead opting to play nice until it thinks it's safely outside any virtual machines. Number two is one of the reasons why "testers" sometimes get things wrong, thinking some file that was sent to them as suspicious isn't malicious just because it didn't do anything in VMware - the malware was clever, noticed it was running in VMware and pretended to be nice.

    It all depends. Windows and software for Windows are a favourite target to many bad guys. On the other hand, some open-source stuff gets frequently attacked: like Apache, since it's almost everywhere where people are running webservers. But then, getting beaten either kills you or makes you tougher, and Apache got tougher. As for "genuine malware", I'm not sure what that means. Windows Genuine Advantage, maybe? :D But of course, while Linux malware is rare, it still exists. And some people have been unlucky enough to get infected with one. I personally know one guy who got his Red Hat system owned by the Ramen worm way back when Windows 2000 was the latest and greatest Windows. He thought that couldn't be possible, since he wasn't using, "any ridiculous DOS-based Windoze by Mickeysoft" (that's how he said it, except of course that's a translation to English that has lost much of its original comedy value)

    Oh, and sorry for the long answer. :D


    Yeah, you download them and burn the isos on a CD or DVD, depending on the size. Live CDs are hosted by a lot of places. I think Ubuntu's was here: https://help.ubuntu.com/community/LiveCD

    Distrowatch ( http://distrowatch.com/ ) is a good place to visit when looking for Linux distros, live CDs included. There's a wide range of live CDs in existence: Damn Small Linux is a miniature live CD less than a hundred megs in size and on the other end of the scale there's stuff like the hugely large Knoppix live DVD with a lot of software on it. Here's a little list: http://distrowatch.com/dwres.php?resource=cd

    If your Windows PC has an infection, the chances of that infection spreading to the Linux live CD you are burning are very close to zero. So close that I wouldn't worry about that. I haven't ever heard of anything like that happening.

    And yeah, more RAM seldom hurts. If you have lots of RAM, you may even be able to load the entire live CD into RAM and still have free RAM left for other things, which would translate to blazing fast speeds. :)

    But I guess I'm getting a little off-topic from "virtual machines". :eek:
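    Added example, not from Windchild or anyone else in the thread: the VM-awareness described a few paragraphs up, shown as the checks themselves. Malware that "plays nice in VMware" typically looks for the same things an analyst can see from inside the guest: the CPUID hypervisor bit (which Linux exposes as the "hypervisor" flag in /proc/cpuinfo) and the vendor/product strings the hypervisor's virtual BIOS puts into DMI (under /sys/class/dmi/id/ on Linux). The script classifies a Linux guest from those two sources. The marker strings are typical values I am assuming for each product, and the sample cpuinfo and DMI inputs are constructed, not captured from any real machine.

```python
"""VM-awareness check for a Linux guest: CPUID hypervisor flag plus DMI strings.

Added example; the marker strings are typical values assumed for each product.
"""
import os
from typing import Dict, List, Optional, Tuple

# Lower-case substrings each hypervisor's virtual firmware tends to put into the
# DMI vendor/product fields. Assumed typical values, not an exhaustive list.
DMI_MARKERS: Dict[str, Tuple[str, ...]] = {
    "virtualbox": ("innotek gmbh", "virtualbox", "oracle corporation"),
    "vmware": ("vmware",),
    "qemu/kvm": ("qemu", "bochs", "seabios"),
    "hyper-v": ("virtual machine",),
    "xen": ("xen", "hvm domu"),
}

# DMI fields read from /sys/class/dmi/id/<field> on Linux.
DMI_FIELDS = ("sys_vendor", "product_name", "board_vendor", "bios_vendor")


def cpuinfo_has_hypervisor_flag(cpuinfo_text: str) -> bool:
    """True if a 'flags' line lists 'hypervisor' (CPUID leaf 1, ECX bit 31)."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            _, _, flags = line.partition(":")
            if "hypervisor" in flags.split():
                return True
    return False


def classify_virtualization(cpuinfo_text: str, dmi: Dict[str, str]) -> Tuple[Optional[str], List[str]]:
    """Return (product name or None, list of evidence strings)."""
    joined = " | ".join(f"{f}={dmi.get(f, '')}" for f in DMI_FIELDS).lower()
    evidence: List[str] = []
    product: Optional[str] = None
    for name, markers in DMI_MARKERS.items():
        hits = [m for m in markers if m in joined]
        if hits:
            evidence.append(f"dmi matched {name}: {hits}")
            product = product or name
    if cpuinfo_has_hypervisor_flag(cpuinfo_text):
        evidence.append("cpuinfo: 'hypervisor' flag set")
        product = product or "unknown hypervisor"
    return product, evidence


def read_live_system() -> Tuple[Optional[str], List[str]]:
    """Classify the machine this runs on (Linux paths; empty inputs elsewhere)."""
    try:
        with open("/proc/cpuinfo", encoding="utf-8", errors="replace") as fh:
            cpuinfo = fh.read()
    except OSError:
        cpuinfo = ""
    dmi: Dict[str, str] = {}
    for field in DMI_FIELDS:
        try:
            with open(os.path.join("/sys/class/dmi/id", field), encoding="utf-8", errors="replace") as fh:
                dmi[field] = fh.read().strip()
        except OSError:
            dmi[field] = ""
    return classify_virtualization(cpuinfo, dmi)


# Constructed sample inputs (not captured from any real machine).
SAMPLE_CPUINFO_VM = "processor\t: 0\nflags\t\t: fpu vme de pse tsc msr pae hypervisor lahf_lm\n"
SAMPLE_CPUINFO_BARE = "processor\t: 0\nflags\t\t: fpu vme de pse tsc msr pae lahf_lm\n"
SAMPLE_DMI_VIRTUALBOX = {"sys_vendor": "innotek GmbH", "product_name": "VirtualBox",
                         "board_vendor": "Oracle Corporation", "bios_vendor": "innotek GmbH"}
SAMPLE_DMI_VMWARE = {"sys_vendor": "VMware, Inc.", "product_name": "VMware Virtual Platform",
                     "board_vendor": "Intel Corporation", "bios_vendor": "Phoenix Technologies LTD"}
SAMPLE_DMI_BARE = {"sys_vendor": "Example Hardware Co.", "product_name": "Workstation 9000",
                   "board_vendor": "Example Hardware Co.", "bios_vendor": "Example BIOS Ltd"}

if __name__ == "__main__":
    for label, cpu, dmi in (("virtualbox sample", SAMPLE_CPUINFO_VM, SAMPLE_DMI_VIRTUALBOX),
                            ("vmware sample", SAMPLE_CPUINFO_VM, SAMPLE_DMI_VMWARE),
                            ("bare-metal sample", SAMPLE_CPUINFO_BARE, SAMPLE_DMI_BARE)):
        print(label, "->", classify_virtualization(cpu, dmi))
    print("this machine ->", read_live_system())
```

    Run it unchanged on a Linux box to see what a sample would see there; on bare metal it returns no product and no evidence. These are exactly the strings a hypervisor normally lets you override, and changing them before analysis is the first thing to do before concluding that a sample which did nothing in a VM is harmless.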
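    Added example, mine rather than any poster's: the check worth doing before burning a downloaded live CD. Distributions publish a SHA256SUMS file next to the image; comparing the download against it catches a corrupted or swapped file, and is the practical answer to the worry above about an infected Windows PC touching the image, provided the checksum itself comes from somewhere the infected machine cannot have altered (the distribution's signed checksum file, or a hash read on a second, clean machine). The script parses the GNU sha256sum format and verifies a file. The "ISO" it uses is a few constructed kilobytes written to a temporary directory, and the file name live-cd.iso is an assumption for the demo.

```python
"""Verify a downloaded live-CD ISO against a SHA256SUMS file before burning it.

Added example; the file name 'live-cd.iso' and the sample image are constructed.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Tuple


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so multi-GB images need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse GNU 'sha256sum' output: '<64 hex>  <name>' or '<64 hex> *<name>'."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition(" ")
        name = name.lstrip(" *")  # text mode uses two spaces, binary mode ' *'
        digest = digest.lower()
        if not sep or not name or len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed checksum line: {line!r}")
        table[name] = digest
    return table


def verify_iso(iso_path: str, sums_text: str) -> bool:
    """True only if the file's SHA-256 matches the entry listed under its basename."""
    expected = parse_sha256sums(sums_text)
    name = os.path.basename(iso_path)
    if name not in expected:
        raise KeyError(f"{name} is not listed in the checksum file")
    # constant-time comparison is a habit worth keeping even where timing is irrelevant
    return hmac.compare_digest(sha256_file(iso_path), expected[name])


def demo() -> Tuple[bool, bool]:
    """Constructed scenario: a genuine image, its checksum file, and a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "live-cd.iso")
        with open(good, "wb") as fh:
            fh.write(b"constructed live CD image contents\n" * 4096)
        # what the distribution would publish alongside the image
        sums_text = f"{sha256_file(good)} *live-cd.iso\n"

        # a modified download: one byte flipped, same file name so the entry still applies
        tampered_dir = os.path.join(tmp, "mirror")
        os.mkdir(tampered_dir)
        tampered = os.path.join(tampered_dir, "live-cd.iso")
        with open(good, "rb") as fh:
            data = bytearray(fh.read())
        data[100] ^= 0x01
        with open(tampered, "wb") as fh:
            fh.write(data)

        return verify_iso(good, sums_text), verify_iso(tampered, sums_text)


if __name__ == "__main__":
    genuine_ok, tampered_ok = demo()
    print("genuine image verifies:", genuine_ok)
    print("tampered image verifies:", tampered_ok)
```

    The same verify_iso call works on a real download: point it at the ISO and pass in the distribution's SHA256SUMS text. What it cannot tell you is whether the checksum file itself is genuine; for that, check the distribution's GPG signature over SHA256SUMS or compare the hash from a machine you do trust, otherwise malware on the downloading host could rewrite both the image and the checksum you compare it with.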
     
  16. wat0114

    wat0114 Guest

    No, except I thought of this concept jokingly, especially a vm within a vm within a sandbox...etc :D However, I can't believe I'm trying this but I am posting this using Virtualbox (guest is XP pro) running within Sandboxie just to try for kicks and, as it is for you, it is also working extremely well for me too. Honestly, my feeling is this is probably way overkill, but it is working. ssj, have you thought of doing the reverse and running Sandboxie within Virtualbox? I might try it. Security-wise, there is probably little or no difference, but what the heck, I want to give it a try anyways :)
     
  17. Reimer

    Reimer Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    217
    I enjoy the seamless and full window modes of virtualbox

    Full window mode, because I can turn it on and let kids screw around as much as they want and it won't affect my host system.

    Seamless mode is just fun to play around with programs in.
     
  18. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Yea I had thought of this but then shrugged it off. Good to see that it can be done. Though one wonders if sandboxing a vm may introduce any complications or new vulnerabilities because of the manner in which the vm interacts with the sandbox, which may in turn reduce the effectiveness of the protection provided either with the vm or the sandbox?

    If a sandboxed vm can work without reducing the protection provided by either the sandbox or the vm then my security policy having DW untrust everything coming out of the sandbox will be virtually bullet-proof.:thumb:

    Also one wonders if a key/screen/etc logger on the windows host will be able to steal info from a linux vm? Anyone have any ideas?
     
  19. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Thanks for all your responses windchild!

    A Live CD seems like a very secure way of doing sensitive things (eg online banking).:cool: :thumb:

    Oh and 2 last questions:

    1) does IE work on Linux? I ask because some sites work best on IE.

    2) How much RAM can x32 live cd take advantage of? Just the 4 gigs in total, or 4 gigs over above whatever it takes to load the entire live cd? I will assume its the latter.
     
  20. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Hi SSJ, I suppose what you're saying makes sense. So you have virtualbox installed on your real system. And different instances of vb opened in different sandboxes? Is this how it works? And only the vm has run and internet access? Do you have DMR enabled? Will a vm work with reduced rights?

    Your test results are very interesting. One wonders how well the other key/screen/etc logger tests would perform against a vm from the host. One also wonders whether the guest running on a different platform from the host (different brand of OS) would make any difference?
     
  21. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Hi Searching,

    Can you give us more info about router infections? Is powering down the router, something which I do regularly all that is required? If so why do you do all that extra stuff? Feel free to start a new thread on this if you feel we may be taking the thread OT.
     
  22. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    All right thanks for that SSJ, hopefully I will find some time to give this a try.
     
  23. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Yeah, that's why I prefer just installing the OS on the hard drive and being happy with that. :) But in some cases live CDs can be extremely handy: like examining an infected or malfunctioning system.

    Sounds like a pretty interesting trick, although I do rather wonder how that actually works and how useful it really is. I don't know all the things Sandboxie tries to do, and I think you might want to ask Tzuk how it would behave when you try to run something as complex as virtualization software inside it. Meaning, actually how much protection doing that can offer, considering that the virtualization software will use its own drivers to do some things that are required to make the virtual machines work, and those drivers would run in kernel mode on the host OS - and you can't block them, or otherwise the virtualization software will not work, and you can't really control them, either, since they're already in the kernel. Something to think about, perhaps.
     
  24. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    The concept of bullet-proof enough is a really critical one and a nuance that is all too easily lost in the conjectured hypotheticals so easily tossed into these discussions.

    Another nuance that tends to get lost in these discussions is the time dependency of all the answers.

    Want to have an absolutely secure system for all time? Aside from physically disallowing all external communications, eliminating the use of all removable media, and restricting physical access, I can't give you an answer to that question. Nobody can. Any answer provided is, in principle, subject to revision upon the appearance of a currently unknown exploit or vulnerability. That's true for any system and/or OS (Windows, Linux, OSX, etc.).

    However, guidance can be provided toward creating a system that is bullet-proof enough at the current time, and that guidance generally involves very simple easily executed steps and not some elaborate pandimensional construct.

    Blue
     
  25. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    :thumb: Very well said. We can spend all day worrying about things like which HIPS is 0.7 % better than others and how to be safe from BluePill and (enter latest imaginary/proof-of-concept/undetectable/FUD malware here) and how to avoid getting owned by some undiscovered vulnerability in some virtualization software, or we can be realistic and set up a reasonably secure system based on real threats, keep up with the times, and enjoy computing. It's still always good to understand the limitations of whatever one has chosen to do, and to acknowledge that practically all software has vulnerabilities. This is to get a realistic sense of what security is: an ongoing process to stay reasonably safe, as compared to some magical product that you install once to remain 100 % safe from everything for the remaining eternity. In many places, I see far too many people fall for the latter mode of thinking.

    And to put all this stuff in perspective with the subject of the thread, that is to say "virtual machines", one can be "reasonably safe" or "reasonably bulletproof" without any virtual machines at all. Of course.
     