Can malware "cross" virtual machines?

Discussion in 'sandboxing & virtualization' started by wearetheborg, Aug 28, 2010.

Thread Status:
Not open for further replies.
  1. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    I read this interesting thread:
    https://www.wilderssecurity.com/showthread.php?t=249990
    It got me wondering: are virtual machines bulletproof in the sense that malware cannot crosss the VM? Say for virtualbox.
     
  2. wat0114

    wat0114 Guest

    If you run your vm in a host Standard (LUA) account, you should be pretty much bullet proof. I will gladly run any malware thrown my way in my vm without the least concern of it jumping, ninja-like, in to my host and infecting it.
     
  3. Dogbiscuit

    Dogbiscuit Guest

    If a security vulnerability in VM software is known to an attacker and is unpatched, it can be exploited like a vulnerability in any other type of software used for security (i.e., Sandboxie). Running as a restricted user in the guest VM can prevent attacks out to the host, depending on the nature of the vulnerability being exploited.

    There are a few known security vulnerabilities in VirtualBox 3.x, but these aren't considered very serious.
     
    Last edited by a moderator: Aug 29, 2010
  4. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    I am a total newbie on those VMs, and what would have me concerned is to find a sure way to keep my second and external hard drives well protected anough of any infection possibly trying to jump aboard them.
     
  5. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    You know, and some will consider this going too far, if you are really concerned about becoming infected, you can always run your VM on a machine that is protected by a lite VM program such as Returnil, ShadowDefender, etc.

    I have done this in the past, activated ShadowDefender, then turned on VirtualBox. Also, inside of VB I run a Linux Distro, so an infection would have to get thru Linux, then VB, then a reboot of SD in order to infect my system. I don't want to say that is impossible because I don't want to become over confident and when you become over confident is when you get nailed, but still, I just don't see how an infection could get thru that many layers with each one layer being so potent. By the way, all of this runs quite smoothly on my system.

    Acadia
     
  6. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Do you also run Selinux/AppArmor in the linux VM?
     
  7. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Keep an eye on Qubes from The Invisible Things Lab - its at alpha stage now (but awesome already) with a number of things and exploits that have presented themselves need ironed out.

    I've had a few PoCs in the past concerning this although few and far between that get plugged very quickly.

    edit : there's me telling you to keep an eye out for QubesOS and I noticed you've started a thread about it, lol :rolleyes::) .
     
    Last edited: Aug 29, 2010
  8. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    Yes, so true, I had forgot about the use of Shadow Defender in those occasions to protect all my drives, great idea and thanks, Acadia.
    But about running VM inside another VM, I would be too afraid to multiply (if not square or cubify) my nullities in that area by using this aproch.
    And there is also available this other conceptual option going by unplugging those external drives that I could also try :)
     
  9. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Running the same type of vm inside a vm is quite useless and unneeded. Shadow Defender seems a nice insurance as Peter will testify and has extensively tested but running in LUA is also a nice solution.
    I run VMWare Workstation on Windows and Linux (also have Fusion) but running VMWare on Linux with Windows guests is very safe.
     
  10. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
  11. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    shadow defender hasn't been update but seens still quite strong.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Meriadoc is right. That is exactly what I do. I use VMware Workstation, and keep it up to date. When I am playing with nasties, I do run the VM machine on the SD protected host.

    While true neither may be bullet proof, it does offer added protection, and I've never been hurt this way.

    Pete
     
  13. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Yo, people, I do NOT run a VM inside of another VM; running VirtualBox on a system protected by ShadowDefender is not quite the same.

    No, I do not use any protective software on my VM Linux other than NoScript running on Firefox when I surf on the VM Linux, but I do have Online Armor and Anti-Executable (along with the usual AV and AM) on my main system. Yes, I know some folks will think this is more than necessary, but as long as it all works so smoothly, and nothing is running slow, why not? I don't like RAM and processor cycles just sitting there doing nothing. I spent the money for all of this power, might as well put it to use and what better use than for security? (and besides, its just plain fun playing with all of this stuff) :D

    Acadia
     
    Last edited: Aug 29, 2010
  14. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    No, its not...I would also add LUA+SRP to the mix :D
     
  15. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    Yo too goes to you, Acadia.

    My (lexical handicap) fault.

    I just mix an "ON" for an "IN" in reading
    << you can always run your VM on a machine >> !

    Sorry for the confusion
    :) o [

    --
    EDIT added an hat on my emoticon
     
    Last edited: Aug 29, 2010
  16. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    That's why I use the sig that do, well, at least here at Wilder's. :cool:

    Acadia
     
  17. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Oh yeah, I've forgot to mention, I do this ALL inside of Sandboxie, except for the ShadowDefender part.

    IN SUMMARY (ignoring the average everyday folks protection like AV and AM which I also recommend and use myself), and I usually don't do all of this at the same time, just no need to, its just there if if I want it, MAXIMUM PROTECTION: first protect all 4 of my hard drives with ShadowDefender; then open up VirtualBox inside of Sandboxie; then surf using Firefox with NoScript inside of a Linux distro.

    Sorry to repeat this, I can't believe that I left out Sandboxie, one of my favorites: In order to be infected if I surfed in this ultra safe mode first the "bug" would have to get thru Firefox protect by Noscript, then survive the unfriendly environment of Linux, then survive being dissolved by VirtualBox, then being dissolved by Sandboxie, then being dissolved by ShadowDefender when I reboot.

    Do I even need to mention Online Armor, Anti-Executable, and my AV and AM at this point? :D

    Again to repeat myself, I know that this is extreme, but my system can easily handle this, and nothing beats knowing that I can surf freely without fear. :cool:

    But most of all, I enjoy all of this stuff, I know, you're all saying "Acadia, you really do need to get yourself a life."

    Acadia
     
  18. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    I'm not sure that analysis is correct, in that its not like the malware has to first penetrate (he he he I said penetrate...) linux then virtualbox etc. More likely, a bug can directly hook into the windows disk drivers and go right through each security measure.

    I'm curious Acadia, why dont you also do this in LUA, and maybe use SRP?
     
  19. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Whoa Acadia, someone needs a break :D in all seriousness though what parts of the web do you surf that needs this biohazard level containment? :cautious: :ouch: :D Maybe the NSA should use your security setup on their machines:D :D --The only thing wrong with this setup my friend is the massive potential for security software conflicts which can undermine your cyber fort knox.

    all this kernel hooking on the host can cause breaches due to software bugs as I recall with what happened before with AVs and sandboxie etc. There is also the sandboxie and SD folder excclusion causing unshadowed file to appear outside of sandbox. part of the exercise here, is to strike a balance of robust security with no potential, fatal conflicts that outdo the setup.

    Maybe Linux is ok for browsing but besides that you cant really do much else. Part of having a vm is appreciating the fact that you can have the full functionality of windows while enjoying higher security. but even then, I personally would never utilize a vm connected for a browsing sandbox because driveby worms could infect the host via vm networking hence rendering all of this fisco useless. I regard securing the host is actual priority, it should be secure enough for any risky surfing anyways -- hence not requiring I do not require a vm for that purpose. this is becuase everything on the host s default deny.
    testing viruses in a isolated vm is best -- no shared folders/ networking at all. Even though vm are disposable, their being part of the host (being installed on your real system) will always open room for possibilities of infection.
     
  20. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    LOL!! Believe it or not I don't surf anywhere that I would not want my wife to see, I just love this stuff (I know, I know, someone really has to get a life). Like stated before, all this stuff plays quite nicely together on my system. The only reason that I am using Linux is because I was not about to purchase another license for Windows when I could get Linux for free. All that I use Linux for is surfing; I do not mind the wasted hard drive space, most of my drive is still empty anyways.

    To repeat, I know this is extreme but I enjoy the playing. (And it is sort of a cozy feeling that I do not need to worry about getting a drive-by-download from a friendly site that had been hacked).

    I don't trust VM to totally protect me which is why I open the VM inside of Sandboxie: layers. By the way, Sandboxie and VirtualBox work perfectly together on my system as if they were made for each other.

    Acadia
     
  21. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    I am a little confused as to how a program that has drivers like vbox can run unencumbered in sandboxie. I had read once that if something was to exploit a flaw in the driver component of a sandboxed program ( thats installed on the original OS ) then it had a free pass to reach the outside.
     
  22. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    I don't know what to tell you, I just know that it works. I've been using VB inside of SB for over a year now, never a problem. I don't remember my settings in Sandboxie but I probably had to allow VB startup permission and access to the Internet, or something like that. When I get home I can check if you want me to. This is on a WinXP 32bit system.

    Acadia
     
  23. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Eh..no..actually can do quite a lot :cautious:
    IIRC, cant install any tool with kernel drivers in SBoxie, but can run any previously installed tools. ??
    ( with tweaks as noted )
     
  24. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    I do everything in Linux :cool:
     
  25. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Ok take it easy guys, I am NOT going to initiate an OS debate of Linux vs windows :D :) ;) :p :D :D . I was talking from my perspective of the apps I need working which only function on windows. (and yes I know about WINE but apprently it doesnt cut it):ninja:

    However, I am looking forward to those who can respond to my former inquiry of wht exploiting a sandboxed driver implicates.

    Peace out :thumb:
     
Loading...
Thread Status:
Not open for further replies.