Does the use of Virtualbox create a defense against loggers?

Discussion in 'other anti-malware software' started by sun88, Jul 19, 2011.

Thread Status:
Not open for further replies.
  1. sun88

    sun88 Registered Member

    Joined:
    Aug 27, 2009
    Posts:
    66
    First of all I am running Win 7 x64. I am using Trusteer Rapport to strengthen my banking connections. What I'm wondering is whether you think my banking connections would be safer using Win 7 + Virtualbox + Ubuntu or whether you think they are safer using Win 7 + Rapport.

    And also the general question "Does the use of Virtualbox create a defense against loggers?".
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    You'll always be safer going through Ubuntu. But if your Windows 7 is compromised with a keylogger it may or may not help.
     
  3. roady

    roady Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    262
    I think that only a LiveCD can fully protect you from keyloggers....if they can't store themselves temporarily in RAM....:ninja:
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    A liveCD is a good way to do it. No, storing themselves in RAM won't do anything. When you turn your computer off to boot into the LiveCD it'll clear out the RAM anyways.
     
  5. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    There was a thread a while back on a similar topic. As I remember it they ran Linux inside a virtual machine using VirtualBox and then tried to capture the keystrokes using a variety of Windows-based keyloggers. If I remember correctly none of the keyloggers were able to record the keystrokes entered inside the virtual machine. I did a quick search but haven't been able to find the thread; if I do find it I'll post it.
     
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    There won't be any phishing protection by Trusteer Rapport though.
     
  7. sun88

    sun88 Registered Member

    Joined:
    Aug 27, 2009
    Posts:
    66
    Right. I already visited all of my banking sites and turned on Rapport support where needed, so the Rapport logo should be green if I am protected and gray if not. Also, I use NIS and Norton DNS which help protect against phishing.
     
  8. roady

    roady Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    262

    So, isn't it possible that an exploit stores itself in RAM and sends the keystrokes to an attacker before you reboot?
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Why would it matter? You're not doing any banking until you restart your computer anyways. At that point the RAM is emptied.
     
  10. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    If you want to throw another layer of extremely powerful defense into that mixture, you could open up Virtualbox inside of Sandboxie: I've done it.

    In the past, if I wanted to surf, I used LinuxMint installed inside of VirtualBox which I would only open up inside of Sandboxie. This actually worked quite smoothly; this was on a Windows XP host.

    Acadia
     
  11. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    Just did a quick test using the Zemana and SpyShelter keylogging tests. Both had no trouble recording my keystrokes in a sandboxed Internet Explorer but neither could record my keystrokes entered inside a virtual machine running in VirtualBox. Although it's far from a conclusive test it does point to virtual machines giving some defense against keyloggers.

    I attached a couple of screenshots. For each test I typed the same sentence first in Internet Explorer and then inside the virtual machine and as you can see it's only able to log one sentence.
     


  12. x942

    x942 Guest

    Hmm.. Interesting. I just tested against a "commercial" keylogger and it too fails to collect keystrokes from the VM. Metasploit's Meterpreter shell also has a built-in keystroke logger that fails as well.

    I am going to test compatibility of running Vbox inside of BufferZone here. This should be a foolproof way of blocking all attacks. The attack would have to migrate from Linux out of Vbox (Not likely; I only know of one POC that can do that and the VM has to be Windows as well) and THEN out of the sandbox. I have also covered Vbox with EMET for added protection. :thumb:
     
  13. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    Just run a Linux virtual machine with VirtualBox inside a Linux virtual machine running in VirtualBox that's running on a Linux system and you should feel quite safe LOL!
     
  14. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Use Internet and/or Start/Run Access Restrictions if you're going to do that.
     
  15. roady

    roady Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    262
    But they are installed on the host OS, right?
    If you use the virtual machine to browse the net, isn't it possible that a keylogger installs itself on the guest OS and records your keystrokes from there?
     
  16. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    Yeah, the keyloggers were run on the host system. It's definitely possible that a keylogger could install itself on the guest and log keystrokes. My test was simply to show that a virtual machine provides some protection against a keylogger on the host. Say for example a piece of Windows malware somehow manages to get out of the guest and infect the host.
     
  17. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    there are 2 concepts i'd like to suggest everyone consider:
    a) just because some host-bound keyloggers don't seem to be able to log keystrokes when the VM has focus, doesn't mean that none can or that it's not possible.
    b) you should really stop focusing so exclusively on keyloggers when there's plenty of trojans that include screen scraping functionality (which will most certainly not be stopped by a VM) along with the keylogging. screen scraping may not be able to get masked out passwords but there's plenty of things (like credit card numbers) that it can still grab.

    if you focus too much on one narrowly defined type of attack you'll miss related attacks.
     
  18. InfinityAz

    InfinityAz Registered Member

    Joined:
    Jul 23, 2005
    Posts:
    828
    Location:
    Arizona
    My only question is: How many keyloggers are people accidentally having installed on their systems to make this a common issue/concern?

    I'm mainly referring to people on Wilders and not average users.
     