Double Virtualization ??

Discussion in 'sandboxing & virtualization' started by Ranget, Feb 5, 2012.

Thread Status:
Not open for further replies.
  1. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    Hi guys, a new question popped up in my mind

    A malware that has an anti-virtualization technique that can escape from the virtual environment and infect the host

    Will it be able to escape if I ran VMware inside of VMware
    or Virtual PC inside of VMware?
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    If the malware can exploit VMWare then running VMWare in VMWare won't help. Running VirtualPC in VMWare probably would.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    Does that work? The last time that I checked, I found no way to do double virtualization.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    No clue, I'd be surprised if you could run a VM in a VM honestly but you could run one in Sandboxie.
     
  5. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    I've tried VMware in vbox and it works but needs a good config
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    Please say more about that.
     
  7. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    I've tried VMware Workstation in VirtualBox: I wanted to know which VM to use and I didn't want to install both (I was fearing some conflicts). So I tried this, but my notebook isn't powerful enough for it to be usable.
    So it's possible but I don't know if there's an interest.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    o_O

    VMware Workstation and VirtualBox are both applications. Versions of both are available that run on Windows and Linux. Both can run Windows and Linux VMs. But neither, as far as I know, can run applications. So VMware Workstation must have been running in some OS, which was running in VirtualBox.

    Or was it VMware ESXi? Maybe that will run as a VM.

    There's a thread about running Virtuozzo/OpenVZ as a VM, I think.
     
  9. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    It was Workstation inside vbox, I'm sure.
    And why it works I don't know, I did the test out of curiosity, that's all :p
     
  10. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Running a VM in Sandboxie would lose the benefit of CPU virtualization if supported. Personally, if I felt the need for two lots of virtualization I'd run it the other way, SBIE within the VM.

    As for running a "full-on" VM within another VM, even if possible that's a huge drain on resources for very little benefit.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Why?/ How?
     
  12. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I might be incorrect but I don't think that VMWare software would even install correctly within SBIE, let alone allow Ring 0 access. SBIE doesn't support any driver installation/high level access.

    http://www.sandboxie.com/index.php?FrequentlyAskedQuestions

    "Sandboxie also prevents programs executing inside the sandbox from loading drivers directly. It also prevents programs from asking a central system component, known as the Service Control Manager, to load drivers on their behalf. In this way, drivers, and more importantly, rootkits, cannot be installed by a sandboxed program."
     
    Last edited: Feb 7, 2012
  13. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    780
    I run Sandboxie in Shadow Defender Shadow Mode

    but I also run Avast Pro and Malwarebytes on demand

    I just go out of Shadow Mode for AV update
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I don't think VMware/Virtualbox need that kind of access. Maybe for internet access or something.
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I think I remember user ssj100 (a former WSF user) running VirtualBox within Sandboxie just fine. I'd imagine to be more problematic to run VMWare inside Sandboxie, though... that thing is HUGE!! So, you'll have to spend more time figuring out the kind of access that it needs. :eek: :D
     
  16. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Unless you are hoping to test malware, that absolutely is not necessary. The biggest risk for a home user using a VM is their VM box getting popped and whatever baddie they pick up stays within the guest and may attack the LAN. If you want to harden yourself, stick to only one type 2 hypervisor and do the following:

    1. The biggest risk to your network is having the guest stay bridged to your host NAT, that is a big no no, keep the guest OS totally isolated on its own NAT. Adjust firewall rules accordingly assuming internet access is required. If it is not then disable it completely.

    2. No shared folders between guest and host

    3. Disable clipboard sharing between guest and host. You do not want to pick up a java-click exploit on a linux guest only to have it affect your windows host.

    4. Take snapshots of your VM guest as a clean install, always revert back when possible if you have been using the machine for malware testing.

    Again the biggest risk to home users is having their guest os infected and attacking their host or other computers through their LAN. Not saying what you proposed doesn't exist in practice though a lot of these vectors are sealed if you follow the steps I have suggested above.
     
    Last edited: Feb 7, 2012
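
The four-step checklist in the post above can be checked mechanically. The following is an added example, not code from the thread or from any poster; it assumes VirtualBox as the single type 2 hypervisor and audits constructed samples in the `key="value"` format printed by `VBoxManage showvminfo <vm> --machinereadable`. The function names `parse` and `audit` are illustrative.

```python
import re

# Constructed samples in the key="value" format printed by
# `VBoxManage showvminfo <vm> --machinereadable` (not taken from the thread).
RISKY = '''name="malware-lab"
nic1="bridged"
bridgeadapter1="eth0"
nic2="none"
clipboard="bidirectional"
SharedFolderNameMachineMapping1="samples"
SharedFolderPathMachineMapping1="/home/user/samples"
'''
HARDENED = '''name="malware-lab"
nic1="nat"
nic2="none"
clipboard="disabled"
SnapshotName="clean-install"
SnapshotUUID="00000000-0000-0000-0000-000000000000"
'''

def parse(text):
    """Turn key="value" lines into a dict, dropping the quotes."""
    cfg = {}
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if sep:
            cfg[key.strip().strip('"')] = val.strip().strip('"')
    return cfg

def audit(cfg):
    """Return (step, finding) pairs, numbered like the checklist in the post."""
    out = []
    for key in sorted(cfg):
        if re.fullmatch(r"nic\d+", key) and cfg[key] == "bridged":
            out.append((1, f"{key} is bridged onto the LAN; use NAT or disable it"))
    shares = [v for k, v in cfg.items() if k.startswith("SharedFolderName")]
    if shares:
        out.append((2, "shared folders defined: " + ", ".join(sorted(shares))))
    # A missing clipboard key is reported rather than assumed safe.
    clip = cfg.get("clipboard", "not reported")
    if clip != "disabled":
        out.append((3, f"clipboard sharing is {clip}"))
    if not any(k.startswith("SnapshotName") for k in cfg):
        out.append((4, "no snapshot exists to revert to after testing"))
    return out

if __name__ == "__main__":
    for label, text in (("risky", RISKY), ("hardened", HARDENED)):
        print(label, audit(parse(text)) or "no findings")
```
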
  17. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    You cannot nest virtualization like that unless you have virtualization extensions in your processor. Without VT-x this setup would not be possible. As other advice suggests, you should install 2 different types of hypervisors. I don't imagine you will get any reasonable performance with this setup though.

    Another suggestion is to run Qemu within your type 2 hypervisor if you lack VT-x.

    Using NAT mode for a guest only prevents the host communicating to the guest, but not the other way around. NAT mode acts like a virtual router. This would defeat the purpose of securing the host from guest attacks.


    I think we should direct this thread to discuss how you could harden the hypervisor processes running on the host through using sandboxing. What kind of settings would you need to do this?
     
  18. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    By default the guest will interact with the host at some level; I am more along the lines of protecting the network from the guest. I read over my original post and I see I made a typo and went host happy. I meant to say:

    The VM software would act as a router and your guest would be of a private subnet belonging to that VM, where the guest IP is not visible from the outside. Assuming internet access is required.
     
  19. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Might as well run a virtual machine within a LiveCD. Sounds more feasible to me.
     
  20. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    How? Do you mean that you're running a livecd's virtualbox from within a virtualized environment?

    Virtualbox
    ...LiveCD
    .......Virtualized instance of Virtualbox
     
  21. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    This works:

    host: VMware ESXi 4.1 on Dell R710
    guest/host: Owl 3.0 (with OpenVZ)
    guest: Ubuntu 10.10
    I wonder whether Owl/OpenVZ will run inside commercial Virtuozzo VPS.

    Of course, OpenVZ containers aren't really VMs, but maybe close enough.
     
  22. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,694
    Why? What's the point? What exactly is going to escape and where ... Besides, if you don't have any malware in the first place, then nothing else matters.

    OT, if you must, use a linux host and that's it.

    Mrk
     