Full virtualization security vs. rootkits

Discussion in 'sandboxing & virtualization' started by Gullible Jones, May 28, 2012.

Thread Status:
Not open for further replies.
  1. How many currently known rootkits are capable of breaking through a virtual machine into the host OS, in a Windows host/Windows guest setup?

    Also, how does the security of different full virtualization solutions compare?

    How about emulators like QEMU (given a fast enough host computer of course)?
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I don't think there are any rootkits that attempt to break out of a VM. VMs are usually used for analysis, not defense.

    I don't think virtualization is really great security. Yes, it's another "hurdle" for malware to get through but:
    1) If you do work in the VM the malware can at the very least hijack your session
    2) They're more like emulators than sandboxes. They're a weird fusion of the two.

    I'd stick to Windows MIAC and Linux AppArmor for sandboxing.
     
  3. Analysis was what I was thinking of, actually. I'm not there yet, but I might get there some day. :)

    From the sound of it though, a better choice for analysis might be a full emulator? Or is this the sort of thing that's done on a dedicated machine behind a strong firewall?

    (Or perhaps on a VM on a dedicated machine behind a firewall?)
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It's all emulation. VMware/VirtualBox aren't ideal for malware analysis necessarily but they're probably fine.

    Just do it on Linux. I've posted VirtualBox AppArmor profiles. Even if they break out they're still stuck.

    There was some program that had an animal for a mascot or something like that. It was made to be a sandbox for malware to run in for proper analysis and it included logging features etc. Can't remember it =\ if I think of it I'll get back to you.
     
  5. Thanks, kind of figured as much. Didn't know you could run VBox under AppArmor though, I thought the vboxdrv kernel driver would nullify any protection from that?

    For what it's worth, I've already done some messing with malware samples from spam under VirtualBox (Linux host), but without any additional isolation. Probably a bad idea in retrospect, thought it would take a damn sophisticated trojan to run effectively on both Windows and Linux. But I guess one cannot be too paranoid when dealing with this stuff.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, with no Internet access (or, at least, not with your IP address) :)
     
  7. Ugh, good point. The IP is problematic. Especially if you want to find out where it's sending data.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I haven't looked at the profile in weeks but I didn't see any massive holes. AppArmor is built into the kernel, therefore it can restrict programs that run as root/kernel.
     
  9. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    True, rootkits may try to detect if they run inside a VM in order to foil any attempt to analyse them. There is no real point in breaking out of VMs (at least not yet :) )

    I disagree. VMs are great for security, but as for any other security solution, they are not enough. The way they are used for that purpose is very important. For instance, running a browsing session inside a VM and getting infected with a keylogger can be a problem if you enter your bank details or any passwords in the SAME session. But if you close it, restore the session from a snapshot and then do some banking, it is perfectly safe. Of course, you can achieve this using a sandboxing solution, but I was trying to point out that it is important to use any security solution in a proper way.
    As for protecting your host, I personally find that using a VM is a good option.
     
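The "restore from a snapshot, then isolate the guest" routine that Nebulus and mirimir describe, written out as an added shell example; it is not code from any poster in this thread. It drives VirtualBox through its real command-line tool VBoxManage (the showvminfo, controlvm, snapshot, modifyvm and startvm subcommands exist), while the VM name "analysis-guest" and the snapshot name "clean" are placeholders. It generalises slightly beyond the posts by also detaching the guest's network adapter before the session starts.

```shell
#!/bin/sh
# Added example (not from any poster in the thread): roll a VirtualBox guest
# back to a clean snapshot and detach its network adapter before a session in
# which something untrusted will run. The VM and snapshot names below are
# placeholders; override them through the environment.
set -eu

VM_NAME="${VM_NAME:-analysis-guest}"        # placeholder VM name
CLEAN_SNAPSHOT="${CLEAN_SNAPSHOT:-clean}"   # placeholder snapshot name
VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"      # path to the VirtualBox CLI

# Return 0 when the guest reports itself as running, 1 otherwise.
vm_is_running() {
    "$VBOXMANAGE" showvminfo "$1" --machinereadable 2>/dev/null \
        | grep -q '^VMState="running"$'
}

# Attach NIC 1 to nothing, so the guest has no path to the Internet.
# (Use "--nic1 intnet" instead if a second guest must observe its traffic.)
isolate_network() {
    "$VBOXMANAGE" modifyvm "$1" --nic1 null
}

# Power the guest off if needed, restore the clean snapshot, then isolate it.
# A snapshot can only be restored on a stopped VM, hence the order.
reset_and_isolate() {
    vm="$1"
    snap="$2"
    if vm_is_running "$vm"; then
        "$VBOXMANAGE" controlvm "$vm" poweroff
    fi
    "$VBOXMANAGE" snapshot "$vm" restore "$snap"
    isolate_network "$vm"
}

# Only act when VBoxManage is actually installed on this host.
if command -v "$VBOXMANAGE" >/dev/null 2>&1; then
    reset_and_isolate "$VM_NAME" "$CLEAN_SNAPSHOT"
    "$VBOXMANAGE" startvm "$VM_NAME"
fi
```

Running this before every risky session gives you Nebulus's "close it, restore the snapshot" discipline without relying on memory, and the null adapter covers mirimir's point: whatever runs in the guest cannot phone home from your IP address. Take the "clean" snapshot once, right after installing the guest and before it ever touches untrusted input.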
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yeah, the real "saving grace" of a VM is that it's restored to a "safe" point.

    It can be used for security. My point is only that it isn't really so much a sandbox as it is a completely separate system.
     
  11. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    That's why when I test out malware, I do it in a VM with the host running in shadow mode. A VM-aware piece of malware might get through the VM, but the chances of it making it past shadow mode are slim to none. Not to say that there isn't malware that can get past both, but I haven't seen any yet. That's why backups are made.
     
  12. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I doubt that any such malware exists, even though it's probably possible to do so. There'd certainly be no commercial value in producing such malware, since the type of people that run dubious stuff in VMs typically operate a high security policy on the host. Far easier to just target the many click-happy folks out there that allow the malware onto their systems without the necessity for malware authors to jump through many technical hoops.
     