malware affects host from inside V-box?

Discussion in 'sandboxing & virtualization' started by popcorn, Sep 24, 2012.

Thread Status:
Not open for further replies.
  1. popcorn

    popcorn Registered Member

    Joined:
    Apr 3, 2012
    Posts:
    239
    Hi
    I have been running an instance of w7 in a virtualbox for malware detection,
    after seriously breaking the guest OS I scanned and cleaned with hitman pro, during the removal process my host machine "flickered" and I lost internet connection from the host.
    There are no malware signs on either machine (according to CCE, MBAM, HMP and ES) so I'm not overly concerned about that, was just wondering if anyone can shed any light on this...
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Might have just been a glitch. There are local VM exploits that allow execution of code outside of the VM but it's unlikely you ran into one.
     
  3. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,485
    Location:
    Poland - Cracow
    -http://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines
     
  4. Isso

    Isso Developer

    Joined:
    Mar 28, 2009
    Posts:
    1,450

    This link describes something completely different - malware spreading to guest from infected host.

    I'm actually very interested if there is any malware that can affect host from guest, provided that shared folders, Virtual Machine tools etc are completely disabled.
     
  5. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    If your cpu supports virtualization then the isolation of the VM from the host is extremely secure.

    As far as I'm aware the only way it could be compromised is via a targeted attack on a specific vulnerability within the VM software you're using. Even if this hypothetical exploit were to "escape" the VM, it would then have to adapt to the host environment in order to do its thing. Then of course, it'd have to avoid/bypass any security arrangement on the host system, likely to be comprehensive due to the fact that only more advanced users really tend to utilize VMs.

    I doubt that, even if it's feasible, such an exploit would be widespread since there's no real financial incentive (for common malware authors), to go after such high-tech security setups. Not while there are so many easy pickings from the vast swathe of inadequately secured systems/click-happy users out there.
     
  6. Isso

    Isso Developer

    Joined:
    Mar 28, 2009
    Posts:
    1,450
    Thank you andyman, sounds very reasonable! :thumb:
     
  7. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,423
    OP nuke your box. Could be a glitch but I'd rather not take the chance especially if you're doing malware analysis.



    Watch this space. VMware's source code has been leaked and you can be sure bugs are going to come out of that to be used in exploits. With the amount of companies using VMs it's just too fertile ground to ignore.
     
  8. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Probably just a bug, I've done malware work in the past over a bridged virtual connection. Always was amusing to see the host OS HIPS go off when it monitored a malicious link using its NIC. If you kept the guest correctly isolated and it wasn't sharing folders, mouse, clipboard etc you should be fine.

    My word of warning however is if this was on your personal network you should disconnect all other devices from the LAN during testing or keep the guest offline completely. While your host would be secure, the malware can propagate over your network and may infect other nonpatched machines on your LAN.


    If you take proper precaution and know how to monitor your host, this isn't necessary at all.
     
  9. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    That's why I prefer Virtualbox, more chance of any potential vulnerabilities being spotted by the white hats first.
     
  10. Flexigav

    Flexigav Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    57
    Location:
    Australia
    The extra precautions could always try to run VMware from a guest OS running under VirtualMachine and the host OS... Two-tier virtualization! Now that's a bit of a crooked path to get your head around lol! :doubt:
     
  11. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    That kind of thing just makes me dizzy, VMs within Sandboxes within VMs... I'm too old to try and work it out lol o_O
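
Added example, not part of any post in this thread: a check for the guest-to-host channels that posts 4 and 8 say to keep disabled (shared folders, clipboard, bridged networking), run over the output of `VBoxManage showvminfo <vm> --machinereadable`. The sample output, VM name and host path are constructed; the key names are assumed to be the ones VBoxManage prints.

```python
import re

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output
# (not from the thread; VM name and host path are placeholders).
SAMPLE_VMINFO = '''\
name="w7-analysis"
clipboard="bidirectional"
draganddrop="disabled"
nic1="bridged"
bridgeadapter1="eth0"
nic2="none"
SharedFolderNameMachineMapping1="samples"
SharedFolderPathMachineMapping1="/home/user/samples"
'''

FOLDER_NAME = "SharedFolderNameMachineMapping"
FOLDER_PATH = "SharedFolderPathMachineMapping"

def parse_vminfo(text):
    """Parse key="value" lines (keys may themselves be quoted) into a dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r'^"?([^"=]+)"?=(.*)$', line.strip())
        if m:
            info[m.group(1)] = m.group(2).strip('"')
    return info

def audit_isolation(info):
    """Return findings for host/guest channels that are still enabled."""
    findings = []
    # Clipboard and drag-and-drop sharing should both read "disabled".
    for key in ("clipboard", "draganddrop"):
        if info.get(key, "disabled") != "disabled":
            findings.append(f"{key} is {info[key]}: host and guest exchange data")
    for key, val in sorted(info.items()):
        if key.startswith(FOLDER_NAME):
            # Each mapping exposes a host directory inside the guest.
            path = info.get(FOLDER_PATH + key[len(FOLDER_NAME):], "?")
            findings.append(f"shared folder '{val}' exposes host path {path}")
        elif re.fullmatch(r"nic\d+", key) and val == "bridged":
            # Bridged mode puts the guest on the same LAN as other machines.
            findings.append(f"{key} is bridged: guest sits directly on the LAN")
    return findings

if __name__ == "__main__":
    for finding in audit_isolation(parse_vminfo(SAMPLE_VMINFO)):
        print("WARN", finding)
```

An empty result only means these configuration channels are closed; it says nothing about vulnerabilities in the hypervisor itself.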
     