Malware experts I have a question

Discussion in 'sandboxing & virtualization' started by Mr Wonderful, Aug 19, 2010.

Thread Status:
Not open for further replies.
  1. Mr Wonderful

    Mr Wonderful Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    23
    I'm starting my first year of college next week. So I was thinking about making a VM and getting a head start on analyzing samples. I have been contemplating my setup and have come to the conclusion, since I'm now a poor college student, that I can only use my one computer. :'(

    Now to my question: if I were to have a dual-boot system and have my Linux partition host a Windows XP VM, is it theoretically possible for a sample to jump from the VM to my Windows partition?
     
  2. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    What VM are you planning on using in linux?
     
  3. Mr Wonderful

    Mr Wonderful Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    23
    VirtualBox.
     
  4. cgeek

    cgeek Registered Member

    Joined:
    Mar 31, 2010
    Posts:
    328
    I'm no expert, but I would have to say no. You are safer running the virtual machine within Linux. Let me explain.
    First off, the malware would have to bypass the guest OS and then have to run within Linux to be able to access the partition. IMO that would be a lot of work (if possible) for the author to implement! Second, I don't even think you have write access (only read) to other partitions within Linux unless the other partition is FAT32. I use the same setup for analyzing that you are thinking about and have never had a problem.

    BTW: Good Luck in school! :thumb:

    Regards,
    Cgeek
     
  5. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Theoretically? Yes.
    Practically, near impossible.

    Let's even assume you have ntfs-3g installed so that Linux can read/write NTFS partitions. I'd recommend mounting the Windows partition automatically as READ ONLY.

    So, for malware to jump from the VM to your Windows partition, it would have to breach the VM from within XP, somehow assume kernel-level privileges, unmount the Windows partition, remount it read-write, and then write to it. It would be very very very very difficult.

    The chances of your laptop getting physically stolen are much much much much higher :D
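The read-only mount that wearetheborg recommends above, as an added example that is not part of this thread: a small POSIX shell snippet that prints the /etc/fstab entry for mounting the Windows partition read-only via ntfs-3g, and a check that parses a /proc/mounts-style table to confirm the partition actually carries the ro flag. The device path /dev/sda2, the mount point /mnt/windows and the mount-table lines are constructed sample values, not taken from anyone's system.

```shell
# Constructed sample of /proc/mounts (device, mountpoint, fstype, options, dump, pass).
# An ntfs-3g mount shows up with fstype "fuseblk" in the live table.
SAMPLE_MOUNTS='/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/sda5 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /mnt/windows fuseblk ro,nosuid,nodev,noexec,relatime,user_id=0,group_id=0,allow_other,blksize=4096 0 0
/dev/sda3 /mnt/data fuseblk rw,relatime,user_id=0,group_id=0,allow_other,blksize=4096 0 0'

# mount_opts MOUNT_TABLE MOUNTPOINT
# Prints the option string of the entry whose mountpoint matches exactly.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# is_read_only MOUNT_TABLE MOUNTPOINT
# Exit 0 if the mount carries the "ro" option, 1 if it is writable,
# 2 if the mountpoint is not present in the table at all.
is_read_only() {
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] || return 2
    # Wrap in commas so "ro" matches only as a whole option, not inside
    # something like "errors=remount-ro".
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# fstab_line DEVICE MOUNTPOINT
# Prints an /etc/fstab entry that mounts the NTFS volume read-only at boot
# with ntfs-3g. nosuid/nodev/noexec are added so nothing on the Windows
# partition can be executed from the host side; umask=0222 strips write bits.
fstab_line() {
    printf '%s %s ntfs-3g ro,nosuid,nodev,noexec,umask=0222 0 0\n' "$1" "$2"
}

# Stand-alone usage against the constructed table.
fstab_line /dev/sda2 /mnt/windows
if is_read_only "$SAMPLE_MOUNTS" /mnt/windows; then
    echo "/mnt/windows is mounted read-only"
else
    echo "/mnt/windows is NOT read-only (rc=$?)"
fi
```

On a real host the same check runs as `is_read_only "$(cat /proc/mounts)" /mnt/windows`; the point of checking the live table rather than fstab is that a remount (the step wearetheborg describes) changes /proc/mounts but not fstab.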
     
  6. katio

    katio Guest

    If you are already concerned about this level of improbable security issues, why do you not worry about Windows guest->Linux host? That's a thousand times more likely (1000 times 0 point something is still not much) and not _that_ hard to pull off.
    Or even more likely is a bug in VBox itself (I know NIC drivers, for example, are a common problem for VMware Linux offerings) that compromises the host directly or enables local privilege escalation. Still pretty low risk, and you'd need to run untrusted stuff on the host or connect to a hostile network.

    I wouldn't worry about this at all, especially with run-of-the-mill Windows malware. If your samples came from targeted attacks against high-profile targets, that would maybe be a different story. Windows running virtualised on top of a Linux server is pretty common today, so it may start making sense to explicitly target that.
     
  7. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Wait until you start college; there's a high chance you'll get a free MSDN pass that allows you to download copies of Windows 7, Virtual PC, etc.
     