Virtual Machines

Discussion in 'sandboxing & virtualization' started by ssj100, Aug 12, 2009.

Thread Status:
Not open for further replies.
  1. ssj100

    ssj100 Guest

    To be honest, I (probably like many here) am fairly new to virtual machines (VMs). Apologies to those who are expert or experienced with VMs, as they will most likely find this post boring haha.

    I had been hearing of virtual machines for a long time, and the idea sounded great to me, but I have always been too lazy to give it a try. I wish I had tried it earlier! I guess I have to thank Wilders user "demoneye" for giving me the push this time haha.

    After playing around with VirtualBox (a type of virtual machine and completely open-source), I have been incredibly impressed. In fact, I haven't been so impressed by a piece of software since I started using Sandboxie.

    Virtual machines (like VirtualBox) can definitely be used as a type of security application. For example, firing up a fresh Windows XP each time (and perhaps using eg. Sandboxie within the VM etc) might possibly be one of the safest ways to do online banking and other sensitive internet browsing.

    I'd always thought that Virtual Machines had issues with usability and convenience. However, with my experiences of VirtualBox, I find I can open up the VirtualBox console and load up a clean Windows XP snapshot good to go within 15-20 seconds. In my opinion, that is very impressive.

    Then there is the complete freedom to test and do whatever the heck you want within the VM. Personally, I don't even bother doing windows updates etc for my Windows XP VM, as I don't use it for anything but testing software and malware. Once I dirty the heck out of Windows XP (within the VM), a few simple clicks and I've loaded up the clean, original snapshot I started out with.

    Anyway, I'm just wondering what sort of experiences people on Wilders have had with regards to VMs. What VM do you guys normally use? Who here actually uses a VM in order to gain more security when doing eg. online banking etc, and thus use a VM as a type of anti-malware software? Perhaps some of you have a Linux VM, and fire that up to do almost everything (since Linux is inherently more secure than Windows), but still use eg. Windows XP/Vista for gaming (since Windows is generally more compatible with PC games) etc?
     
  2. apathy

    apathy Registered Member

    Joined:
    Dec 10, 2004
    Posts:
    461
    Location:
    9th Circle of Hell(Florida)
    Virtual programs like VMware/Virtualbox are really great for testing out programs or installs. You can set up snapshots so that if you mess something up you can go back to your base install. There are some programs that can take ShadowProtect/Acronis images and convert them to VMware-compatible OSes. I would love to see a feature like booting into a snapshot independent of the operating system that I was set up on.

    I've run backups and restores within Virtualbox/VMware with ShadowProtect, it is very easy but you need a good amount of space.

    You mentioned Linux and you could do an Ubuntu setup via Wubi in Windows which would work very well too for security purposes.
     
    Last edited: Aug 12, 2009
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I purchased vmWare Workstation. I use it all the time. I do banking sometimes, or anytime I desire a known clean environment. But more often I use it as my sandbox. I have multiple boxes, and multiple snapshots on each box.

    The way I normally use it is something like this.
    Install OS, but take a snapshot after text mode. Another snapshot after GUI install before first login. Another after first login. Now I can go back and test about everything, with a snapshot navigating between them easily.

    Then I clone this image, or maybe make a full install. XP Pro, Home, Vista, 7, *nix sometimes. Each I take snapshots of in layers, so that I have a basic install, tweaked, one with firewall or no, one with ProcessGuard or other, one with InstallRite ready to take its own snapshot of system changes after an install. Some I use for things like QuickBooks, where it is heavily guarded, others for things like Electronic Workbench or various tools or states of projects. Some are servers or trying things out.

    Most often when I simply test a quick program I start it in SBIE, as it is convenient. If the program is heavier, like a firewall or AV or something, it starts in a VM box because I don't have to worry about reboots or system-heavy things.

    I take snapshots all the time, sometimes deleting them after I am done with a project, sometimes keeping them as new baselines.

    I guess the point for me is that I can start multiple vm boxes up, network between them and basically test almost anything with the exception of graphic intensive things. I think the newer versions have more capabilities in that realm, but I don't think I will shell out any $$ just for that.

    Sul.
     
  4. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Can VB or VM utilize more than one core of the CPU now?
     
  5. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    I know VMware Workstation does as I'm using it!

    TH
     

  6. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Thanks Triple Helix.
    Can you bring up Task Manager within the VM and check from there as well?
     
  7. wat0114

    wat0114 Guest

    I tried VB and was quite impressed but I see no purpose for it, personally, other than for testing, as others have mentioned. I can't exactly remember the documentation, but it is even more useful if your hardware (hardware virtualization??) supports it. Mine does not, although I was still able to use VB inside Vista 32-bit, but I could not get the window full screen for my virtual environment (maybe my screw-up) so that bugged me too. On another note regarding testing, I can always and easily restore an image if something goes wrong. Remember, too, that the virtual system needs some RAM and hard disk space to function, so that imposes some limitations as well.
     
  8. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,123
    Location:
    USA
    Regarding using a VM for security, keep in mind that while the Host OS is protected (from activity inside the VM) the VM needs its own security applications. Using a fresh VM for online banking eliminates the possibility of a resident keylogger, etc., but you would still want to harden it with AV, AS, firewall and anything else you would normally use in the Host OS. Internet-facing apps in a VM are no less vulnerable to attack.
     
  9. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    these two things can be deadly together and i'm glad you specified that you only do this for playing with malware.

    i'm with you on not applying updates to virtual machines, it causes the virtual hard disk to bloat (significantly - i see a 200+% increase in size when i apply all the updates), with no good reason considering the entire point is to have an environment where a compromise has no consequence. why apply patches when there are supposed to be no consequences.

    however, online banking and other similar sensitive activities should be done on a box that you can keep clean (specifically it should be clean at the start and still clean at the end). it's all well and good to be able to get rid of malware quickly and easily but since an unhardened windows box can be owned in a matter of minutes after going online, you might not be finished with your bank transactions before the box is owned again - and then there goes your bank account.
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I don't know. I have a vmWare box that I know is clean, and when I do banking etc with it, I only go to my bank. If I do this, even without protection (considering I am behind a router) I surely hope what you say is not so, or that means my banks website is compromised, in which case it would not matter what I was running.

    I see your point if you plan on going anywhere or doing anything other than banking. But that is the nice part of vmWare boxes and banking, your system can be squeaky clean when you start, you do your banking only, you get off, restore to snapshot state. Back to squeaky clean, then go surf other places if you feel the need to.

    Besides, I feel that adage that 'you will be owned in minutes without protection' is not accurate. It should be stated something like 'an unpatched unprotected machine, on a live WAN or opening emails or surfing many websites could easily become compromised'. That seems like reality to me. Based on years of using machines that are not patched and have little to no protection other than a router. Of course the argument exists that if you aren't protected, how do you KNOW you aren't compromised. The answer is simple, you just have to know what's under the hood of your machine to notice anything that is not normal. Process Explorer or other native means is enough to tell if you know what you are doing, excluding memory tampering or DLL injection.

    But then, that is why I personally like to use vm boxes, because I know they are always clean.

    Sul.
     
  11. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    the router affords you some extra protection, but only from things on the WAN side. if you have a compromised machine somewhere else on your LAN (even if it's just a different VM, maybe the one you use for playing with malware) it may then compromise your online banking box if that box isn't properly hardened.

    if you can't keep the box clean throughout the lifetime of the session then the box isn't appropriate for use in sensitive activities like online banking.

    it's not an adage, it's a measurement. at one point it was measured to be 4 minutes. it is an average, however, and it changes according to the threat landscape.

    an unpatched machine (if you don't patch your VMs then they count) connected directly to the internet (ie. no router) can be owned in minutes. that's the metric. if you have a router but you also allow machines to be compromised (because it's easier to just restore them later) that would nullify the benefits of your router with respect to this metric because the compromised machine would be within your network with nothing between it and other unpatched (virtual) boxes.

    {snip}
    except that's false. what you really know is that they start clean. they aren't always clean unless you can keep them clean (as opposed to cleaning them easily), which means protecting them as well as you would a physical machine.

    {edited to remove inappropriate usages of "you"}
     
    Last edited: Aug 13, 2009
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Good points, however you assume that certain threats will not be mitigated. It is fair to say that perhaps an average user would fall under such criteria as you state.

    I think that those who are anal, like myself, would tend to fare much better. I personally disallow local traffic on my vmWare box, as well as my main OS. I have heavily tweaked systems in my house for the family, so were they to be compromised (which I highly doubt), still there is no LAN traffic allowed.

    This leads us to the possibility of an exploit for LAN attacks that a patch would have mitigated, true enough.

    As for clean states, how do you think one were to become 'unclean' if what they do is start from a known clean snapshot (and I mean clean, as in not possible because it is a fresh install (a snapshot) and during install the NIC was disabled) and then go directly to their bank website.

    I don't dismiss that attacks can happen, but it would seem there would have to be a 'man in the middle' if you do as I do, which is only do one thing with that vmBox, and that is go directly to the bank. Or like I said, the bank website could be compromised.

    Not displaying attitude, but really just curious as to what you think might be able to compromise the vm in such a situation. Do you refer to the host somehow being compromised and picking up keystrokes or packets?

    Sul.
     
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Rmus is probably the one who knows. I have read about them, and I have no doubt there are POC that make vm possible of compromise. Personally, until it becomes a real threat that is not just POC or very very sparse, I don't know what to worry about. It is the same with SBIE and Shadow programs. If something breaks those down, or better to say 'when', I am unsure I want to continue with even attempting to secure my computer. I don't know what alternatives there would be, but certainly if you can't count on virtualizing/sandboxing anymore, the gates are apparently wide open. That is, short of full blown hips where anything and everything is scrutinized. And other than testing, I have no desire to go back to 'popup' land with those types of programs.

    Sul.
     
  14. wat0114

    wat0114 Guest

    Good counter point :) Something else I wanted to say with regards to testing in VM is that I honestly in most testing scenarios can not feel confident the test program is going to behave exactly as it would in a real test environment. For example, I have seen many posts over the years where people complain their firewall doesn't work completely as expected in their VM, whereas no problems exist in the real environment. If I'm testing in a real environment, I know for certain the program is not subject to possible side effects introduced by running in a VM environment.

    This is another good point, but I have always tested a new O/S as a dual-boot option alongside my existing, production O/S (XP or Vista); I've employed this method when testing several Linux distros and Win 7, although I will admit the VM route is probably better because you can test several (two or more, depending on memory & disk space) at once.

    I will have to set aside some time later this year and get back to playing with VM, maybe virtualbox, as I'm still intrigued by it and would like to learn and discover more about it.

    BTW ssj, you should trademark your haha's: haha™ :D
     
    Last edited by a moderator: Aug 13, 2009
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I guess I don't know about all the paranoia regarding the internet and online banking. I have always looked at it as potentially insecure, so I take steps to stay safe.

    I don't personally see how a fresh install of any OS, when run behind a router with Opera as the browser is going to cause problems if all you do is get online, go directly to your bank website, login, do your bizness and leave. All the more when you have a vmWare box that is essentially either snapshot or the drive is independent-nonpersistent. There is no way it is compromised, there is no way that incoming threats get through a NAT router, if you allow no LAN, there is no way another computer locally can affect you. If you only have one computer it is void anyway regarding LAN attacks.

    I just don't see where the exploit is in these circumstances. I would never consider doing banking after browsing to many websites, or opening mail or anything else that exposes you to uncontrollable circumstances.

    As for VMs and firewalls etc, I have played with probably every firewall you can download over the years, many of them you really have to dig around to even locate. Firewalls or any networking of any kind has always been very on the level for me. A little learning about how the host and VM work together goes a long way to understanding how the networking goes about its business. Personally my VMs are separate machines on the network.

    The only exploit I would ever worry about would be something on the host OS hooking and sniffing the keystrokes and virtual NIC. I would imagine it possible to sniff both, find keystrokes and packet headers, and piece the two together.

    It all comes down to just how much you want to take control of your own computer. I personally spent years rummaging around the OS to find out how and why. So maybe that is why I am not overly concerned.

    My family and friends, that is a different story all-together.

    Sul.
     
  16. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    sully - no real need to quote here, just to say that if (as you seem to suggest) you set up your banking machine to not accept connections from within the LAN and/or the boxes you allow to get dirty have no network access then it sounds like the chances of your banking machine getting owned from behind a router and only visiting the bank are vanishingly small.

    only things you'd likely need to worry about are pharming attacks succeeding in changing the DNS of your router from a dirty box, 3rd party content on your bank's website, gateway spoofing from a dirty box - oh, and of course a compromise of the VM's host (because the protection virtual machines offer is one way only, you can't protect a guest from the host, you can only protect the host from a guest).
     
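As an added example (not part of the thread), the checklist kwismer and Sully arrive at above can be turned into a small audit: a "dirty" guest that is allowed to get owned must have no path to the LAN or router, and a "clean" banking guest should have no two-way channels to the host. The script below reads the key="value" output of `VBoxManage showvminfo <vm> --machinereadable`; the sample output is constructed, and the key names (`nic1`, `clipboard`, `draganddrop`, `SharedFolder*MachineMapping*`) are assumed to match that format.

```python
"""Audit VirtualBox guest settings against a 'dirty' or 'clean' role.

Feed it the output of:  VBoxManage showvminfo <vm> --machinereadable
The two samples below are constructed for this example."""
import re

# Constructed sample: a malware-testing box that is bridged onto the LAN
# and shares a clipboard and a host folder (all things a dirty box should not do).
SAMPLE_DIRTY = '''name="XP-malware"
nic1="bridged"
bridgeadapter1="eth0"
nic2="none"
clipboard="bidirectional"
draganddrop="disabled"
SharedFolderNameMachineMapping1="downloads"
SharedFolderPathMachineMapping1="/home/user/Downloads"
'''

# Constructed sample: a banking box, NAT only, no host<->guest channels.
SAMPLE_CLEAN = '''name="XP-banking"
nic1="nat"
nic2="none"
clipboard="disabled"
draganddrop="disabled"
'''

KV = re.compile(r'^([A-Za-z0-9_]+)="(.*)"$')


def parse_vminfo(text):
    """Return a dict of the key="value" lines; anything else is ignored."""
    info = {}
    for line in text.splitlines():
        m = KV.match(line.strip())
        if m:
            info[m.group(1)] = m.group(2)
    return info


def audit(text, role):
    """role is 'dirty' (may be compromised) or 'clean' (banking only).
    Returns a list of findings; an empty list means the settings fit the role."""
    info = parse_vminfo(text)
    findings = []
    active = {k: v for k, v in info.items()
              if re.fullmatch(r'nic\d+', k) and v != 'none'}
    if role == 'dirty':
        # Bridged puts the guest on the LAN; NAT still routes through the host,
        # so the router admin page and LAN peers remain reachable.
        for k, v in active.items():
            if v in ('bridged', 'nat', 'natnetwork'):
                findings.append(f'{k}={v}: dirty guest can reach the LAN/router')
    elif role == 'clean':
        # Anything other than a single NAT adapter exposes the guest to LAN peers.
        for k, v in active.items():
            if v != 'nat':
                findings.append(f'{k}={v}: banking guest exposed to LAN peers')
        if len(active) > 1:
            findings.append('more than one active NIC on the banking guest')
    else:
        raise ValueError(f'unknown role {role!r}')
    # Host<->guest channels cut both ways; both roles should keep them closed.
    if info.get('clipboard', 'disabled') != 'disabled':
        findings.append(f"clipboard={info['clipboard']}: shared clipboard open")
    if info.get('draganddrop', 'disabled') != 'disabled':
        findings.append(f"draganddrop={info['draganddrop']}: drag and drop open")
    for k in info:
        if k.startswith('SharedFolderNameMachineMapping'):
            idx = k[len('SharedFolderNameMachineMapping'):]
            path = info.get('SharedFolderPathMachineMapping' + idx, '?')
            findings.append(f'shared folder {info[k]} -> {path}: host filesystem exposed')
    return findings


if __name__ == '__main__':
    for name, text, role in (('dirty', SAMPLE_DIRTY, 'dirty'), ('clean', SAMPLE_CLEAN, 'clean')):
        print(name, audit(text, role) or ['ok'])
```

Against a real guest, replace the sample with `subprocess.run(["VBoxManage", "showvminfo", vm, "--machinereadable"], capture_output=True, text=True).stdout`.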
  17. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    If I remember correctly, that measurement was based on the rather "interesting" assumption that the system is completely without firewall protection. Then, these unpatched systems would get owned by stuff like Blaster, without the user ever having to actually do anything like browse some site. Quite honestly, I think that measurement is a little 2003.
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  19. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    correct - and while that may seem like an "interesting" assumption to you, it was precisely how the vast majority of people were operating and how quite a few still are operating.

    correct again.

    old viruses never die ( http://anti-virus-rants.blogspot.com/2006/12/old-viruses-never-die.html ). you don't hear about things like blaster anymore because they're nowhere close to new and our society (and thus by extension our media) is novelty obsessed. that doesn't mean it isn't still out there. the same holds true for the infection vector worms like blaster used - you don't hear about it much anymore, but that doesn't mean it isn't still getting used (malware authors love to just add in functionality, even for exploiting old vulnerabilities, because you never know when you're going to encounter a poorly patched system), only that it's not interesting to talk about anymore.

    at any given moment there are still completely unprotected systems being hooked up to the internet, so these 'old threats' are still able to keep going.
     
  20. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Yes, how the vast majority were operating in 2003. But since then the situation has somewhat improved, and now many more users are running behind firewalls and are no longer as vulnerable to attacks like these. Some people, of course, are just as vulnerable as ever, but I think users in a security forum like this may not fall into that group of folks who happily run without any firewalls on unpatched, unprotected systems with all kinds of exploitable stuff open and accessible from the whole net. So, while old viruses may never die, they really shouldn't worry anyone who has any idea of what they're doing. :D

    VirtualBox has had privilege escalation and denial of service vulnerabilities at the least, but I don't remember seeing others. But then, it's likely that any complex software has serious vulnerabilities just waiting to be found. And sometimes, of course, some people find them and don't tell others about them, instead thinking up "better" uses for their discoveries. That goes for VirtualBox, and it goes for any Security Software X that one might use.

    As for any security on the host OS, whether that matters depends on what the vulnerability in the virtualization software is like. If the vulnerability lets you break out of the virtual machine and execute code in the host OS in kernel mode, then I don't see any security on the host helping much.

    As said, it's a world of uncertainty. But when most people are running as admin protected only by an AV if even that, rest assured that exploits against vulnerabilities in virtualization software aren't waiting for you around every corner of the web. :D
     
    Last edited: Aug 14, 2009
  21. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Excellent post.
    I think that there's a tendency to forget at times that a VM is just a piece of software at the end of the day, that means like every other program it's subject to coding errors and vulnerabilities. Regarding the internet banking, to remove any possibility of conducting sensitive transactions whilst banking a live CD is the only 100% secure solution (barring of course a compromised bank site). But if that was the case a full refund would be a simple matter anyway.
     
  22. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    So how exactly does one use a Live CD? Any explanations? Do all OSes support this?
     
  23. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Unfortunately even live CDs aren't quite 100 %. Live CDs are just operating systems like any other, except they're loaded from read-only media (an optical disc) which means the media itself cannot be infected after the clean (I hope!) OS is written on it. Now if the OS on the live CD happens to have some vulnerability, or contain some software that has a vulnerability, it's entirely possible that such vulnerabilities can be exploited once the OS is running. Then, you could run malicious code in memory, or a RAM disk, or even write it to a hard drive that is present in the system, if the drive can be mounted and allows write access. I haven't heard of an attack like this ever happening, but it's possible. Or if it isn't, I must be missing something due to too little sleep, too much security forums. :D

    It could happen like this: 1) You boot a live CD. Unfortunately the OS on the disc has an unknown remotely exploitable vulnerability in some open network service that allows the bad guy to just send some stuff to the open service and it then gets malicious code executed. The OS has no firewall running to prevent this. 2) Malicious code starts running in memory, maybe also writes itself to the RAM disk, and any hard drives that allow it. Malicious code has now infected the OS, and could, for example, possibly send your online banking credentials to the bad guy when you log into the bank's site with the browser. 3) You shut down the OS, at which point the malicious code dies, also, but you might get infected the same way in the future.

    All that could also happen through a browser vulnerability. You browse some exploit site, get the running live CD system infected, and then go to the banking site, and... This would require, though, that whoever is behind the attack considers the possibility that their target may be using a live CD instead of booting from a hard drive like most people.

    But how likely is this? Very unlikely.
     
  24. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Wow and I thought I was paranoid :D
    To be fair there are hardened live distros which should mitigate these unlikely scenarios, but close to 100% is as good as it gets.
     
  25. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Well, I wouldn't say I was paranoid, as in worried about something like that happening. I just accept it could happen, in a really unlikely and nasty scenario I'm likely to never personally witness.

    Hardening is a good goal, but it's well nigh impossible to harden something so completely it just can't have any exploitable vulnerabilities at all. Hard to get to the full 100 %, but then, "close enough" is "good enough" for most anyone, including me. :D

    This is something Google might be very helpful with. But you could use a live CD in any system that has a proper optical disc drive and allows booting from said drive. The latter is a matter of BIOS boot device settings, and really doesn't depend on what OS is installed. :)
     