Virtual Machines

Discussion in 'sandboxing & virtualization' started by ssj100, Aug 12, 2009.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

    Okay, I've discovered a problem, at least on my setup, running VB sandboxed in Sandboxie under LUA in Vista. The error is attached. No access to the virtual hard disk file (*.vdi). I can run VB sandboxed under my admin account just fine.

    What I am able to run without issue is VB within my Vista LUA/SRP account, and run my Internet facing programs within Sandboxie within VB logged in as user. I'm also running Outpost security suite on the host system. The virtualized O/S is XP Pro SP2.

    Now I don't care what theoretical malware might theoretically compromise this setup, but good luck on it happening :p IMO this is just about as paranoid a setup as one can get, short of using Linux as the host O/S. Now that would be ultra paranoid :D Really, I could step outside, get hit by lightning, an hour later get hit by a turd from a seagull flying overhead, then an hour later get hit by the entrails of a comet breaking up in Earth's atmosphere. We are likely talking about possible, theoretical vulnerabilities that are infinitesimally and ridiculously minute in this type of setup or similar ones, such as what ssj is using.
     

    Last edited by a moderator: Aug 16, 2009
  2. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Hey SSJ,

    so you've actually cleared it with Tzuk that it shouldn't be a problem to run a VM within a sandbox?
     
  3. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Would it be possible to run VirtualBox within a virtualiser like Shadow Defender? Maybe I can exclude whatever files the VM uses to store its info in. This way changes made to the VM are kept. If anything breaks out, it's gone with a reboot. If DW can be made to untrust anything that comes out of the VM, then it won't be able to gain direct disk access, which is pretty much the only way it can beat a virtualiser, at least that I know of.

    So is this possible?
     
  4. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    VMs are complex software; it would be nice to get the opinion of the creator on this issue. I'm not very knowledgeable on the technical aspects of computing, so I would rather err on the side of caution.
     
  5. wat0114

    wat0114 Guest

    I agree, since it works perfectly fine under my admin account. So now I'm left asking: is it safer to run VB sandboxed under an admin account, or is it safer to run Sandboxie within VB under a limited account, with SRP no less? I tend to feel this latter setup is probably pretty da#@ bulletproof, although the former setup, you discovered, is also bordering on Fort Knox-like security too ;)

    Anyways, I'm glad I've revisited VB; it's a great program with tons of usefulness :)
     
  6. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Alright thanks for that ssj!
     
  7. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I think MIMs are relevant to mention as long as it contributes to the security concerns of the OP.

    I only have my own experience trying to solve my own issues.
    My router has an XScale processor with 32 megs of RAM, runs Linux with BusyBox.
    I was unable to determine if it was memory-resident malware or a trojan DNS changer.
    I did not find any altered info in the router's page.

    After overcoming a rootkit infection that involved conficker last year and safesys more recently, I went LiveCD and removed the HDD. I was still being redirected. That only leaves the router. After verifying the redirections, I reset the router and changed the IP address, 3x.

    I believe conficker and safesys began spreading from bittorrent and similar shares.

    How do you think a VM would have helped?
    It wouldn't once the router was affected. All my Iway traffic is now dibs for hackerX.

    If you are infected,
    That is if a rootkit infection hasn't installed a bast*rd version of Alcohol 120 as a hidden device so any CDs you make also get infected with something that creates a partition/OS on HDD.
    I tried to install a *BSD and it created a 2.5 MB partition on that install as well. That's why I pulled the HDD for now.

    VMs are useful, but a man's got to know his limitations.
     
  8. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    1) Do all routers come with their own OS? And how can malware configured to infect windows infect Linux?

    2) Even if it creates a partition/OS on HDD, it will be the Live OS which runs and not the OS on the HDD or the OS created by the malware? So your session will still be safe. And how does malware create its own OS anyway?
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Guys and gals

    This thread has been wandering all over the countryside. It is about Virtual Machines, not Live CDs. Let's try and stay on topic.

    Thanks,

    Pete
     
  10. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Hi Pete sorry for going OT, but would it be possible for you or one of the other mods to separate the posts on Live CDs and the posts on router infections into separate threads? Thanks.
     
  11. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    From post #1

    MIMs don't care what security you use. They can sift all of your incoming and outgoing traffic. Attach malicious code to your incoming download of xyz.exe.

    Usage of VM in this way creates a false sense of security and potential for exploit is greater. If an exploit runs in a session in which you make a CD, that CD may be compromised creating the potential to contaminate the host if used.

    The only way to improve security for yourself is to be vigilant. Know the limitations of the security methods and tools you use. Ask yourself how the configuration is weak.
    Are VMs susceptible to direct hardware access?
    Is my router protected by a VM on my computer?
    What about malware that jumps address space in memory and survives reboot, how does a VM protect me?

    @pete

    I wasn't trying to go off topic, but trying to provide real examples of how a VM system can be compromised. You are only as strong as your weakest link. Harden a computer to attack and you leave peripheral devices open to assault, making MIMs possible.
     
  12. wat0114

    wat0114 Guest

    Don't let fear mongering posts scare you away from online banking, ssj. If your bank is worth its salt, like mine is, you will probably find on their website the approach they take to securing your ssl connection is done so in a serious and professional manner. Heck, mine even guarantees 100% reimbursement for unauthorized online transactions. Of course there are requirements from the customer as well such as signing out after finishing, keeping passwords confidential, and contacting them immediately if something happens. This is all common sense stuff anyways.

    Getting back OT, I can't possibly imagine running virtualization your way, my way, or various other ways such as within a Linux distro can be considered a weak defense against online vulnerabilities. Sure, there is recent info on router exploits, and how your VB will not save you from this, but my goodness, these are extremely far from widespread attacks. Besides, we are talking about a security platform (well okay, more specifically Virtual Machines) on the computer in this thread - not an external appliance such as the router.
     
  13. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    What's an example of a memory-hopping malware that survives reboot?
     
  14. Athletic

    Athletic Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    93
    I also have a virtual machine, and I notice that my C: partition on my host is often fragmented, with a lot of fragments, and all of them can't be defragmented from the host.... I'm not working a lot in my virtual machine.

    - I have also defragmented in the guest, with the Windows defragmenter and with the VMware defragmentation tool... o_O
     
  15. Athletic

    Athletic Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    93
    Host - XP sp2
    Guest - XP sp2
     
  16. wat0114

    wat0114 Guest

    Just a tip, because I didn't notice it mentioned in this thread: be sure to install the Guest Additions, as it will make the VBox experience considerably better with improved graphics, seamless mouse integration and, at least in my case, afford the capability of accessing shared folders (this latter function didn't work for me until after I installed the additions).

    Also, there are some pretty good VBox tutorials here.
     
  17. Athletic

    Athletic Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    93
    VMware... and a second thing: the files in the "My Virtual Machines" folder (on the host) get bigger and bigger; every time I turn ON the virtual machine (and do some normal surfing) and then turn it OFF again, the file in this folder is about 200 MB bigger...
     
  18. Athletic

    Athletic Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    93
    O.K., I can't find that in VMware; maybe it is an option during the installation of the virtual machine. No problem... I found a simple solution: just revert to the snapshot (backup), and all is almost clear and small...
     