VMware and the SafeSys Worm...a question.

Discussion in 'malware problems & news' started by Lebowsky, Jul 28, 2009.

Thread Status:
Not open for further replies.
  1. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    Hi all, I have heard about VMware and I understand that it basically allows you to install multiple operating systems and platforms on a single PC and move back and forth easily between them.

    Well, what happens when I'm running in such a virtual machine OS, if I get a virus?
    Will it be deleted when i log off, and not compromise my whole PC?

    And how about this SafeSys worm, do you think it will still be able to get into the kernel drivers to insert its code, while I execute the worm in VMware?
     
  2. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    I have also heard that there is this ability to create "a snapshot or “picture” of your virtual machine, the memory, settings, and virtual disk are captured and frozen in time at that specific moment. At any time, you can revert back to that original configuration, losing all changes you made since that snapshot was taken."
    http://blogs.techrepublic.com.com/virtualization-coach/?p=143

    So does this mean that the virus can be defeated this way,
    by simply reverting to a previous snapshot?
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Generally yes. I test malware in a VMware machine, and once I've screwed it up, I revert to a snapshot. Neat thing is, even if malware destroys your disk, reverting to a snapshot brings everything back.

    Pete
     
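The snapshot-and-revert workflow from the two posts above, written out as an added example (this is not code from the thread or from VMware). It drives `vmrun`, the command-line tool that ships with VMware Workstation; the sub-commands `snapshot`, `revertToSnapshot`, `listSnapshots`, `start` and `stop` are the tool's own, while the wrapper function names, the `clean` snapshot name and the `.vmx` path are assumptions for illustration. The point worth seeing is that every step is issued from the host, never from inside the guest, which is why the rollback still works when the sample has wrecked the guest disk.

```python
"""Snapshot / detonate / revert cycle for a VMware Workstation guest.

Added example, not from the thread: wraps the `vmrun` tool that ships with
VMware Workstation. Sub-command names are vmrun's own; the helper names,
the snapshot label and the .vmx path are assumed for illustration.
"""
import subprocess
from typing import List

# "-T ws" selects the Workstation host type.
VMRUN = ["vmrun", "-T", "ws"]


def snapshot_cmd(vmx: str, name: str) -> List[str]:
    """Freeze the guest's disk and settings (and RAM, if powered on) under `name`."""
    return VMRUN + ["snapshot", vmx, name]


def revert_cmd(vmx: str, name: str) -> List[str]:
    """Discard every change made since snapshot `name` was taken."""
    return VMRUN + ["revertToSnapshot", vmx, name]


def list_snapshots_cmd(vmx: str) -> List[str]:
    return VMRUN + ["listSnapshots", vmx]


def start_cmd(vmx: str, gui: bool = True) -> List[str]:
    return VMRUN + ["start", vmx, "gui" if gui else "nogui"]


def stop_cmd(vmx: str) -> List[str]:
    """Hard power-off: the sample may have hung the guest, so don't ask nicely."""
    return VMRUN + ["stop", vmx, "hard"]


def run(cmd: List[str], dry_run: bool) -> str:
    """Execute one vmrun command, or just return the command line in dry-run mode."""
    if dry_run:
        return " ".join(cmd)
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def detonation_cycle(vmx: str, snapshot: str = "clean", dry_run: bool = True) -> List[str]:
    """Baseline snapshot -> (analyst runs the sample) -> hard stop -> revert -> start.

    Returns the commands issued, in order, so the sequence can be audited.
    Use dry_run=False only on a host that actually has VMware Workstation.
    """
    steps = [
        snapshot_cmd(vmx, snapshot),  # 1. known-good state before the sample runs
        # 2. ... the analyst executes the sample inside the guest here ...
        stop_cmd(vmx),                # 3. power off regardless of what the sample did
        revert_cmd(vmx, snapshot),    # 4. host-side rollback of disk, memory and settings
        start_cmd(vmx),               # 5. resume the clean state for the next sample
    ]
    return [run(step, dry_run) for step in steps]


if __name__ == "__main__":
    # Assumed path; dry run prints the commands instead of touching a VM.
    for line in detonation_cycle(r"C:\VMs\analysis\analysis.vmx"):
        print(line)
```

One caveat the thread only touches on: reverting resets the guest and nothing else. If a sample reached the host through some other path (a shared folder, the network, or a hypervisor bug), the snapshot does not undo that.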
  4. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    And has ANY virus been able to bypass that in your experience, or do you know of any that has?

    Also, another thing that I have read is that apparently the new viruses know if they are operating in a virtual machine, and so they keep the payload dormant....to be released if access is possible outside of the VM environment...

    Edit: I'm talking about VMware Workstation 6.5.2.
     
    Last edited: Jul 29, 2009
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    From what you read, was it revealed how the new virus got onto the computer in the first place?

    thanks,

    ----
    rich
     
  6. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    You download an application.
    You don't want to pay for the software.
    You then proceed to download the 'crack' or 'patch' released by a software cracking group.
    You think you are safe in a guest VMware OS, so you first try the software+patch to see if it works, and no funny business.
    Everything appears fine, so you decide to install the application+patch in your host OS.
    Bam, the rootkit inside the patch is now activated once it sees that it's on the host OS.
     
  7. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Lebowsky,

    regarding the SafeSys worm, have you seen this thread? Look at the links in the first post (especially the second one).

    There are many rumors out there, which doesn't mean they are founded. Where did you hear of this "chain of events"? A link perhaps? IMHO, without some proof (or at least PoC) this is nothing more than a boogeyman story.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047

    So far nothing I've played with has refused to run or escaped the VM machines.

    As to the scenario you've outlined, if some one uses cracks to avoid paying for software, they are stealing, and I wish the worst that can happen upon them. They need the lesson.

    Pete
     
    Last edited: Jul 29, 2009
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    That's what I thought, but just wanted to be sure.

    thanks,

    rich
     
  10. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    I am inclined to agree with you, it just might be a rumor, or the poster may just be bragging. I remember reading something like the rootkit first detects if VMware is running in startup (or?) Task Manager, and if the process is detected, nothing happens, it aborts releasing the payload, and sits dormant.
    I think the poster may just be kidding, or not.
    I stumbled upon these comments in a blog or a forum, I don't remember which as it's been a couple of weeks...you know how it goes, one link leads to another....

    You are welcome, rich. But like I said, it may or may not be based in fact.

    Glad to hear that.
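The check Lebowsky describes in posts 4 and 10 (look at the running processes, stay dormant if VMware shows up) is real as a technique, and the same check is what an analyst runs against their own sandbox to see how obvious it is. Below is an added example of that check, not code from the thread or from any actual sample: it parses the output of the Windows `tasklist` command (a constructed sample is embedded) and looks for VMware Tools processes. The function names and the indicator list are my own; the process names themselves are VMware Tools component names. Process names are only one class of VM artifact, so a clean result here does not mean the guest is undetectable.

```python
"""Process-name check for a VMware guest, the kind of test the post describes.

Added example, not code from the thread or from any real sample. Parses
Windows `tasklist` output and reports VMware Tools processes. Indicator list
and function names are my own; the process names are VMware Tools components.
"""
from typing import Dict, List, Set

# VMware Tools processes that run inside a guest. Their presence says
# "VM with Tools installed"; their absence proves nothing by itself.
VMWARE_GUEST_PROCESSES: Set[str] = {
    "vmtoolsd.exe",    # VMware Tools service
    "vmwaretray.exe",  # Tools tray icon (older Workstation versions)
    "vmwareuser.exe",  # Tools user-session helper (older Workstation versions)
    "vmacthlp.exe",    # VMware activation helper
}

# Constructed `tasklist` output, as a Windows XP/7-era guest would print it.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
smss.exe                       536 Console                    0        388 K
csrss.exe                      600 Console                    0      3,884 K
winlogon.exe                   624 Console                    0      2,212 K
services.exe                   668 Console                    0      3,396 K
vmacthlp.exe                   836 Console                    0      2,544 K
svchost.exe                    852 Console                    0      4,820 K
vmtoolsd.exe                  1420 Console                    0      9,316 K
explorer.exe                  1576 Console                    0     18,044 K
VMwareTray.exe                1688 Console                    0      4,020 K
VMwareUser.exe                1696 Console                    0      6,452 K
taskmgr.exe                   1744 Console                    0      4,912 K
"""


def parse_tasklist(text: str) -> List[str]:
    """Return lower-cased image names from `tasklist` output, skipping the header."""
    names: List[str] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        # The image name may contain spaces ("System Idle Process"). The PID is
        # the first purely numeric field, so everything before it is the name.
        fields = line.split()
        pid_index = next(i for i, field in enumerate(fields) if field.isdigit())
        names.append(" ".join(fields[:pid_index]).lower())
    return names


def vmware_indicators(process_names: List[str]) -> Set[str]:
    """Indicator processes present in the list (comparison is case-insensitive)."""
    return {name for name in process_names if name.lower() in VMWARE_GUEST_PROCESSES}


def looks_like_vmware_guest(process_names: List[str]) -> bool:
    """What a dormant-in-VM payload would branch on."""
    return bool(vmware_indicators(process_names))


def audit_sandbox(tasklist_text: str) -> Dict[str, object]:
    """Analyst view: what would a process-name check see in this guest?"""
    names = parse_tasklist(tasklist_text)
    hits = vmware_indicators(names)
    return {"process_count": len(names), "indicators": sorted(hits), "detected": bool(hits)}


if __name__ == "__main__":
    # On a real guest: subprocess.run(["tasklist"], capture_output=True, text=True).stdout
    print(audit_sandbox(SAMPLE_TASKLIST))
```

If `audit_sandbox` reports hits on your analysis VM, the usual response is to uninstall VMware Tools (or not install it at all) on the detonation guest and accept the loss of convenience features, then re-run the check.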
     