Vmware Question?

I've been using Vmware for the past 2 years for beta testing, but I've done very little malware testing. I have the concern that the guest OS will allow cross contamination of the host OS. What are the chances of this happening? Are there steps that need to be taken to prevent this? Do I need to adjusting any settings of VMware to prevent cross contamination? I'm using the latest version of VMware Workstation. I use Shadow User on XP Pro 32 bit for beta testing because it allows saving changes to the shadow after reboot, but I can't use Shadow User on W7. I'm using W7 64 bit as the host OS.

 

Really next to nil, so really it could happen - you can do anything with enough motivation, time, money - but more likely a bug, PoC or documented vulnerability (the three may seem the same but are inherently different) would be fixed without it ever harming you. Also in the first place the problem needs to be successfully exploited to do any harm.

Personally I don't worry about it but then I do 'work' on a different machine and make backups. I'm not sure with latest version and 7 but can you run vmware with reduced privileges? Is there a free shadow app for Windows7?

 

In my reading I found hypervisors were vulnerable to attacks but much of the info is pre 2008 and most is PoC.
Several companies have developed hypervisor protections, IBM - sHype, Hypersafe (Researchers at NCSU).
sHype
"With secure booting, preventing VMMs from being subverted." Jiang NCSU

There must be enough concern for development of these protections.

Would be nice to find out if the virtualization products include these hardened hypervisor protections, if just for peace of mind.

If malware were breaking through VMMs I'm sure the thread would be bigger than stuxnet.

I think the router or modem is more vulnerable which both Host and Guest use to access the internet.

 

As far as I know it's not possible to damage host OS by anything you do on guest OS. That means viruses can only damage guest OS but it won't spread on host OS.

The's only one possiblity to infect host OS and that is by using shared folders.

 

The best way to prevent cross contamination is to dual boot windows with linux and install and run vmware on your favorite distros like Ubuntu or LinuxMint for example. That's it. I've done it myself and I have never experienced any cross contamination.

Thanks.

 

That sounds like a good ideal. If I can install VMware on Linux then I could use Linux as the host OS, and run Windows as the guest. I can't imagine any possibility of cross contamination then. Thanks for the info!

 

I've never tried to run VMware with reduce privileges. I'm the administrator account on the machine so as long as Windows allows it I can. Have you ran WMware with a LUA before?

I've never used Windows Virtual PC, but it says its W7 compatible, and I do believe its free if i'm not mistaken. I'm not really sure why i have never tried it before. I'm downloading it now.

 

In reply to your question, there are 2 main ways even a VM can contaminate a real system.:

1- Shared folders, even if set to read only. There are some vulns tht render this ineffective. To be totally safe its best to not allow folder sharing unless you're positve that your working environement is absolutely clean.

2- Network Access. The virus in the VM will view the host as a computer connected to a network and infect it accordingly if its a worm (if vm is not firewalled). You might think that having a firewall installed on the host will cut it, however this is not true. Sometimes some firewall would allow traffic that is from the same IP to the same IP as the vm program is installed on the host. If your playing with malware that can bypass ring 0 protection like firewalls its end game. Maintaining protection on both the host and guest can be extremely cumbersome and not worth it. So its best if you run a vm with no netowrk access.

 

I normally don't allow shared folders on the same drive the VM or OS is located on, but I do normally add an external drive so that I have easy access to software for beta testing.

So there is potential for cross contamination by allowing the Vm access to the network. I was very concerned about that. I have been allowing network access to the VM when beta testing, but I have never allowed access when testing malware.

 

Serapis, I should have added to my last post that I prefer to change the directory of the VM to an external Drive, and run the VM from the external drive so that I save space when backing up my OS drive. I have never ran malware samples in this manner, but I would prefer to do so in order to save space when backing up my OS. This could add an entire new element to the issue of cross contamination. I guess i should just use a separate drive just for testing samples.

 

I've tried VMware Player, VirtualBox, Virtual PC and Qemu Manager. Except Qemu Manager, all others work under LUA without any problem.

 

Thanks for the info!

 

This is by far the safest method of them all. Physical separartion of the drives Guarantees safety.