Malware and VM question.

LabZero

Thread author
I read an old post about this question, but is it possible that a new malware can bypass VBox?


hjlbx

Thread author
I read an old post about this question, but is it possible that a new malware can bypass VBox?

Yes.

Via various network flaws = vulnerabilities in the client/host setup.

Don't use bridged networking.

Don't use network shares (just mentioning for sake of thoroughness).

Before running malware, disable networking. Simplest solution.

or... just dump the VM and use Shadow Defender. :D
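The networking advice above (no bridged adapter, no network at all before detonation) can be checked from the `VBoxManage showvminfo <vm> --machinereadable` output. This is an added example, not code from the thread: it parses a constructed sample of that output and emits the `modifyvm --nicN none` commands that take the guest offline; the VM name and adapter layout are assumptions.

```shell
#!/bin/sh
# Constructed sample of `VBoxManage showvminfo analysis-w81 --machinereadable`
# (only the nic<N>= lines matter here; real output has many more keys).
SAMPLE_INFO='name="analysis-w81"
nic1="bridged"
bridgeadapter1="eth0"
nic2="nat"
nic3="none"
nic4="none"
nic5="hostonly"'

# list_nics TEXT MODE
#   MODE "exposed": adapters that share a segment with the host or other VMs
#                   (bridged, host-only, internal) - the "don't use bridged" rule.
#   MODE "active":  every adapter that is not disconnected (none/null) - the
#                   "disable networking before running malware" rule.
# Prints one adapter index per line.
list_nics() {
  printf '%s\n' "$1" | awk -F'"' -v want="$2" '
    /^nic[0-9]+="/ {
      mode = $2
      idx  = substr($1, 4, length($1) - 4)   # "nic1=" -> "1"
      if (want == "active" && mode != "none" && mode != "null") print idx
      if (want == "exposed" && (mode == "bridged" || mode == "hostonly" || mode == "intnet")) print idx
    }'
}

# offline_commands VMNAME TEXT
#   Emits the VBoxManage lines that disconnect every active adapter.
#   (modifyvm only works while the VM is powered off; snapshot first.)
offline_commands() {
  for i in $(list_nics "$2" active); do
    printf 'VBoxManage modifyvm "%s" --nic%s none\n' "$1" "$i"
  done
}

# Stand-alone run: report exposed adapters, then the remediation commands.
echo "exposed adapters: $(list_nics "$SAMPLE_INFO" exposed | tr '\n' ' ')"
offline_commands analysis-w81 "$SAMPLE_INFO"
```

In practice replace `SAMPLE_INFO` with the live output, e.g. `list_nics "$(VBoxManage showvminfo analysis-w81 --machinereadable)" exposed`.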
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
In such an architecture environment there's always a possibility of a slip/bypass, but literally the chances are minimal. First of all, to avoid any problems, the default network setting is NAT, so it isolates the connection and does not have any ability to sneak onto networks, especially worms. ;)
 

Cch123

Level 7
Verified
May 6, 2014
335
There are 2 ways to achieve VM escape with virtualbox.

The first is configuration errors, which others have mentioned above. The second, which is potentially far more serious, is a vulnerability in VirtualBox itself. An example would be CVE-2014-0981, which allows malware in the VM to escape into the host system. However, you do not need to worry about such exploits because, to the best of my knowledge, no malware has such a capability. Not even APTs.

Have you tried Shadow Defender yet? If not, you get a 30-day free trial at this link. http://www.shadowdefender.com/

Shadow Defender is a nice addition, but it is also far from foolproof. If I recall correctly, a year back there were issues reported about how Shadow Defender failed to protect against some advanced rootkits. Furthermore, although I have not tested it personally, I do not see any reason why kernel-level exploits and malware are not able to bypass Shadow Defender. At this privilege level malware can unload most if not all security software and do whatever it wants.
 

frogboy

In memoriam 1961-2018
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
There are 2 ways to achieve VM escape with virtualbox.

The first is configuration errors, which others have mentioned above. The second, which is potentially far more serious, is a vulnerability in VirtualBox itself. An example would be CVE-2014-0981, which allows malware in the VM to escape into the host system. However, you do not need to worry about such exploits because, to the best of my knowledge, no malware has such a capability. Not even APTs.

Shadow Defender is a nice addition, but it is also far from foolproof. If I recall correctly, a year back there were issues reported about how Shadow Defender failed to protect against some advanced rootkits. Furthermore, although I have not tested it personally, I do not see any reason why kernel-level exploits and malware are not able to bypass Shadow Defender. At this privilege level malware can unload most if not all security software and do whatever it wants.

Not saying it can't, but I have not seen any proof that it can either.
 
hjlbx

Thread author
Shadow Defender is a nice addition, but it is also far from foolproof. If I recall correctly, a year back there were issues reported about how Shadow Defender failed to protect against some advanced rootkits. Furthermore, although I have not tested it personally, I do not see any reason why kernel-level exploits and malware are not able to bypass Shadow Defender. At this privilege level malware can unload most if not all security software and do whatever it wants.

In the video, the tester used Kaspersky TDSS Killer. TDSS picked up a remnant at the very end of Track 0. However, the tester did not realize it was a remnant and reported it as a complete rootkit bypass.

Tony fixed this issue.

I'm not saying Shadow Defender is "bullet-proof." As in its current version there is no complete disk virtualization...which is a request submitted to the developer.

If there is any current vulnerability to malware with Shadow Defender then it is strictly limited to rootkits...and no testing has established this to be the case since Tony coded complete MBR virtualization. Based upon my experience nothing has, so far, gotten past it on my W8.1 system...and that's a lot of malware.

However, if anything is going to handily defeat SD it is going to be an exploit and not a run-of-the-mill nasty.

I've been trying to track down some samples of Zero Access/Sirefef and other rootkits for some testing. It's about time that the Shadow Defender 0 rootkit question is definitively answered: "Can rootkits bypass it or not?" And the tests need to be credible. There's no use in doing the testing if it isn't beyond reproach... like what happened to that unfortunate video author.

If anyone can be of assistance in providing W8 executables then it would be a great help.
 
hjlbx

Thread author
One solution would be to use Sandboxie in Shadow Defender (sandbox in sandbox)

Double-sandboxing will not prevent an exploit.

Bromium researchers used Sandboxie inside a VM and the exploit still managed to pull off its dirty deed.

frogboy

In memoriam 1961-2018
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
In the video, the tester used Kaspersky TDSS Killer. TDSS picked up a remnant at the very end of Track 0. However, the tester did not realize it was a remnant and reported it as a complete rootkit bypass.

Tony fixed this issue.

I'm not saying Shadow Defender is "bullet-proof." As in its current version there is no complete disk virtualization...which is a request submitted to the developer.

If there is any current vulnerability with Shadow Defender then it is strictly limited to rootkits...and no testing has established this to be the case since Tony coded complete MBR virtualization. Based upon my experience nothing has, so far, gotten past it on my W8.1 system...and that's a lot of malware.

I've been trying to track down some samples of Zero Access/Sirefef and other rootkits for some testing. It's about time that the Shadow Defender 0 rootkit question is definitively answered: "Can rootkits bypass it or not?" And the tests need to be credible. There's no use in doing the testing if it isn't beyond reproach... like what happened to that unfortunate video author.

If anyone can be of assistance in providing W8 executables then it would be a great help.

Never got by on my Windows 7 system either, and I have tried very hard to breach it. ;)
 
hjlbx

Thread author
We were just joking around about that. :):p:D

Sandboxie with Shadow Defender is no joke. It's actually a valid anti-crypto technique.

What if you exclude files/folders in Shadow Mode (such as the AV and all its data folders) and then run a cryptor? The only way to protect that excluded data from the cryptor is to launch them sandboxed using SBIE inside Shadow Mode.

See, now I thought you were Neo. :D
 
frogboy

In memoriam 1961-2018
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
After PrivDog I am not touching Comodo ever again, period. :D

Cch123

Level 7
Verified
May 6, 2014
335
In the video, the tester used Kaspersky TDSS Killer. TDSS picked up a remnant at the very end of Track 0. However, the tester did not realize it was a remnant and reported it as a complete rootkit bypass.

Tony fixed this issue.

I'm not saying Shadow Defender is "bullet-proof." As in its current version there is no complete disk virtualization...which is a request submitted to the developer.

If there is any current vulnerability to malware with Shadow Defender then it is strictly limited to rootkits...and no testing has established this to be the case since Tony coded complete MBR virtualization. Based upon my experience nothing has, so far, gotten past it on my W8.1 system...and that's a lot of malware.

However, if anything is going to handily defeat SD it is going to be an exploit and not a run-of-the-mill nasty.

I've been trying to track down some samples of Zero Access/Sirefef and other rootkits for some testing. It's about time that the Shadow Defender 0 rootkit question is definitively answered: "Can rootkits bypass it or not?" And the tests need to be credible. There's no use in doing the testing if it isn't beyond reproach... like what happened to that unfortunate video author.

If anyone can be of assistance in providing W8 executables then it would be a great help.

Wrong, I was not talking about that video. I have seen it too, and I agree that there are plenty of inaccuracies in it. What I was talking about is that, fundamentally, Shadow Defender still relies on OS security mechanisms to ensure the integrity of its function. However, at the kernel level you can access the hard disk sectors directly, thus bypassing SD. In 2009 one such malware appeared, and at that point in time it could bypass such protections. If I have time I will dig through my sample collection and make a test.