Discuss Protecting Host Machine from Malware escaping a VM.

Vextor

#22
WinAndLinuxTutorials said:
What makes a VM with a bridged connection infect the Host OS with malware??
You know a worm. Well, worms spread through internet connections, so if it was a physical connection, it could spread to your computer if it's a real connection, like it would spread through a network (e.g. a business). So if it's NAT, a virtual connection, then there is no risk of it spreading like this.
 
Likes: Xtwillight

3link9

#23
MRF71 said:
How good is VirtualBox compared to VMware?
I don't really like VirtualBox... I had some problems with it in the past, but if you don't want to pay for Workstation, it's good.

The problems I had with VirtualBox is that I kept getting errors while creating and starting the machine. I sent a ticket to Oracle and they said it's now fixed in the new version, so I got the new version and I got it working for about two days, but then it kept freezing on VirtualBox's loading screen (not the OS's startup, it was VB's). So I just decided to uninstall it and get Workstation. Haven't had a problem yet except for user error (never snapshot it before infecting it for a removal test). But security wise, it's good... but not as good as Workstation IMHO.
 
Likes: Eng_Mohamed

Overkill

#24
Thanks for the info... So let me see if I understand... NAT is a virtual connection and not a physical connection?
Mrizos uses a VLAN I think to do his tests on YouTube, but it seems very complicated to set up.
 

MalwareDoctor

#25
MrXidus said:
I've been testing malware/rootkits/worms/etc in VMWare for 5 years now.

Not one threat has escaped or harmed my real system.

Can I ask you a question: what connection are you using, bridged or NAT?
 

MalwareDoctor

#29
MrXidus said:
You'll notice I did say NAT under the picture. :)
Thanks, I did not notice the NAT written underneath the illustration. Just for curiosity's sake, how long have you been testing on the VM and have you ever had anything "escape" the virtual machine environment?
 

HeffeD

#30
Hotrod123 said:
...have you ever had anything "escape" the virtual machine environment?
Malware that could escape is quite rare. I'm not even sure it actually exists in the wild. I've read some proof-of-concepts, but I've never seen actual spreading malware that can do so.

More common is malware that is able to detect that it is running in a virtual environment (be it a VM or a sandbox) and will stay inert. Then a user feels it's safe, so he runs it on his host, and then the malware acts.
 
Likes: Eng_Mohamed

MalwareDoctor

#31
HeffeD said:
Hotrod123 said:
...have you ever had anything "escape" the virtual machine environment?
Malware that could escape is quite rare. I'm not even sure it actually exists in the wild. I've read some proof-of-concepts, but I've never seen actual spreading malware that can do so.

More common is malware that is able to detect that it is running in a virtual environment (be it a VM or a sandbox) and will stay inert. Then a user feels it's safe, so he runs it on his host, and then the malware acts.
Yes I have heard of malware being able to know the difference between a host and virtual OS. Do you think worrying about it spreading over the network with NAT is just being paranoid? I know there is always a chance, but in all likelihood with Comodo running on every other machine on my network, do you think I am good to run some suspicious programs in the virtual machine (VMware Workstation 8)?
 

MalwareDoctor

#32
HeffeD said:
Hotrod123 said:
...have you ever had anything "escape" the virtual machine environment?
Malware that could escape is quite rare. I'm not even sure it actually exists in the wild. I've read some proof-of-concepts, but I've never seen actual spreading malware that can do so.

More common is malware that is able to detect that it is running in a virtual environment (be it a VM or a sandbox) and will stay inert. Then a user feels it's safe, so he runs it on his host, and then the malware acts.
Yes I have heard of malware being able to know the difference between a host and virtual OS. Do you think worrying about it spreading over the network with NAT is just being paranoid? I know there is always a chance, but in all likelihood with Comodo running on every other machine on my network, do you think I am good to run some suspicious programs in the virtual machine (VMware Workstation 8)? Also, I have VMware Tools set to automatically update whenever a new update is available.
 
Likes: Xtwillight

HeffeD

#33
Hotrod123 said:
Yes I have heard of malware being able to know the difference between a host and virtual OS. Do you think worrying about it spreading over the network with NAT is just being paranoid?
If you're not doing any file sharing, the odds are slim. However, you can never be too paranoid when it comes to malware. New techniques are being introduced every day.

Hotrod123 said:
I know there is always a chance, but in all likelihood with Comodo running on every other machine on my network, do you think I am good to run some suspicious programs in the virtual machine (VMware Workstation 8)?
Well, you'll be as protected as you are with your host machine connected to the internet, but I'll never be the person to tell you that you are OK to play with malware. In my opinion, if you ever have to ask for tips on how to safely play with malware, you shouldn't be doing it... :angel:
 

MalwareDoctor

#34
HeffeD said:
Hotrod123 said:
Yes I have heard of malware being able to know the difference between a host and virtual OS. Do you think worrying about it spreading over the network with NAT is just being paranoid?
If you're not doing any file sharing, the odds are slim. However, you can never be too paranoid when it comes to malware. New techniques are being introduced every day.

Hotrod123 said:
I know there is always a chance, but in all likelihood with Comodo running on every other machine on my network, do you think I am good to run some suspicious programs in the virtual machine (VMware Workstation 8)?
Well, you'll be as protected as you are with your host machine connected to the internet, but I'll never be the person to tell you that you are OK to play with malware. In my opinion, if you ever have to ask for tips on how to safely play with malware, you shouldn't be doing it... :angel:
Can I ask you a question. You are using the same username on the Comodo forums, right? Because I believe I was having a discussion with you under a different username.
 
Likes: Eng_Mohamed

HeffeD

#35
Hotrod123 said:
Can I ask you a question. You are using the same username on the Comodo forums, right? Because I believe I was having a discussion with you under a different username.
Yes, that would be me. Hello Weatherman97. :)
 

MalwareDoctor

#36
HeffeD said:
Hotrod123 said:
Can I ask you a question. You are using the same username on the Comodo forums, right? Because I believe I was having a discussion with you under a different username.
Yes, that would be me. Hello Weatherman97. :)
Why did you give away my true identity? :p Nah I just wanted to mix it up a little bit. But going back to the million dollar question, is my network secured 99.99%? That is the most important thing I am trying to protect because I could easily fix an issue on my host machine, but it would be a pain in the neck to repair all the machines on my network. Also, I looked at the website you posted on the Comodo thread. Already tried it before, but I followed the instructions again with the same result: loss of Internet connection.
 
Likes: Xtwillight

HeffeD

#37
I already figured it was you because the line of questioning was so very similar. :)

Hotrod123 said:
But going back to the million dollar question, is my network secured 99.99%?
No. But if you do this, you'll be much closer. (But still impossible to put a percentage value on your security)

I'm not as crotchety as some of the users you encountered when asking this on the VMWare forum, but I agree with them somewhat, and I'm definitely not going to tell you you'll be fine testing malware. Whether you choose to believe them, or me for that matter, (on here or the same thing I've told you at Comodo) is your prerogative.

Testing malware is always going to carry risk. You can mitigate risk somewhat, but it's never completely safe. (and impossible to put a percentage on how safe you are) If you choose to play with it, the onus is completely on you. The last thing I want is to tell you you'll be fine, then have you come back blaming me that you've infected your network.

So as I've already stated, (as have others on different forums) I don't recommend playing with malware at all. Especially on a network with other machines connected.
 
Likes: Eng_Mohamed

MalwareDoctor

#38
HeffeD said:
I already figured it was you because the line of questioning was so very similar. :)
Wow, you are on a lot of forums. :)


HeffeD said:
No. But if you do this, you'll be much closer. (But still impossible to put a percentage value on your security)

Is there any way you can help explain the internet loss I mentioned in the last couple of sentences on the previous post?
 
Likes: Eng_Mohamed

HeffeD

#39
Hotrod123 said:
Wow, you are on a lot of forums. :)
I get around. ;)

Hotrod123 said:
Is there any way you can help explain the internet loss I mentioned in the last couple of sentences on the previous post?
I thought I'd already answered that in the other thread. Any time you add usability, you reduce security. You aren't isolated if you've allowed internet access through the host machine.

Many YouTube malware testers use the internet to download malware from malware lists to test, but security experts will never test malware if there is an internet connection.

It's a bit of a catch-22. You need to get the malware from the internet, but you don't want your VM to access the internet. So the only way to get the malware to the VM is through file sharing with your host machine, but you don't want your VM to have any contact with your host machine, nor do you want to expose your host machine to the malware you want to test.

Do you see where I'm going with this?

To be blunt, testing malware is never a safe thing to do. You'll be opening security holes to test in a reasonable manner. (the manner you see on YouTube tests) If you have to ask how to do this safely, you shouldn't be doing it.
 
Likes: Eng_Mohamed
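The thread keeps circling the same isolation settings (bridged vs NAT adapters, shared folders with the host, host-guest channels). As an added example that is not part of the original thread, here is a small audit of those settings as VirtualBox reports them through `VBoxManage showvminfo <vm> --machinereadable`; the sample output below is constructed, not captured from a real machine, and the severity labels are this example's own assumptions.

```python
import re

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output
# (not captured from a real VM), trimmed to the isolation-relevant keys.
SAMPLE_VMINFO = '''nic1="bridged"
nic2="nat"
nic3="hostonly"
nic4="none"
clipboard="bidirectional"
draganddrop="disabled"
SharedFolderNameMachineMapping1="drop"
SharedFolderPathMachineMapping1="/home/user/malware-drop"
'''

# What each VirtualBox attachment mode means for the thread's question:
# can something running in the guest reach the physical LAN or the internet?
NIC_RISK = {
    "bridged": ("HIGH", "guest is a peer on the physical LAN, so a worm can reach other hosts"),
    "nat": ("MEDIUM", "not reachable from the LAN, but the guest still gets out to the internet"),
    "hostonly": ("LOW", "guest talks only to the host's virtual adapter"),
    "intnet": ("LOW", "guest talks only to other VMs on the same internal network"),
}

def parse_vminfo(text):
    """Parse the key="value" lines into a dict, dropping the surrounding quotes."""
    info = {}
    for line in text.splitlines():
        m = re.match(r'^([^=]+)=(.*)$', line.strip())
        if m:
            info[m.group(1)] = m.group(2).strip('"')
    return info

def isolation_findings(info):
    """Return (severity, message) pairs for every setting that gives the guest a path out."""
    findings = []
    for key, mode in sorted(info.items()):
        if re.fullmatch(r'nic\d+', key) and mode != "none":  # unattached adapters are fine
            sev, why = NIC_RISK.get(mode, ("UNKNOWN", "unrecognised attachment mode"))
            findings.append((sev, f"{key}={mode}: {why}"))
    if info.get("clipboard", "disabled") != "disabled":
        findings.append(("MEDIUM", "shared clipboard enabled: a host-guest data channel exists"))
    if info.get("draganddrop", "disabled") != "disabled":
        findings.append(("MEDIUM", "drag and drop enabled: files can be moved onto the host"))
    for key, path in info.items():
        if key.startswith("SharedFolderPathMachineMapping"):
            findings.append(("HIGH", f"shared folder {path}: guest can write into the host filesystem"))
    return findings

if __name__ == "__main__":
    for sev, msg in isolation_findings(parse_vminfo(SAMPLE_VMINFO)):
        print(f"[{sev}] {msg}")
```

On a real host, pipe the actual `VBoxManage showvminfo <vm> --machinereadable` output into `parse_vminfo` in place of the constructed sample.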

MalwareDoctor

#40
Hotrod123 said:
Do you see where I'm going with this?

I do, but I wish it didn't have to be this way. :( You have seen me constantly browse various forums for the best configuration, and after many opinions and ideas I feel like I have found the perfect blend between testing and security (sorry for all the I's). Anyway, thanks for all your help, and if I need any more answers you will be sure to be hearing from me again. :cool:
 
Likes: Eng_Mohamed