Protecting Host Machine from Malware escaping a VM.

Discussion in 'General Security Discussions' started by 3link9, Jan 18, 2012.

  1. WinAndLinuxTutorials

    Trusted

    Aug 23, 2011
    2,126
    157
    Schoolboy
    Jordan
    What makes a VM with a bridged connection infect the Host OS with malware?
     
  2. Vextor

    Vextor Guest

    You know a worm. Well, worms spread through internet connections, so if it was a physical connection, it could spread to your computer if it's a real connection, like it would spread through a network (e.g. a business). So if it's NAT, a virtual connection, then there is no risk of it spreading like this.
     
  3. 3link9

    3link9 Level 5

    Oct 22, 2011
    867
    222
    United States
    I don't really like VirtualBox... I had some problems with it in the past, but if you don't want to pay for Workstation, it's good.

    The problems I had with VirtualBox is that I kept getting errors while creating and starting the machine. I sent a ticket to Oracle and they said it's now fixed in the new version, so I got the new version and I got it working for about two days, but then it kept freezing on VirtualBox's loading screen (not the OS's startup, it was VB's). So I just decided to uninstall it and get Workstation. Haven't had a problem yet except for user error (never snapshot it before infecting it for a removal test). But security-wise, it's good... but not as good as Workstation IMHO.
     
  4. Overkill

    Overkill Level 30
    Trusted

    Feb 15, 2012
    2,106
    1,997
    USA
    Windows 7
    Default-Deny
    Thanks for the info...So let me see if I understand...NAT is a virtual connection and not a physical connection?
    Mrizos uses a VLAN I think to do his tests on YouTube, but it seems very complicated to set up.
     
  5. MalwareDoctor

    MalwareDoctor Moderator
    Staff Member

    Aug 5, 2012
    462
    1,072

    Can I ask you a question: what connection are you using, bridged or NAT?
     
  6. MrXidus

    MrXidus Super Moderator (Leave of absence)

    Apr 17, 2011
    2,173
    931
    Australia
     
  7. Plexx

    Plexx Guest

    MrXidus, I think Hotrod is not sure if he should follow the red or green arrow :p
     
  8. MrXidus

    MrXidus Super Moderator (Leave of absence)

    Apr 17, 2011
    2,173
    931
    Australia
    You'll notice I did say NAT under the picture. :)
     
  9. MalwareDoctor

    MalwareDoctor Moderator
    Staff Member

    Aug 5, 2012
    462
    1,072
    Thanks, I did not notice the NAT written underneath the illustration. Just for curiosity's sake, how long have you been testing on the VM and have you ever had anything "escape" the virtual machine environment?
     
  10. HeffeD

    HeffeD New Member

    Feb 28, 2011
    1,597
    12
    Malware that could escape is quite rare. I'm not even sure it actually exists in the wild. I've read some proof-of-concepts, but I've never seen actual spreading malware that can do so.

    More common is malware that is able to detect that it is running in a virtual environment (be it a VM or a sandbox) and will stay inert. Then a user feels it's safe, so he runs it on his host, and then the malware acts.
     
  11. MalwareDoctor

    MalwareDoctor Moderator
    Staff Member

    Aug 5, 2012
    462
    1,072
    Yes, I have heard of malware being able to know the difference between a host and virtual OS. Do you think worrying about it spreading over the network with NAT is just being paranoid? I know there is always a chance, but in all likelihood, with Comodo running on every other machine on my network, do you think I am good to run some suspicious programs in the virtual machine (VMware Workstation 8)?
     
  12. MalwareDoctor

    MalwareDoctor Moderator
    Staff Member

    Aug 5, 2012
    462
    1,072
    Yes, I have heard of malware being able to know the difference between a host and virtual OS. Do you think worrying about it spreading over the network with NAT is just being paranoid? I know there is always a chance, but in all likelihood, with Comodo running on every other machine on my network, do you think I am good to run some suspicious programs in the virtual machine (VMware Workstation 8)? Also, I have VMware Tools set to automatically update whenever a new update is available.
     
  13. HeffeD

    HeffeD New Member

    Feb 28, 2011
    1,597
    12
    If you're not doing any file sharing, the odds are slim. However, you can never be too paranoid when it comes to malware. New techniques are being introduced every day.

    Well, you'll be as protected as you are with your host machine connected to the internet, but I'll never be the person to tell you that you are OK to play with malware. In my opinion, if you ever have to ask for tips on how to safely play with malware, you shouldn't be doing it... :angel:
     
  14. MalwareDoctor

    MalwareDoctor Moderator
    Staff Member

    Aug 5, 2012
    462
    1,072
    Can I ask you a question? You are using the same username on the Comodo forums, right? Because I believe I was having a discussion with you under a different username.
     
  15. HeffeD

    HeffeD New Member

    Feb 28, 2011
    1,597
    12
    Yes, that would be me. Hello Weatherman97. :)
     
  16. MalwareDoctor

    MalwareDoctor Moderator
    Staff Member

    Aug 5, 2012
    462
    1,072
    Why did you give away my true identity? :p Nah I just wanted to mix it up a little bit. But going back to the million dollar question, is my network secured 99.99%? That is the most important thing I am trying to protect because I could easily fix an issue on my host machine, but it would be a pain in the neck to repair all the machines on my network. Also, I looked at the website you posted on the Comodo thread. Already tried it before, but I followed the instructions again with the same result: loss of Internet connection.
     
  17. HeffeD

    HeffeD New Member

    Feb 28, 2011
    1,597
    12
    I already figured it was you because the line of questioning was so very similar. :)

    No. But if you do this, you'll be much closer. (But still impossible to put a percentage value on your security)

    I'm not as crotchety as some of the users you encountered when asking this on the VMware forum, but I agree with them somewhat, and I'm definitely not going to tell you you'll be fine testing malware. Whether you choose to believe them, or me for that matter (on here or the same thing I've told you at Comodo), is your prerogative.

    Testing malware is always going to carry risk. You can mitigate risk somewhat, but it's never completely safe. (and impossible to put a percentage on how safe you are) If you choose to play with it, the onus is completely on you. The last thing I want is to tell you you'll be fine, then have you come back blaming me that you've infected your network.

    So as I've already stated, (as have others on different forums) I don't recommend playing with malware at all. Especially on a network with other machines connected.
     
  18. MalwareDoctor

    MalwareDoctor Moderator
    Staff Member

    Aug 5, 2012
    462
    1,072
    Wow, you are on a lot of forums. :)

    Is there any way you can help explain the internet loss I mentioned in the last couple of sentences on the previous post?
     
  19. HeffeD

    HeffeD New Member

    Feb 28, 2011
    1,597
    12
    I get around. ;)

    I thought I'd already answered that in the other thread. Any time you add usability, you reduce security. You aren't isolated if you've allowed internet access through the host machine.

    Many YouTube malware testers use the internet to download malware from malware lists to test, but security experts will never test malware if there is an internet connection.

    It's a bit of a catch-22. You need to get the malware from the internet, but you don't want your VM to access the internet. So the only way to get the malware to the VM is through file sharing with your host machine, but you don't want your VM to have any contact with your host machine, nor do you want to expose your host machine to the malware you want to test.

    Do you see where I'm going with this?

    To be blunt, testing malware is never a safe thing to do. You'll be opening security holes to test in a reasonable manner. (the manner you see on YouTube tests) If you have to ask how to do this safely, you shouldn't be doing it.
     
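    A defender-side check for the exposure paths HeffeD lists above (a bridged NIC on the real LAN, Internet access through the host via NAT, and file sharing between guest and host), written as an added example that is not from this thread or from VMware. It audits a VMware Workstation .vmx file using the standard `ethernetN.connectionType` and `isolation.tools.*.disable` keys; the sample .vmx text is constructed.

```python
"""Audit a VMware Workstation .vmx for the isolation gaps discussed in the
thread: bridged networking, Internet via NAT, and guest<->host sharing.
Added example; the sample .vmx below is constructed, not a real VM."""
import re

# key = "value"  (quotes optional); keys may contain dots and colons
_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"?(.*?)"?\s*$')

def parse_vmx(text):
    """Return the .vmx key/value pairs with keys lower-cased."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def audit_vmx(text):
    """Return findings; an empty list means no bridged/NAT NIC and all
    guest<->host sharing features explicitly disabled."""
    cfg = parse_vmx(text)
    findings = []
    for key, val in cfg.items():
        if re.fullmatch(r"ethernet\d+\.connectiontype", key):
            nic = key.split(".")[0]
            if val.lower() == "bridged":
                findings.append(f"{nic}: bridged, guest sits on the physical LAN")
            elif val.lower() == "nat":
                findings.append(f"{nic}: NAT, guest still reaches the Internet via the host")
    # Sharing features are ON unless the disable key is present and TRUE.
    for key, what in (("isolation.tools.hgfs.disable", "shared folders (HGFS)"),
                      ("isolation.tools.dnd.disable", "drag-and-drop"),
                      ("isolation.tools.copy.disable", "copy to host"),
                      ("isolation.tools.paste.disable", "paste from host")):
        if cfg.get(key, "false").lower() != "true":
            findings.append(f"{what} not disabled ({key})")
    return findings

SAMPLE_VMX = """\
.encoding = "UTF-8"
displayName = "malware-test"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
sharedFolder0.present = "TRUE"
isolation.tools.copy.disable = "TRUE"
"""

if __name__ == "__main__":
    for finding in audit_vmx(SAMPLE_VMX):
        print("WARN:", finding)
```

    Run against the constructed sample it reports the bridged NIC plus three sharing features left enabled; a host-only NIC with all four disable keys set to TRUE yields no findings.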
  20. MalwareDoctor

    MalwareDoctor Moderator
    Staff Member

    Aug 5, 2012
    462
    1,072

    I do, but I wish it didn't have to be this way. :( You have seen me constantly browse various forums for the best configuration, and after many opinions and ideas I feel like I have found the perfect blend between testing and security (sorry for all the I's). Anyway, thanks for all your help, and if I need any more answers you will be sure to be hearing from me again. :cool:
     