Protecting Host Machine from Malware escaping a VM.

[Solarquest]

N.nvt, thank you!
Yesterday I forgot one question, what about the router? How safe/weak is it? How can you protect if from malware that attemps to change the settings? First step is to change User name and password, second to update the firmware , but then, whan can be done?

What about Bios, Cmos and MBR? How can they be protected and/or backed up?
For the VM, if internet access is blocked, then many pcs of malware might not activate nor download other malware and show all capabilities, same for the AV that cannot check using the cloud.....
Using firewall on guest and host, NAT and VPN allow a relatively safe way to grant access to internet without compromising too much the security of the network (with Static IP)?

 

[Solarquest]

What sandbox program would you recommend?
About malware that infects firmare of devices, can and will AV be able to protect from these infections and to scan these firmwares (not sure the scan is possible as of now)?

 

[Aura]

What VM software are you going to use for testing? VMware Workstation?
VM Worstation is the safest virtual machine on the market , and with it there is a very really slim chance of getting infecting while using it... Why?If a malware can bypass the virtual machine software than it must have a great code and any good malware writer will have his malware poll running processes during startup of his app and look for virtual processes to prevent from being run and analyzed in a virtual environment, basically a well coded piece of malware will crash or not run in a virtual environment.
I have been using a vm for quiete awhile and I have never seen a piece of malware that could actually escape from the vm and infect the system.



The web guard component of a security suite can interfere with your malware testing so to not ger interrupted you can disable it , however their is no need to disable your antivirus engine while testing.

I know this is an old post but, Jack is right. I've never seen a malware that escaped a VM to infect the host system before. Nor on my computers, nor on the computers of people I've been assisting both IRL and online. These malwares exists, YES, but most of the time, they have been created to target specific users and organisations or to bypass certain specific piece of software. In fact, these kind of malwares are mainly ... "custom coded" for the specific situation they'll be used in. Yes it's possible to come across a malware that will inject itself in your shared RAM and jump from the VM to the host system, it can happen, or will spread using the shared clipboard feature, etc. but these are still quite rare. It's like BIOS-Rootkits. They are very rare, made to be used in specific situations against specific people and organisations so I doubt you'll ever get one if you know what you're doing. I don't say that you'll never get once, the chance is still there but it's pretty low if you ask me.
Just my 2 cents on the matter.

 

[MrBrian]

• If there's a way for the malware to exchange information with the host. This can be over the network; in this respect, there's no difference between using a VM and using a separate physical machine, so you need to firewall the VM appropriately (allow only the bare minimum, don't do anything that might allow the server to hijack the client such as SSH with X forwarding).

There can be a difference. See post #58 for more details.

 

[RejZoR]

If you're using hardware based virtualization, chances of malware escaping are nearly impossible, especially if you're running it in HyperV mode. There is a slight chance of being done via VM exploit, but it's very unlikely.

I personally still always run extra protection on host system.

 

[DC47561]

VMWare machine adapter in NAT mode - Limited user account on Windows 10 - Software restriction policies including only run programs in the program files directories (x86 and 64) on host.

 

[vemn]

A question I always had actually.
How secure is the hypervisor against "insider" Attack?
Security vendors primarily will recommend securing the VMs first, granular fw configuration or HIPS.

 

[larry goes to church]

Any advise on securing VMWare hosts?

I am running esxi in my home lab wouldn't mind any tips other users have about securing their servers.

 

[DracusNarcrym]

Any advise on securing VMWare hosts?

I am running esxi in my home lab wouldn't mind any tips other users have about securing their servers.

Without too much trouble, use a separate physical machine and a separate subnet for the VM.

Otherwise stuff gets rather complex, although the VM by itself should be rather secure without any user intervention as far as tweaks and 3rd party software is concerned.

For further, more detailed information, you should consult some of the malware testers around here, they'll have enough experience and knowledge on the subject.

 

[TwinHeadedEagle]

Demonstrating a now (silently) patched VMware escape

Twitter

https://zippy.gfycat.com/WickedFaithfulIlladopsis.webm

 

[SHvFl]

Demonstrating a now (silently) patched VMware escape

Twitter

Good reminder that there always going to be expoits. Sure the important exploits are not used at the everyday malware but people testing malware should be aware that a leak might be possible and a separate machine or reset of the whole pc after you are done testing might be a good practice.

 

[S3cur1ty 3nthu5145t]

I run Appguard on my Host and have placed Vmware in its Guarded Apps to mitigate any potential exploits via memory, and have isolated the guest from the Host completely. Utilizing NAT networking does not allow the Guest direct access to the Network, although you will still want something on the Host to monitor the network with.

Both Norton and Eset have excellent Network monitor/scanning, and both have proved to be quite reliable for this task. Combine them with Appguard in Lockdown mode on the Host when you fire up that VM, and chances of anything nailing the network or Host are now very slim. Setting a snapshot as stated above and resetting it after is also a good idea, and a practice i do without thinking now days.

I have run my share of malware through my VM over time, and have yet to have an incident.

 

[security.paranoid]

I think today most of malware won't launch their attacks if they discover the vm or sandbox to avoid being discovered and analyzed

 

[Xtwillight]

I think today most of malware won't launch their attacks if they discover the vm or sandbox to avoid being discovered and analyzed

Most malware does not recognize
that it starts in a virtual environment.

Malware that detects a virtual environment is more demanding
to program.

With malware, it makes the mass of malware variations.

Malware infections via email with link are much more common
how to believe. Also, the falsity of fake / spam / phishing email allegedly from Paypal or other reputable companies has been well.

 

[Deleted Member 3a5v73x]

Just did usual VM testing with Sophos Home Premium, and played around with some malicious .jar files, suddenly my mouse started to move, for a second I thought my VM is lagging, but no, my VM was remotely taken over. Panic trigger was ON, VM's internet connection closed. Wiping that snapshot now, not going to do further investigation, who, where and how, the fact remains that it is easy to bypass all these Antivirus solutions out there and you should never relay on just one security software and all attack vectors to system should be disabled. That was actually very scary, in my all these years testing stuff in VM I've never experienced this. Thank god I was on with VPN and other safety measures taken. :emoji_fearful::emoji_fearful::emoji_fearful::emoji_fearful:

Those who test malicious stuff with just Shadow Defender on their host machines are nuts, you should never do it, because in my example attacker could just steal all credentials and sensitive info over in just couple of seconds. All who are new to this should think twice, it's not a game. :emoji_cold_sweat:

 

[Der.Reisende]

Just did usual VM testing with Sophos Home Premium, and played around with some malicious .jar files, suddenly my mouse started to move, for a second I thought my VM is lagging, but no, my VM was remotely taken over. Panic trigger was ON, VM's internet connection closed. Wiping that snapshot now, not going to do further investigation, who, where and how, the fact remains that it is easy to bypass all these Antivirus solutions out there and you should never relay on just one security software and all attack vectors to system should be disabled. That was actually very scary, in my all these years testing stuff in VM I've never experienced this. Thank god I was on with VPN and other safety measures taken. :emoji_fearful::emoji_fearful::emoji_fearful::emoji_fearful:

Those who test malicious stuff with just Shadow Defender on their host machines are nuts, you should never do it, because in my example attacker could just steal all credentials and sensitive info over in just couple of seconds. All who are new to this should think twice, it's not a game. :emoji_cold_sweat:

Yup, had this experience as well in the HUB multiple times.
JAVA RATs are the most frightening thing followed by Keyloggers IMO.
Good you will (in most cases?) need JRE installed to run first. No idea if JAVA RATs do autoinstall runtimes.

Many AV miss those .jar, not only Sophos, but also Norton as just one of many (also very slow to add detections for) because signatures take way to much time for those threats (let alone BD and Kaspersky) and B.B./HIPS miss it.

 

[Deleted Member 3a5v73x]

Yup, had this experience as well in the HUB multiple times.
JAVA RATs are the most frightening thing followed by Keyloggers IMO.
Good you will (in most cases?) need JRE installed to run first. No idea if JAVA RATs do autoinstall runtimes.

Many AV miss those .jar, not only Sophos, but also Norton as just one of many (also very slow to add detections for) because signatures take way to much time for those threats (let alone BD and Kaspersky) and B.B./HIPS miss it.

Had so far good experience with Panda handling those .jar's, but neverthless, they are scary. I don't believe it's enough to run ANY antivirus solution alone on Windows, it's just matter of time until something gets past, adding NVT OSArmor near-perfectly fill those open holes. You can do further investigation if you want so, if I recall correctly it was this one. Still, Java shouldn't be installed on user's system if not used by any program.

Spoiler: sample

Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'file_27708E.jar'

Antivirus scan for fc05232575a60d447981c58a8bbae51cd93d85927570a1cd531bd9bb563312a4 at 2018-07-02 07:41:39 UTC - VirusTotal

SHA256:fc05232575a60d447981c58a8bbae51cd93d85927570a1cd531bd9bb563312a4

File name: file_27708E.jar
VT Detection ratio: 13 / 60

There are still people who join MalwareTips stating that they test malware on host systems, It's crazy, it's not testing, it's zerro responsobilities for your actions.

 

[illumination]

All who are new to this should think twice, it's not a game. :emoji_cold_sweat:

Have not been able to say this enough in the last couple years.

As well as keeping the Guest fully Isolated from the host, i never tested unless i had the full arsenal of monitoring tools engaged while doing so, as many can be used as quick kill switches such as Process Explorer and TCPview. I certainly never test outside of a VM environment, and absolutely check into the sample to learn of what it does before proceeding to launch them. This also makes monitoring of the system easier knowing what/where the sample will effect the system.

Many believe testing is a quick, slap it in the VM type of thing, and this is far from the truth, to do it properly is very time consuming, most of this time spent in preparation and research, the rest of it spent in monitoring.

 

[shmu26]

How does Comodo do against these java buggers?
I have one machine with java installed, it has Windows Defender + Comodo Firewall, Proactive config with both HIPS and Autosandbox enabled.

 

[ForgottenSeer 69673]

Those who test malicious stuff with just Shadow Defender on their host machines are nuts, you should never do it, because in my example attacker could just steal all credentials and sensitive info over in just couple of seconds. All who are new to this should think twice, it's not a game. :emoji_cold_sweat:

But why? not that I do that but you said your VM was remotely taken over but not your host. But yes if you were to get a nasty on your host it could steal your info.

I use SD on my host but also have Appguard, Voodooshield, Spyshelter, and Fort Knox firewall. That is what I use on my host. For testing I use virtual Box as I have never used VMWare. I then use whatever security software I am testing in the VM. Spyshelter seems pretty good for loggers and if it gets by all my other software the firewall should stop it.