Discuss Protecting Host Machine from Malware escaping a VM.

Solarquest

Moderator
MalwareTips Staff
AV-Tester
Verified
Joined
Jul 22, 2014
Messages
1,986
#61
N.nvt, thank you!
Yesterday I forgot one question, what about the router? How safe/weak is it? How can you protect if from malware that attemps to change the settings? First step is to change User name and password, second to update the firmware , but then, whan can be done? :)

What about Bios, Cmos and MBR? How can they be protected and/or backed up?
For the VM, if internet access is blocked, then many pcs of malware might not activate nor download other malware and show all capabilities, same for the AV that cannot check using the cloud.....
Using firewall on guest and host, NAT and VPN allow a relatively safe way to grant access to internet without compromising too much the security of the network (with Static IP)?
 
Last edited:

Solarquest

Moderator
MalwareTips Staff
AV-Tester
Verified
Joined
Jul 22, 2014
Messages
1,986
#62
What sandbox program would you recommend?
About malware that infects firmare of devices, can and will AV be able to protect from these infections and to scan these firmwares (not sure the scan is possible as of now)?:(
 

Aura

Level 20
Verified
Joined
Jul 29, 2014
Messages
963
OS
Windows 10
Antivirus
Emsisoft
#63
What VM software are you going to use for testing? VMware Workstation?
VM Worstation is the safest virtual machine on the market , and with it there is a very really slim chance of getting infecting while using it... Why?If a malware can bypass the virtual machine software than it must have a great code and any good malware writer will have his malware poll running processes during startup of his app and look for virtual processes to prevent from being run and analyzed in a virtual environment, basically a well coded piece of malware will crash or not run in a virtual environment.
I have been using a vm for quiete awhile and I have never seen a piece of malware that could actually escape from the vm and infect the system.



The web guard component of a security suite can interfere with your malware testing so to not ger interrupted you can disable it , however their is no need to disable your antivirus engine while testing.
I know this is an old post but, Jack is right. I've never seen a malware that escaped a VM to infect the host system before. Nor on my computers, nor on the computers of people I've been assisting both IRL and online. These malwares exists, YES, but most of the time, they have been created to target specific users and organisations or to bypass certain specific piece of software. In fact, these kind of malwares are mainly ... "custom coded" for the specific situation they'll be used in. Yes it's possible to come across a malware that will inject itself in your shared RAM and jump from the VM to the host system, it can happen, or will spread using the shared clipboard feature, etc. but these are still quite rare. It's like BIOS-Rootkits. They are very rare, made to be used in specific situations against specific people and organisations so I doubt you'll ever get one if you know what you're doing. I don't say that you'll never get once, the chance is still there but it's pretty low if you ask me.
Just my 2 cents on the matter.
 

MrBrian

New Member
Joined
May 25, 2014
Messages
14
#64
  • If there's a way for the malware to exchange information with the host. This can be over the network; in this respect, there's no difference between using a VM and using a separate physical machine, so you need to firewall the VM appropriately (allow only the bare minimum, don't do anything that might allow the server to hijack the client such as SSH with X forwarding).
There can be a difference. See post #58 for more details.
 
Likes: Solarquest

RejZoR

Level 9
Verified
Joined
Nov 26, 2016
Messages
433
OS
Windows 10
Antivirus
Avast
#65
If you're using hardware based virtualization, chances of malware escaping are nearly impossible, especially if you're running it in HyperV mode. There is a slight chance of being done via VM exploit, but it's very unlikely.

I personally still always run extra protection on host system.
 
Joined
Feb 3, 2017
Messages
103
OS
Windows 10
Antivirus
Kaspersky
#66
VMWare machine adapter in NAT mode - Limited user account on Windows 10 - Software restriction policies including only run programs in the program files directories (x86 and 64) on host.
 
Likes: vemn

vemn

Level 6
AV-Tester
Joined
Feb 11, 2017
Messages
267
#67
A question I always had actually.
How secure is the hypervisor against "insider" Attack?
Security vendors primarily will recommend securing the VMs first, granular fw configuration or HIPS.
 
Likes: Eng_Mohamed

DracusNarcrym

Level 19
Verified
Joined
Oct 16, 2015
Messages
908
OS
Windows 10
Antivirus
Comodo
#69
Any advise on securing VMWare hosts?

I am running esxi in my home lab wouldn't mind any tips other users have about securing their servers.
Without too much trouble, use a separate physical machine and a separate subnet for the VM.

Otherwise stuff gets rather complex, although the VM by itself should be rather secure without any user intervention as far as tweaks and 3rd party software is concerned.

For further, more detailed information, you should consult some of the malware testers around here, they'll have enough experience and knowledge on the subject.
 
Likes: SHvFl

SHvFl

Level 34
Content Creator
Verified
Joined
Nov 19, 2014
Messages
2,311
OS
Windows 10
Antivirus
Emsisoft
#71
Demonstrating a now (silently) patched VMware escape

Twitter
Good reminder that there always going to be expoits. Sure the important exploits are not used at the everyday malware but people testing malware should be aware that a leak might be possible and a separate machine or reset of the whole pc after you are done testing might be a good practice.
 
Joined
May 22, 2017
Messages
262
#72
I run Appguard on my Host and have placed Vmware in its Guarded Apps to mitigate any potential exploits via memory, and have isolated the guest from the Host completely. Utilizing NAT networking does not allow the Guest direct access to the Network, although you will still want something on the Host to monitor the network with.

Both Norton and Eset have excellent Network monitor/scanning, and both have proved to be quite reliable for this task. Combine them with Appguard in Lockdown mode on the Host when you fire up that VM, and chances of anything nailing the network or Host are now very slim. Setting a snapshot as stated above and resetting it after is also a good idea, and a practice i do without thinking now days.

I have run my share of malware through my VM over time, and have yet to have an incident.
 

Xtwillight

Level 6
MH Trial
Joined
Jul 1, 2014
Messages
268
OS
Windows 10
Antivirus
Emsisoft
#74
I think today most of malware won't launch their attacks if they discover the vm or sandbox to avoid being discovered and analyzed
Most malware does not recognize
that it starts in a virtual environment.

Malware that detects a virtual environment is more demanding
to program.

With malware, it makes the mass of malware variations.

Malware infections via email with link are much more common
how to believe. Also, the falsity of fake / spam / phishing email allegedly from Paypal or other reputable companies has been well.
 
Likes: Eng_Mohamed

davisd

Level 20
Verified
Joined
Feb 2, 2016
Messages
979
OS
Windows 10
Antivirus
Default-Deny
#75
Just did usual VM testing with Sophos Home Premium, and played around with some malicious .jar files, suddenly my mouse started to move, for a second I thought my VM is lagging, but no, my VM was remotely taken over. Panic trigger was ON, VM's internet connection closed. Wiping that snapshot now, not going to do further investigation, who, where and how, the fact remains that it is easy to bypass all these Antivirus solutions out there and you should never relay on just one security software and all attack vectors to system should be disabled. That was actually very scary, in my all these years testing stuff in VM I've never experienced this. Thank god I was on with VPN and other safety measures taken. :emoji_fearful::emoji_fearful::emoji_fearful::emoji_fearful:

Those who test malicious stuff with just Shadow Defender on their host machines are nuts, you should never do it, because in my example attacker could just steal all credentials and sensitive info over in just couple of seconds. All who are new to this should think twice, it's not a game. :emoji_cold_sweat:
 
Last edited:

Der.Reisende

Level 36
Content Creator
AV-Tester
Verified
Joined
Dec 27, 2014
Messages
2,526
OS
Windows 10
Antivirus
Tencent
#76
Just did usual VM testing with Sophos Home Premium, and played around with some malicious .jar files, suddenly my mouse started to move, for a second I thought my VM is lagging, but no, my VM was remotely taken over. Panic trigger was ON, VM's internet connection closed. Wiping that snapshot now, not going to do further investigation, who, where and how, the fact remains that it is easy to bypass all these Antivirus solutions out there and you should never relay on just one security software and all attack vectors to system should be disabled. That was actually very scary, in my all these years testing stuff in VM I've never experienced this. Thank god I was on with VPN and other safety measures taken. :emoji_fearful::emoji_fearful::emoji_fearful::emoji_fearful:

Those who test malicious stuff with just Shadow Defender on their host machines are nuts, you should never do it, because in my example attacker could just steal all credentials and sensitive info over in just couple of seconds. All who are new to this should think twice, it's not a game. :emoji_cold_sweat:
Yup, had this experience as well in the HUB multiple times.
JAVA RATs are the most frightening thing followed by Keyloggers IMO.
Good you will (in most cases?) need JRE installed to run first. No idea if JAVA RATs do autoinstall runtimes.

Many AV miss those .jar, not only Sophos, but also Norton as just one of many (also very slow to add detections for) because signatures take way to much time for those threats (let alone BD and Kaspersky) and B.B./HIPS miss it.
 
Last edited:

davisd

Level 20
Verified
Joined
Feb 2, 2016
Messages
979
OS
Windows 10
Antivirus
Default-Deny
#77
Yup, had this experience as well in the HUB multiple times.
JAVA RATs are the most frightening thing followed by Keyloggers IMO.
Good you will (in most cases?) need JRE installed to run first. No idea if JAVA RATs do autoinstall runtimes.

Many AV miss those .jar, not only Sophos, but also Norton as just one of many (also very slow to add detections for) because signatures take way to much time for those threats (let alone BD and Kaspersky) and B.B./HIPS miss it.
Had so far good experience with Panda handling those .jar's, but neverthless, they are scary. I don't believe it's enough to run ANY antivirus solution alone on Windows, it's just matter of time until something gets past, adding NVT OSArmor near-perfectly fill those open holes. You can do further investigation if you want so, if I recall correctly it was this one. Still, Java shouldn't be installed on user's system if not used by any program.


There are still people who join Malwaretips stating that they test malware on host systems, It's crazy, it's not testing, it's zerro responsobilities for your actions.
 
Last edited:
I

illumination

Guest
#78
All who are new to this should think twice, it's not a game. :emoji_cold_sweat:
Have not been able to say this enough in the last couple years.

As well as keeping the Guest fully Isolated from the host, i never tested unless i had the full arsenal of monitoring tools engaged while doing so, as many can be used as quick kill switches such as Process Explorer and TCPview. I certainly never test outside of a VM environment, and absolutely check into the sample to learn of what it does before proceeding to launch them. This also makes monitoring of the system easier knowing what/where the sample will effect the system.

Many believe testing is a quick, slap it in the VM type of thing, and this is far from the truth, to do it properly is very time consuming, most of this time spent in preparation and research, the rest of it spent in monitoring.
 

shmu26

Level 67
Content Creator
Verified
Joined
Jul 3, 2015
Messages
5,639
OS
Windows 10
#79
How does Comodo do against these java buggers?
I have one machine with java installed, it has Windows Defender + Comodo Firewall, Proactive config with both HIPS and Autosandbox enabled.
 
Last edited:

ticklemefeet

Level 16
Verified
Joined
Jan 31, 2018
Messages
760
#80
Those who test malicious stuff with just Shadow Defender on their host machines are nuts, you should never do it, because in my example attacker could just steal all credentials and sensitive info over in just couple of seconds. All who are new to this should think twice, it's not a game. :emoji_cold_sweat:
But why? not that I do that but you said your VM was remotely taken over but not your host. But yes if you were to get a nasty on your host it could steal your info.

I use SD on my host but also have Appguard, Voodooshield, Spyshelter, and Fort Knox firewall. That is what I use on my host. For testing I use virtual Box as I have never used VMWare. I then use whatever security software I am testing in the VM. Spyshelter seems pretty good for loggers and if it gets by all my other software the firewall should stop it.