Protecting Host Machine from Malware escaping a VM.

Der.Reisende

Dec 27, 2014
Had so far good experience with Panda handling those .jars, but nevertheless, they are scary. I don't believe it's enough to run ANY antivirus solution alone on Windows, it's just a matter of time until something gets past; adding NVT OSArmor near-perfectly fills those open holes. You can do further investigation if you want to, if I recall correctly it was this one. Still, Java shouldn't be installed on a user's system if not used by any program.


There are still people who join MalwareTips stating that they test malware on host systems. It's crazy, it's not testing, it's zero responsibility for your actions.
Those Adwinds are quite common, they appear on Hybrid quite often, some days more, some days less.
They will not only drop lots of .vbs which might carry out actions described below, but javaw.exe will also end up in AutoRuns linking to a dropped .jar (somewhere in AppData/Roaming as far as I remember).

Not sure if all .jar variants have the ability, but some of those we had in the Malware HUB in the past did not only set up multiple remote connections (via javaw.exe), but will also target quite a bunch of Anti-Malware / Anti-Virus software and try to disable it (Malwarebytes, Windows Defender, BullGuard - the last one was completely unusable when I ran a few tests against it with such malware in the pack). You will notice this by the registry hijack entries shown in HitmanPro / Norton Power Eraser.

It's interesting that some vendors manage to detect the dropped .vbs, as if they are recycled, but do nothing when you first launch the .jar.
From the vendors I tried, I know Q360 will manage to clean up the infection but not stop it in the first place; F-Secure will instantly block via DeepGuard (or BD signatures). Kaspersky will for sure block it instantly (ask @harlan4096).

Not sure about Tencent; they have BD signatures, so most of the time the .jar is detected by signatures, and it might clean up like Q360.
Norton does detect some of the malware, but will have the registry hijacked and the .jar active in memory, in AutoRun and calling out.
BullGuard: Cannot tell; when I tested it half a year ago or more, it was shut down by the RAT.
Judging from my experiences 3 months or more ago, QuickHeal will act like Norton.

Many firewalls have the javaw.exe process whitelisted, so they won't alert when it calls out (it might be used for legit services, too).

Watch that .jar, I bet it will stay low detected for days.

Had so far good experience with Panda handling those .jars, but nevertheless, they are scary. I don't believe it's enough to run ANY antivirus solution alone on Windows, it's just a matter of time until something gets past; adding NVT OSArmor near-perfectly fills those open holes. You can do further investigation if you want to, if I recall correctly it was this one. Still, Java shouldn't be installed on a user's system if not used by any program.


There are still people who join MalwareTips stating that they test malware on host systems. It's crazy, it's not testing, it's zero responsibility for your actions.
Have not been able to say this enough in the last couple years.

As well as keeping the guest fully isolated from the host, I never tested unless I had the full arsenal of monitoring tools engaged while doing so, as many can be used as quick kill switches, such as Process Explorer and TCPView. I certainly never test outside of a VM environment, and absolutely check into the sample to learn what it does before proceeding to launch it. This also makes monitoring of the system easier, knowing what/where the sample will affect the system.

Many believe testing is a quick, slap-it-in-the-VM type of thing, and this is far from the truth: to do it properly is very time consuming, most of this time spent in preparation and research, the rest of it spent in monitoring.
Agree, VM (+VPN!!!) is probably the best call, because of full isolation of personal data.
Easy to set up (you can find good guides via Google), easy to restore.

Would not keep a lot of personal data on the host either; you don't know if a malware manages its way there, either out of the VM or through the net.
Even more so if I use ShadowDefender (me likes it better than a VM, too).

How does Comodo do against these java buggers?
I have one machine with java installed, it has Windows Defender + Comodo Firewall, Proactive config with both HIPS and Autosandbox enabled.
It will probably sandbox it completely, and it might not be able to do any harm outside the sandbox.
Maybe @cruelsister can help?
Not sure what happens if you use it in stock settings (haven't used it for some time, so I cannot tell), whether it allows javaw.exe outside containment; AFAIK it has a big list of trusted vendors, and Oracle is for sure one of them.
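The persistence pattern described above (a legitimate javaw.exe in Program Files started from an autorun entry, loading a dropped .jar out of AppData\Roaming) is something you can triage mechanically when reviewing Autoruns output from a host. The following is an added example, not code from the thread or from any of the products named in it; the autorun entries it scans are constructed to resemble that pattern, and the list of user-writable locations is my own choice.

```python
"""Flag autorun entries in which a Java launcher starts a .jar from a user-writable path.

Added example (not from the thread): the sample entries below are constructed to
resemble the persistence described in the post, not real Autoruns output.
"""
import shlex

# Java launchers named in the post. A signed launcher living under Program Files is
# exactly what lets the .jar it starts slip past process-based firewall whitelists.
JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}

# Locations a non-admin user can write to (my own list, not from the post). A .jar
# persisting from one of these, AppData\Roaming in particular, is worth a closer look.
USER_WRITABLE_MARKERS = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\downloads\\",
    "\\programdata\\",
)


def split_windows_cmdline(cmdline):
    """Tokenise a Run-key command line, keeping backslashes and stripping quotes."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def find_jar_argument(tokens):
    """Return the .jar passed via -jar (or as a bare .jar token), else None."""
    for i, tok in enumerate(tokens[1:], start=1):
        if tok.lower() == "-jar" and i + 1 < len(tokens):
            return tokens[i + 1]
        if tok.lower().endswith(".jar"):
            return tok
    return None


def analyze_autorun(location, name, cmdline):
    """Return a finding dict for java/javaw autoruns that load a .jar, else None."""
    tokens = split_windows_cmdline(cmdline)
    if not tokens:
        return None
    launcher = tokens[0].rsplit("\\", 1)[-1].lower()
    if launcher not in JAVA_LAUNCHERS:
        return None
    jar = find_jar_argument(tokens)
    if jar is None:
        return None
    jar_lower = jar.lower()
    return {
        "location": location,
        "name": name,
        "launcher": launcher,
        "jar": jar,
        "user_writable": any(m in jar_lower for m in USER_WRITABLE_MARKERS),
    }


def scan_autoruns(entries):
    """Run analyze_autorun over (location, name, cmdline) tuples; keep only hits."""
    findings = [analyze_autorun(*entry) for entry in entries]
    return [f for f in findings if f is not None]


# Constructed sample: one ordinary autorun, one javaw launching a .jar dropped in
# AppData\Roaming (the pattern the post describes), and one vendor tool that ships
# its own JRE and .jar under Program Files.
SAMPLE_AUTORUNS = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive",
     '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "jUpdate",
     '"C:\\Program Files\\Java\\jre1.8.0_281\\bin\\javaw.exe" -jar '
     '"C:\\Users\\alice\\AppData\\Roaming\\Oracle\\jUpdate.jar"'),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "VendorTool",
     '"C:\\Program Files\\VendorTool\\jre\\bin\\javaw.exe" -jar "C:\\Program Files\\VendorTool\\tool.jar"'),
]

if __name__ == "__main__":
    for f in scan_autoruns(SAMPLE_AUTORUNS):
        flag = "SUSPICIOUS" if f["user_writable"] else "review"
        print(f"[{flag}] {f['name']}: {f['launcher']} -> {f['jar']}")
```

The check deliberately keys on where the .jar lives rather than on the launcher, because the launcher is the trusted, whitelisted part; a javaw.exe autorun whose .jar sits under Program Files still gets listed for review, but only the AppData\Roaming case is marked suspicious.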
 

shmu26

Jul 3, 2015
Those Adwinds are quite common, they appear on Hybrid quite often, some days more, some days less.
They will not drop lots of .vbs which might carry out actions described below, but javaw.exe will end up in AutoRuns linking to a dropped .jar (somewhere in AppData/Roaming as far as I remember).

Not sure if all .jar variants have the ability, but some of those we had in the Malware HUB in the past did not only set up multiple remote connections (via javaw.exe), but will also target quite a bunch of Anti-Malware / Anti-Virus software and try to disable it (Malwarebytes, Windows Defender, BullGuard - the last one was completely unusable when I ran a few tests against it with such malware in the pack). You will notice this by the registry hijack entries shown in HitmanPro / Norton Power Eraser.

It's interesting that some vendors manage to detect the dropped .vbs, as if they are recycled, but do nothing when you first launch the .jar.
From the vendors I tried, I know Q360 will manage to clean up the infection but not stop it in the first place; F-Secure will instantly block via DeepGuard (or BD signatures). Kaspersky will for sure block it instantly (ask @harlan4096).

Not sure about Tencent; they have BD signatures, so most of the time the .jar is detected by signatures, and it might clean up like Q360.
Norton does detect some of the malware, but will have the registry hijacked and the .jar active in memory, in AutoRun and calling out.
BullGuard: Cannot tell; when I tested it half a year ago or more, it was shut down by the RAT.
Judging from my experiences 3 months or more ago, QuickHeal will act like Norton.

Many firewalls have the javaw.exe process whitelisted, so they won't alert when it calls out (it might be used for legit services, too).

Watch that .jar, I bet it will stay low detected for days.



Agree, VM (+VPN!!!) is probably the best call, because of full isolation of personal data.
Easy to set up (you can find good guides via Google), easy to restore.

Would not keep a lot of personal data on the host either; you don't know if a malware manages its way there, either out of the VM or through the net.
Even more so if I use ShadowDefender (me likes it better than a VM, too).


It will probably sandbox it completely, and it might not be able to do any harm outside the sandbox.
Maybe @cruelsister can help?
Not sure what happens if you use it in stock settings (haven't used it for some time, so I cannot tell), whether it allows javaw.exe outside containment; AFAIK it has a big list of trusted vendors, and Oracle is for sure one of them.
Thanks
 

struppigel

Apr 9, 2020
This thread is quite long now, not sure if this has been mentioned.

I think the best defense is having a different operating system for the host than for the VM. The combination of multipartite malware and being able to escape a VM is so rare, I haven't seen it for commodity malware so far.
I would not use the machine for anything else than malware analysis.
 

HarborFront

Oct 9, 2016
This thread is quite long now, not sure if this has been mentioned.

I think the best defense is having a different operating system for the host than for the VM. The combination of multipartite malware and being able to escape a VM is so rare, I haven't seen it for commodity malware so far.
I would not use the machine for anything else than malware analysis.
One of the reasons for having a different guest OS from the main host OS when using a VM is to prevent your main host OS from being fingerprinted, besides its other intended uses.
 

SpiderWeb

Aug 21, 2020
So much great advice. My single advice is don't log in as an Admin. You have by default superpowers and malware will just piggyback on whatever you are doing and clicking and opening. When you are logged in as an admin Windows opens Explorer and all child processes elevated by default for no reason.
 

kC77

Aug 16, 2021
Malware that escapes the VM? Please tell me where, I want it! Please DM me an example.

Joking aside, malware doesn't just "escape VMs"; if you think this or have suffered this then stop.

It's like "how do viruses get on users' computers"... usually one answer: stupidity.

Don't share the same network, don't share the same credentials... that is probably the main way.
Also I'm sure some malware would potentially have default passwords for some routers... if you have a provided router with default creds... uh...

I can foresee that some people just run a VM on their flat (non-VLAN'd) network. WOW... my number 1 rule is don't do this.

1. Run your VM on a dedicated VLAN isolated from any other network device
2. Be sure you block access to the gateway (22/80/443 or whatever port your router's config URL is on) from the "malware testing VLAN"
3. Don't use enhanced mode or share mapped drives/devices

The disks your virtual machines run on are likely VHDX; be sure NOT to mount these inside your live machine.

Apart from that, if your network is isolated (properly), your credentials are not in any way shared, and gateway access is blocked, you should be good.
Please don't go pissing around with malware on the same flat network as all your other devices. VLAN VLAN VLAN
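The checklist in the post above (isolated network segment, no enhanced session mode, no shared drives or devices) is the kind of thing worth verifying from the VM's configuration file before a sample is ever launched, rather than from memory. The following is an added example and not code from the thread or from any hypervisor vendor: the post talks about Hyper-V and VHDX, but this audit reads VirtualBox's per-machine .vbox XML, because that is a plain file one can parse offline. The element and attribute names (Clipboard, DragAndDrop, SharedFolder, Adapter with a NAT / BridgedInterface / HostOnlyInterface / InternalNetwork child, DisabledModes) follow the .vbox layout as I remember it and are an assumption to verify against your own file; both machine documents embedded below are constructed samples.

```python
"""Audit a VirtualBox .vbox machine file for settings that weaken guest/host isolation.

Added example (not from the thread). The .vbox element names below follow VirtualBox's
machine XML as I remember it; treat the schema details as an assumption and check them
against a real .vbox file before relying on this.
"""
import xml.etree.ElementTree as ET

# Attachment modes that give the guest a route to the host's LAN or gateway.
NETWORK_REACHES_LAN = {"NAT", "NATNetwork", "BridgedInterface"}


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree keeps on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_vbox(xml_text):
    """Return a list of human-readable isolation findings for one .vbox document."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        name = local_name(el.tag)
        if name == "Clipboard" and el.get("mode", "Disabled") != "Disabled":
            findings.append(f"clipboard sharing is {el.get('mode')}; set it to Disabled")
        elif name == "DragAndDrop" and el.get("mode", "Disabled") != "Disabled":
            findings.append(f"drag and drop is {el.get('mode')}; set it to Disabled")
        elif name == "SharedFolder":
            findings.append(
                f"shared folder '{el.get('name')}' exposes host path {el.get('hostPath')} "
                f"(writable={el.get('writable')}); remove it"
            )
        elif name == "Adapter" and el.get("enabled") == "true":
            # The active attachment is the child that is not inside <DisabledModes>.
            modes = [local_name(c.tag) for c in el if local_name(c.tag) != "DisabledModes"]
            attachment = modes[0] if modes else "none"
            if attachment in NETWORK_REACHES_LAN:
                findings.append(
                    f"adapter slot {el.get('slot')} is attached via {attachment}; "
                    "use a host-only or internal network on an isolated VLAN instead"
                )
    return findings


# Constructed sample: a convenience-oriented VM with every isolation gap at once.
RISKY_VBOX = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.16-linux">
  <Machine uuid="{00000000-0000-0000-0000-000000000001}" name="analysis-risky" OSType="Windows10_64">
    <Hardware>
      <Clipboard mode="Bidirectional"/>
      <DragAndDrop mode="HostToGuest"/>
      <Network>
        <Adapter slot="0" enabled="true" MACAddress="080027000001" cable="true" type="82540EM">
          <DisabledModes>
            <InternalNetwork name="intnet"/>
          </DisabledModes>
          <NAT/>
        </Adapter>
      </Network>
    </Hardware>
    <SharedFolders>
      <SharedFolder name="samples" hostPath="/home/alice/malware" writable="true" autoMount="true"/>
    </SharedFolders>
  </Machine>
</VirtualBox>
"""

# Constructed sample: the same machine after applying the post's checklist.
HARDENED_VBOX = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.16-linux">
  <Machine uuid="{00000000-0000-0000-0000-000000000002}" name="analysis-hardened" OSType="Windows10_64">
    <Hardware>
      <Clipboard mode="Disabled"/>
      <DragAndDrop mode="Disabled"/>
      <Network>
        <Adapter slot="0" enabled="true" MACAddress="080027000002" cable="true" type="82540EM">
          <HostOnlyInterface name="vboxnet1"/>
        </Adapter>
      </Network>
    </Hardware>
    <SharedFolders/>
  </Machine>
</VirtualBox>
"""

if __name__ == "__main__":
    for label, doc in (("risky", RISKY_VBOX), ("hardened", HARDENED_VBOX)):
        findings = audit_vbox(doc)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

A host-only adapter passing this audit is only half of item 1 in the post: the host-side interface it lands on still has to sit on the dedicated VLAN, with the gateway ports from item 2 blocked at the firewall, which is outside what a VM file can tell you.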
 

upnorth

Jul 27, 2015
I agree that it is not common. But that it doesn't exist, is false. If you deal with malware on a daily basis, it definitely needs to be taken into account.

Also if it wasn't the case, the VM vendors themselves wouldn't patch against it. With most major AV vendors and their professional researchers this knowledge is old.

Even with a dedicated machine on its own segmented network, one should always watch and control the host for any possible infection signs. It's highly recommended to read up on this type of malicious behaviour and try to understand it better before one actually starts testing with real malware samples.
 

kC77

Aug 16, 2021
Also if it wasn't the case, the VM vendors themselves wouldn't patch against it. With most major AV vendors and their professional researchers this knowledge is old.

Even with a dedicated machine on its own segmented network, one should always watch and control the host for any possible infection signs. It's highly recommended to read up on this type of malicious behaviour and try to understand it better before one actually starts testing with real malware samples.
Wowza, never been a huge fan of VMware, it seems to always be at risk of one vulnerability or another every month or two.
clever malware tho!

Does VMware not support shielded VMs like Hyper-V?
 