Protecting Host Machine from Malware escaping a VM.


Vextor

WinAndLinuxTutorials said:
What makes a VM with a bridged connection infect the Host OS with malware?

You know a worm. Well, worms spread through internet connections, so if it was a physical connection, it could spread to your computer if it's a real connection, like it would spread through a network (e.g. a business). So if it's NAT, a virtual connection, then there is no risk of it spreading like this.
 
Reactions: Xtwillight

3link9

Level 5
Thread author
Verified
Oct 22, 2011
860
MRF71 said:
How good is virtual box compared to vmware?

I don't really like VirtualBox... I had some problems with it in the past, but if you don't want to pay for Workstation, it's good.

The problems I had with VirtualBox is that I kept getting errors while creating and starting the machine. I sent a ticket to Oracle and they said it's now fixed in the new version, so I got the new version and I got it working for about two days, but then it kept freezing on VirtualBox's loading screen (not the OS's startup, it was VB's). So I just decided to uninstall it and get Workstation. Haven't had a problem yet except for user error (never snapshot it before infecting it for a removal test). But security-wise, it's good... but not as good as Workstation IMHO.
 
Reactions: DDE_Server

Overkill

Level 31
Verified
Honorary Member
Feb 15, 2012
2,128
Thanks for the info... So let me see if I understand... NAT is a virtual connection and not a physical connection?
Mrizos uses a vlan I think to do his tests on youtube, but it seems very complicated to setup.
 

MDTechVideos

Moderator
Verified
Staff Member
Well-known
Aug 5, 2012
473
MrXidus said:
I've been testing malware/rootkits/worms/etc in VMWare for 5 years now.

Not one threat has escaped or harmed my real system.


Can I ask you a question, what connection are you using, bridged or NAT?
 

MrXidus

Super Moderator (Leave of absence)
Apr 17, 2011
2,503
Hotrod123 said:
MrXidus said:
I've been testing malware/rootkits/worms/etc in VMWare for 5 years now.

Not one threat has escaped or harmed my real system.

Can I ask you a question, what connection are you using, bridged or NAT?

MrXidus said:
[image: FZrMt.png]


NAT.
 
Reactions: Xtwillight

MDTechVideos

Moderator
Verified
Staff Member
Well-known
Aug 5, 2012
473
MrXidus said:
You'll notice I did say NAT under the picture. :)

Thanks, I did not notice the NAT written underneath the illustration. Just for curiosity's sake, how long have you been testing on the VM and have you ever had anything "escape" the virtual machine environment?
 

HeffeD

Level 1
Feb 28, 2011
1,690
Hotrod123 said:
...have you ever had anything "escape" the virtual machine environment?

Malware that could escape is quite rare. I'm not even sure it actually exists in the wild. I've read some proof-of-concepts, but I've never seen actual spreading malware that can do so.

More common is malware that is able to detect that it is running in a virtual environment, (be it a VM or a sandbox) and will stay inert. Then a user feels it's safe, so he runs it on his host, and then the malware acts.
 
Reactions: DDE_Server

MDTechVideos

Moderator
Verified
Staff Member
Well-known
Aug 5, 2012
473
HeffeD said:
Hotrod123 said:
...have you ever had anything "escape" the virtual machine environment?

Malware that could escape is quite rare. I'm not even sure it actually exists in the wild. I've read some proof-of-concepts, but I've never seen actual spreading malware that can do so.

More common is malware that is able to detect that it is running in a virtual environment, (be it a VM or a sandbox) and will stay inert. Then a user feels it's safe, so he runs it on his host, and then the malware acts.

Yes, I have heard of malware being able to know the difference between a host and virtual OS. Do you think worrying about it spreading over the network with NAT is just being paranoid? I know there is always a chance, but in all likelihood, with Comodo running on every other machine on my network, do you think I am good to run some suspicious programs in the virtual machine (VMware Workstation 8)? Also, I have VMware Tools set to automatically update whenever a new update is available.
 
Reactions: Xtwillight

HeffeD

Level 1
Feb 28, 2011
1,690
Hotrod123 said:
Yes, I have heard of malware being able to know the difference between a host and virtual OS. Do you think worrying about it spreading over the network with NAT is just being paranoid?

If you're not doing any file sharing, the odds are slim. However, you can never be too paranoid when it comes to malware. New techniques are being introduced every day.

Hotrod123 said:
I know there is always a chance, but in all likelihood, with Comodo running on every other machine on my network, do you think I am good to run some suspicious programs in the virtual machine (VMware Workstation 8)?

Well, you'll be as protected as you are with your host machine connected to the internet, but I'll never be the person to tell you that you are OK to play with malware. In my opinion, if you ever have to ask for tips on how to safely play with malware, you shouldn't be doing it... :angel:
 

MDTechVideos

Moderator
Verified
Staff Member
Well-known
Aug 5, 2012
473
HeffeD said:
Hotrod123 said:
Yes, I have heard of malware being able to know the difference between a host and virtual OS. Do you think worrying about it spreading over the network with NAT is just being paranoid?

If you're not doing any file sharing, the odds are slim. However, you can never be too paranoid when it comes to malware. New techniques are being introduced every day.

Hotrod123 said:
I know there is always a chance, but in all likelihood, with Comodo running on every other machine on my network, do you think I am good to run some suspicious programs in the virtual machine (VMware Workstation 8)?

Well, you'll be as protected as you are with your host machine connected to the internet, but I'll never be the person to tell you that you are OK to play with malware. In my opinion, if you ever have to ask for tips on how to safely play with malware, you shouldn't be doing it... :angel:

Can I ask you a question? You are using the same username on the Comodo forums, right? Because I believe I was having a discussion with you under a different username.
 
Reactions: DDE_Server

HeffeD

Level 1
Feb 28, 2011
1,690
Hotrod123 said:
Can I ask you a question? You are using the same username on the Comodo forums, right? Because I believe I was having a discussion with you under a different username.

Yes, that would be me. Hello Weatherman97. :)
 

MDTechVideos

Moderator
Verified
Staff Member
Well-known
Aug 5, 2012
473
HeffeD said:
Hotrod123 said:
Can I ask you a question? You are using the same username on the Comodo forums, right? Because I believe I was having a discussion with you under a different username.

Yes, that would be me. Hello Weatherman97. :)

Why did you give away my true identity? :p Nah I just wanted to mix it up a little bit. But going back to the million dollar question, is my network secured 99.99%? That is the most important thing I am trying to protect because I could easily fix an issue on my host machine, but it would be a pain in the neck to repair all the machines on my network. Also, I looked at the website you posted on the Comodo thread. Already tried it before, but I followed the instructions again with the same result: loss of Internet connection.
 
Reactions: Xtwillight

HeffeD

Level 1
Feb 28, 2011
1,690
I already figured it was you because the line of questioning was so very similar. :)

Hotrod123 said:
But going back to the million dollar question, is my network secured 99.99%?

No. But if you do this, you'll be much closer. (But still impossible to put a percentage value on your security)

I'm not as crotchety as some of the users you encountered when asking this on the VMWare forum, but I agree with them somewhat, and I'm definitely not going to tell you you'll be fine testing malware. Whether you choose to believe them, or me for that matter, (on here or the same thing I've told you at Comodo) is your prerogative.

Testing malware is always going to carry risk. You can mitigate risk somewhat, but it's never completely safe. (and impossible to put a percentage on how safe you are) If you choose to play with it, the onus is completely on you. The last thing I want is to tell you you'll be fine, then have you come back blaming me that you've infected your network.

So as I've already stated, (as have others on different forums) I don't recommend playing with malware at all. Especially on a network with other machines connected.
 
Reactions: DDE_Server

MDTechVideos

Moderator
Verified
Staff Member
Well-known
Aug 5, 2012
473
HeffeD said:
I already figured it was you because the line of questioning was so very similar. :)

Wow, you are on a lot of forums. :)


HeffeD said:
No. But if you do this, you'll be much closer. (But still impossible to put a percentage value on your security)


Is there any way you can help explain the internet loss I mentioned in the last couple of sentences on the previous post?
 
Reactions: DDE_Server

HeffeD

Level 1
Feb 28, 2011
1,690
Hotrod123 said:
Wow, you are on a lot of forums. :)

I get around. ;)

Hotrod123 said:
Is there any way you can help explain the internet loss I mentioned in the last couple of sentences on the previous post?

I thought I'd already answered that in the other thread. Any time you add usability, you reduce security. You aren't isolated if you've allowed internet access through the host machine.

Many YouTube malware testers use the internet to download malware from malware lists to test, but security experts will never test malware if there is an internet connection.

It's a bit of a catch-22. You need to get the malware from the internet, but you don't want your VM to access the internet. So the only way to get the malware to the VM is through file sharing with your host machine, but you don't want your VM to have any contact with your host machine, nor do you want to expose your host machine to the malware you want to test.

Do you see where I'm going with this?

To be blunt, testing malware is never a safe thing to do. You'll be opening security holes to test in a reasonable manner. (the manner you see on YouTube tests) If you have to ask how to do this safely, you shouldn't be doing it.
 
Reactions: DDE_Server
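The two recurring points in this thread (Vextor's bridged-versus-NAT explanation earlier and HeffeD's warning above that file sharing and any internet path through the host undo the isolation) can be checked mechanically against a VMware guest's configuration. The following is an added example written for this page, not code from the thread or from VMware: it parses a `.vmx` file and flags the settings that weaken isolation. The `ethernetN.connectionType` and `isolation.tools.*` keys are real VMware `.vmx` keys; treating a missing `connectionType` as bridged and a missing `isolation.tools.*.disable` key as "feature enabled" is an assumption about defaults made here. The sample `.vmx` text is constructed for the example.

```python
"""Audit a VMware .vmx file for settings that weaken guest isolation.

Added example, not from the thread or from VMware. Flags what the thread
discusses: a bridged NIC (guest is a peer on the physical LAN), any NIC at
all when the goal is offline analysis, and the host/guest sharing channels
(shared folders, copy/paste, drag-and-drop) that VMware Tools exposes.
"""
import re
from typing import Dict, List

# Real .vmx keys. Assumption for this audit: when a key is absent, the
# feature is treated as enabled, so the audit errs on the side of reporting.
SHARING_KEYS = {
    "isolation.tools.hgfs.disable": "shared folders (HGFS)",
    "isolation.tools.copy.disable": "host-to-guest copy",
    "isolation.tools.paste.disable": "guest-to-host paste",
    "isolation.tools.dnd.disable": "drag-and-drop",
}


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse `key = "value"` lines into a dict (keys lowercased, quotes stripped)."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r'\s*([\w.:-]+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            cfg[m.group(1).lower()] = m.group(2).strip()
    return cfg


def audit_vmx(text: str, allow_network: bool = False) -> List[str]:
    """Return one finding per isolation-weakening setting; empty list means clean.

    allow_network=False models the thread's advice that an analysis guest
    should have no network at all; True only objects to bridged adapters.
    """
    cfg = parse_vmx(text)
    findings: List[str] = []
    nic_re = re.compile(r"^ethernet(\d+)\.present$")
    for key, val in cfg.items():
        m = nic_re.match(key)
        if not m or val.upper() != "TRUE":
            continue
        n = m.group(1)
        # Assumption: VMware treats a missing connectionType as bridged.
        ctype = cfg.get(f"ethernet{n}.connectiontype", "bridged").lower()
        if ctype == "bridged":
            findings.append(f"ethernet{n}: bridged - guest is a peer on the physical LAN")
        elif not allow_network:
            findings.append(f"ethernet{n}: {ctype} - guest still has a path to the internet via the host")
    for key, desc in SHARING_KEYS.items():
        if cfg.get(key, "FALSE").upper() != "TRUE":
            findings.append(f"{key} is not TRUE - {desc} enabled")
    if cfg.get("sharedfolder.maxnum", "0") != "0":
        findings.append("sharedFolder.maxNum > 0 - shared folders are configured")
    return findings


# Constructed sample: a typical "convenient" analysis VM (bridged NIC plus a
# NAT NIC, one shared folder, drag-and-drop and HGFS left enabled).
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet1.present = "TRUE"
ethernet1.connectionType = "nat"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
sharedFolder.maxNum = "1"
"""

# Constructed sample: no NIC, every Tools sharing channel disabled.
HARDENED_VMX = """\
ethernet0.present = "FALSE"
isolation.tools.hgfs.disable = "TRUE"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
sharedFolder.maxNum = "0"
"""

if __name__ == "__main__":
    for name, vmx in (("sample", SAMPLE_VMX), ("hardened", HARDENED_VMX)):
        print(f"== {name} ==")
        for f in audit_vmx(vmx) or ["no findings"]:
            print("  " + f)
```

Run against a real guest with `audit_vmx(open("guest.vmx").read())`. The audit only reads the configuration; it says nothing about what the guest does at runtime, which is HeffeD's point about VM-aware malware staying inert.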

MDTechVideos

Moderator
Verified
Staff Member
Well-known
Aug 5, 2012
473
Hotrod123 said:
Do you see where I'm going with this?


I do, but I wish it didn't have to be this way. :( You have seen me constantly browse various forums for the best configuration, and after many opinions and ideas I feel like I have found the perfect blend between testing and security (sorry for all the I's). Anyway, thanks for all your help, and if I need any more answers you will be sure to be hearing from me again. :cool:
 
Reactions: DDE_Server
