Newest malware now able to target virtual machines?

x16wda:
I wonder if you couldn't overcome that, to some extent, with a liveCD with TrueCrypt on it?  (Assuming, of course that you'd used TrueCrypt to encrypt the disk.)-barney (August 24, 2012, 06:23 PM)
--- End quote ---

Depending on where the failure is, the device should be mountable on another machine with TrueCrypt running.  I've done that while testing, but unfortunately the disk didn't croak on me :-)

The usable lifespan of a broken disk is short enough; adding in the complexity and disk access to get the drive mounted might make it tougher to get anything off.

I could never convince my old company to use full disk encryption... even though I figured out how to work around users forgetting their boot password, the consensus was apparently the execs just didn't want to be bothered with another password...

barney:
I wonder if you couldn't overcome that, to some extent, with a liveCD with TrueCrypt on it?  (Assuming, of course that you'd used TrueCrypt to encrypt the disk.)-barney (August 24, 2012, 06:23 PM)
--- End quote ---

Depending on where the failure is, the device should be mountable on another machine with TrueCrypt running.  I've done that while testing, but unfortunately the disk didn't croak on me :-)

The usable lifespan of a broken disk is short enough; adding in the complexity and disk access to get the drive mounted might make it tougher to get anything off.

I could never convince my old company to use full disk encryption... even though I figured out how to work around users forgetting their boot password, the consensus was apparently the execs just didn't want to be bothered with another password...
-x16wda (August 24, 2012, 07:34 PM)
--- End quote ---

Hee hee hee.  Yeah, execs don't like interference ... turn it on, and it should work ... biggest problem I had when I was in the corporate world  :'( :P :P.

About three (3) or four (4) decades ago, I had a desktop unit where the HDD gave out.  It ran, but when the heads parked, they wouldn't unpark.  So I removed four (4) screws and a cover, moved the heads with thumb & forefinger, put the cover and the screws back in place, and it ran like a charm.  Did that for something like six (6) or eight (8) months before the drive totally died (probably because of contamination  ;)).  And I have two (2) drives right now that quit working, but I can still access 'em with an external connection.  I've already pulled all the data off, I'm just hangin' on to 'em to see how much longer they'll last - goin' on two (2) years so far  :o :D.

Renegade:
Wow. That was to me? Okey-doke.
-daddydave (August 24, 2012, 12:47 PM)
--- End quote ---

Ooops. Sorry. Had probably a few more than I should for posting. I meant that for the malware authors. (Need to have a breathalyzer on the post button.)

You have to be pretty darn smart to do that kind of thing, so why can't they do something productive instead of running around being destructive? Sigh... It's non-stop. All the time. :(

f0dder:
This reminds me of why I am wary of dual boot set-ups. Someone could write a Windows virus to attack your Linux system files, or a Linux virus to attack your Windows system files. In either case any normal antivirus software would not be running.

Not sure if that exists in real life, either.-daddydave (August 24, 2012, 02:01 PM)
--- End quote ---
It has been done, but pretty much just a proof of concept thing. Doesn't really make sense for a normal piece of malware, since the gains are extremely small and the code complexity quite a bit higher.

The usable lifespan of a broken disk is short enough; adding in the complexity and disk access to get the drive mounted might make it tougher to get anything off.-x16wda (August 24, 2012, 07:34 PM)
--- End quote ---
Do what you always ought to do with a failing disk: make an image and salvage from that. It's less stressful to do a linear read from the beginning to the end rather than copying individual files that are likely to be scattered all over the disk...

Anyway, this vm-infecting thing is hardly a big deal. It's not a break-out of the vm. I find it kinda silly that this feature is included in a generic piece of malware, given that the gains for zombie-gathering purposes are pretty small.

For hitting specific targets it could be useful (infecting VMs that get mass distributed to the cloud, or images that are used for corporate roll-out), but in a generic piece of malware? Ho humm.

PS: vm-breakouts have been done, but tend not to make it into normal malware - again, the gains aren't big enough, and it makes the vendors aware of the exploit... makes much more sense to keep such an exploit private, and use it for high-profile targets :)
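
The image-first salvage approach recommended in the post above, as an added example that is not part of the original thread: one linear pass over the device, zero-filling unreadable blocks so offsets in the image stay aligned and recording them for a later retry. `FlakyDisk`, `image_device` and the 4096-byte block size are hypothetical names and values, and the failing drive is simulated with constructed data; a dedicated tool such as GNU ddrescue does the same job with retries and a map file.

```python
import io

BLOCK = 4096  # read granularity (assumed; real tools tune this)

class FlakyDisk(io.BytesIO):
    """Constructed stand-in for a failing drive: reads touching a bad range fail."""
    def __init__(self, data, bad_ranges):
        super().__init__(data)
        self.bad_ranges = bad_ranges

    def read(self, n=-1):
        pos = self.tell()
        for start, end in self.bad_ranges:
            if pos < end and pos + n > start:
                raise OSError(5, "Input/output error")
        return super().read(n)

def image_device(src, dst, size, block=BLOCK):
    """Copy `size` bytes from src to dst front to back in a single pass.

    Unreadable blocks are zero-filled in the image and returned as
    (offset, length) pairs. src needs seek()/read(); dst needs write().
    """
    bad = []
    offset = 0
    while offset < size:
        want = min(block, size - offset)
        try:
            src.seek(offset)
            data = src.read(want)
        except OSError:
            data = b""
        if len(data) < want:
            # Keep whatever was read, pad the rest, remember the gap.
            bad.append((offset + len(data), want - len(data)))
            data += b"\x00" * (want - len(data))
        dst.write(data)
        offset += want
    return bad

def demo():
    original = bytes(range(256)) * 64            # 16 KiB of constructed data
    disk = FlakyDisk(original, [(8192, 8704)])   # one unreadable 512-byte run
    image = io.BytesIO()
    bad = image_device(disk, image, len(original))
    return original, image.getvalue(), bad

if __name__ == "__main__":
    print(demo()[2])
```

File-level recovery then runs against the image, so the failing drive is read only once.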

Jibz:
Anyway, this vm-infecting thing is hardly a big deal. It's not a break-out of the vm. I find it kinda silly that this feature is included in a generic piece of malware, given that the gains for zombie-gathering purposes are pretty small.
-f0dder (August 27, 2012, 04:51 AM)
--- End quote ---

Actually my initial thought was that it was kind of clever. I agree that the target audience is rather small, but I would guess the code required to write something into a VM disk image in a file is not terribly complicated, and an action that is likely to not trigger too many alerts. And I don't know how many people use anti-virus and anti-malware inside their virtual machines, but if not, this could perhaps circumvent some of the security measures on your actual machine?

I mean of course it wouldn't have access to the outside machine, but it could communicate with the outside and possibly spread from the VM.
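
One way to notice the kind of quiet write into a VM disk image file discussed above, as an added example that is not part of the original thread: record a SHA-256 baseline of images at rest (powered-off VMs, roll-out templates) and re-verify before they are started or distributed. The function names and the extension list are assumptions, and the check only makes sense for images that are not supposed to change; a running VM rewrites its disk constantly.

```python
import hashlib
import os

# Common VM disk image extensions (assumed list; extend for your hypervisor).
IMAGE_EXTS = (".vmdk", ".vdi", ".vhd", ".vhdx", ".qcow2")

def sha256_file(path, chunk=1 << 20):
    """Hash a possibly very large image in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> {size, sha256} for every disk image under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(IMAGE_EXTS):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                out[rel] = {"size": os.path.getsize(full),
                            "sha256": sha256_file(full)}
    return out

def verify(root, baseline):
    """Return {path: status} for every image that differs from the baseline."""
    current = snapshot(root)
    findings = {}
    for rel, meta in baseline.items():
        if rel not in current:
            findings[rel] = "missing"
        elif current[rel]["sha256"] != meta["sha256"]:
            # Content hash catches same-size, in-place edits that a
            # size or timestamp comparison would miss.
            findings[rel] = "modified"
    for rel in current.keys() - baseline.keys():
        findings[rel] = "unexpected"
    return findings
```

Store the baseline somewhere the monitored host cannot write to, otherwise whatever altered the image can update the manifest as well.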
