topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday March 28, 2024, 6:25 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: When testing untrustworthy software, remember virtual machines can be escaped  (Read 12892 times)

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
For those of us who occasionally test "untrustworthy" software from sources we can't be sure of, using a virtual machine is generally considered "safe".  Whatever happens in a virtual machine stays in a virtual machine -- or so we hope.

This is just a reminder that malware authors are actively trying to find ways to break out of virtual machines and infect the host pc, and to be careful.

Contestants at this year's Pwn2Own hacking competition in Vancouver just pulled off an unusually impressive feat: they compromised Microsoft's heavily fortified Edge browser in a way that escapes a VMware Workstation virtual machine it runs in. The hack fetched a prize of $105,000, the highest awarded so far over the past three days.


cranioscopical

  • Friend of the Site
  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 4,776
    • View Profile
    • Donate to Member
So one should be cagey?

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,747
    • View Profile
    • Read more about this member.
    • Donate to Member
That's why I always test untrustworthy software on Amazon instances. Let them deal with the malware. :D :P

(I don't actually do that.)

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
(I don't actually do that.)

(That you'll admit :))

panzer

  • Participant
  • Joined in 2008
  • *
  • default avatar
  • Posts: 941
    • View Profile
    • Donate to Member
I used to test software on CIA's computers but one day they said that I have managed to infect their entire grid with malware they created and that I have to test software at NSA from now on.

Shades

  • Member
  • Joined in 2006
  • **
  • Posts: 2,922
    • View Profile
    • Donate to Member
So one should be cagey?

-cranioscopical (March 20, 2017, 11:46 AM)

The "vault" at fault, you could say...  :P

MilesAhead

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 7,736
    • View Profile
    • Donate to Member
Amazon instances
-cranioscopical (March 20, 2017, 11:46 AM)

It may be best to use digital paper.  Burn it when done.  :)

cranioscopical

  • Friend of the Site
  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 4,776
    • View Profile
    • Donate to Member
So one should be cagey?

-cranioscopical (March 20, 2017, 11:46 AM)

The "vault" at fault, you could say...  :P

You know that this will end in gridlock.

MilesAhead

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 7,736
    • View Profile
    • Donate to Member
So one should be cagey?

-cranioscopical (March 20, 2017, 11:46 AM)

The "vault" at fault, you could say...  :P

No doubt a combination of factors caused it to take a tumble.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
While VMs can be escaped, you should keep in mind that a VM escape is an extremely valuable 0day.

So, if you get a piece of "interesting software" containing a VM escape, there's basically two scenarios:

1) you're targeted by a nation-state, YOU'RE GONNA DIE AND THERE'S NOTHING THAT YOU CAN DO ABOUT IT.
2) you're dealing with a potentially nasty piece of malware, but it's using publically-known escape techniques.

Keep your VM software up-to-date! And don't even think about using sandboxing/containerizing software for testing BadStuff.

PS: while you're not super likely to find VM-escape in the wild, it's a lot more common for malware to have VM detection - meaning it won't activate when running in a VM, so it lulls you into a false feeling of safety.
- carpe noctem

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
F0dder -- thank you for your wisdom -- very helpful.


PS: while you're not super likely to find VM-escape in the wild, it's a lot more common for malware to have VM detection - meaning it won't activate when running in a VM, so it lulls you into a false feeling of safety.

Excellent point I hadn't even considered.