
VirtualBox VS Malware Question


6 replies to this topic

#1 Spartacus1

Spartacus1

  • Members
  • 86 posts
  • Gender: Male

Posted 05 October 2011 - 08:06 PM

Hello to all!
I am wanting to test out some malware on my VirtualBox VM. I am currently running Ubuntu 11.04 as my host and am going to use Windows XP as my guest. Meanwhile, I have a true installation of Windows XP on another HDD in this machine.
Is it possible that some malicious code could infect my true winxp installation?
Thanks!
May thou virus bow at thy mercy when you come to me...


#2 the_patriot11

the_patriot11

    High Tech Redneck


  • BC Advisor
  • 6,763 posts
  • Gender: Male
  • Location: Wyoming USA

Posted 05 October 2011 - 08:44 PM

Extremely doubtful. The malware would first have to get through the virtual box (which I've never seen happen, but I suppose in THEORY it's possible), then it would have to infect your Linux (a Windows virus that will affect Linux: not happening), then it would have to somehow find its way to your other hard drive. Personally, I would have to say the chances are a million to one that could happen, and I doubt it would be malware; you would almost have to be hacked by a CIA-level hacker for that to happen. I could be wrong, but it's doubtful.


Primary system: Motherboard: ASUS M4A89GTD PRO/USB3, Processor: AMD Phenom II x4 945, Memory: 16 gigs of Patriot G2 DDR3 1600, Video: AMD Sapphire Nitro R9 380, Storage: 1 WD 500 gig HD, 1 Hitachi 500 gig HD, and Power supply: Coolermaster 750 watt, OS: Windows 10 64 bit. 

Media Center: Motherboard: Gigabyte mp61p-S3, Processor: AMD Athlon 64 x2 6000+, Memory: 6 gigs Patriot DDR2 800, Video: Gigabyte GeForce GT730, Storage: 500 gig Hitachi, PSU: Seasonic M1211 620W full modular, OS: Windows 10.

If I don't reply within 24 hours of your reply, feel free to send me a pm.


#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,257 posts
  • Gender: Female
  • Location: Romania

Posted 06 October 2011 - 02:10 AM

Malware will not "just" jump; however, it is all too easy to infect a flash drive on your infected VM and infect your other XP installation with it. Another risk is infecting your router.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#4 Spartacus1

Spartacus1
  • Topic Starter

  • Members
  • 86 posts
  • Gender: Male

Posted 28 October 2011 - 03:59 PM

How likely is it that my router could get infected?
May thou virus bow at thy mercy when you come to me...

#5 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,707 posts
  • Gender: Male

Posted 28 October 2011 - 05:49 PM

You run virtually no risk of infecting your Linux box, but you run many other risks.
But before I go into them, I need some info.

What do you actually want to achieve? For example, do you want to practice cleaning an infected machine? Or do you want to test a security setup? Or something else?

And where did you get the malware you want to test?

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#6 Spartacus1

Spartacus1
  • Topic Starter

  • Members
  • 86 posts
  • Gender: Male

Posted 30 October 2011 - 04:55 PM

You run virtually no risk of infecting your Linux box, but you run many other risks.
But before I go into them, I need some info.

What do you actually want to achieve? For example, do you want to practice cleaning an infected machine? Or do you want to test a security setup? Or something else?

And where did you get the malware you want to test?


I am mostly wanting to practice cleaning out malware, and testing AVs.
I am using the Malware Domain List as my reference.
May thou virus bow at thy mercy when you come to me...

#7 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,707 posts
  • Gender: Male

Posted 31 October 2011 - 06:45 AM

I am mostly wanting to practice cleaning out malware, and testing AVs.


Then it's important that you know that not all malware will work in a VM. There is quite some malware in the wild that tries to detect if it is running in a VM or not, and if it is, it changes its behavior. Most of the time this behavior change is just to stop running: it will not infect the OS running inside a VM.
We assume that malware authors do this to make analysis more difficult: many malware researchers use VMs to analyze software.
The most popular VM detected by malware is VMware.

So don't be surprised if some of the malware you are testing doesn't work in your VirtualBox VM, i.e. it doesn't infect your VM.

Even if I believe that the malware you will be testing will not have features to break out of the VM, you still have to be careful.

If you give the VM access to your local network, you have to be careful that malware will not try to infect your other machines on the network, for example via file shares. I'm not so worried about malware infecting your router, that is, planting malware on your router, because again, there is not much malware out in the wild that does this. What is more frequent, however, is malware that changes the configuration of your router to open some ports. So watch out for that, for example by making sure that your router admin interface is protected with a non-default password, and by disabling UPnP.

If you give the VM access to the Internet, you run some extra risks. For example, the malware you are using could make your VM a member of a botnet, and then your VM could be used to perform illegal acts on the Internet: botnet members are often used to send SPAM or to DDoS web sites. Worst case scenario: you could be held liable for the attack of other machines on the Internet.

I don't recommend that you give your VM access to the Internet. But this implies that some malware will not work, because it requires Internet access.

Edited by Didier Stevens, 31 October 2011 - 07:18 AM.

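Didier's advice in the post above (no LAN or Internet path out of the guest, nothing crossing the host/guest boundary, a clean state to roll back to) can be applied from the Ubuntu host with VirtualBox's command-line tool. The script below is an added example, not code from this thread or from the VirtualBox project; it assumes the VBoxManage CLI with 6.x-era flag names, a placeholder VM name, and the `showvminfo --machinereadable` key names shown in the constructed sample dumps.

```shell
#!/bin/sh
# Added example, not from the thread: lock a VirtualBox guest down before
# running samples in it, and verify the result from the host side.
# Assumes VirtualBox's VBoxManage CLI; "xp-malware-lab" is a placeholder name.
VM="${VM:-xp-malware-lab}"

isolate_vm() {
    # Internal network only: no NAT, no bridged adapter, so the guest cannot
    # reach LAN file shares, the router's admin page, or the Internet.
    VBoxManage modifyvm "$VM" --nic1 intnet --intnet1 "malware-lab"
    # Close the host<->guest side channels that let files cross the boundary.
    VBoxManage modifyvm "$VM" --clipboard disabled --draganddrop disabled
    # Remove every shared folder that points into the host filesystem.
    VBoxManage showvminfo "$VM" --machinereadable \
        | sed -n 's/^SharedFolderNameMachineMapping[0-9]*="\(.*\)"$/\1/p' \
        | while IFS= read -r name; do
              VBoxManage sharedfolder remove "$VM" --name "$name"
          done
    # Snapshot the clean guest so every test can be rolled back to baseline.
    VBoxManage snapshot "$VM" take "clean-baseline"
}

# check_isolation: reads a 'showvminfo --machinereadable' dump on stdin and
# returns 0 only if no NIC is NAT/bridged, clipboard and drag-and-drop are
# off, and no shared folders are mapped. Key names are assumptions about the
# dump format (nicN=, clipboard=, draganddrop=, SharedFolderNameMachineMappingN=).
check_isolation() {
    info=$(cat)
    printf '%s\n' "$info" | grep -Eq '^nic[0-9]+="(nat|natnetwork|bridged)"' && return 1
    printf '%s\n' "$info" | grep -q '^clipboard="disabled"' || return 1
    printf '%s\n' "$info" | grep -q '^draganddrop="disabled"' || return 1
    printf '%s\n' "$info" | grep -q '^SharedFolderNameMachineMapping' && return 1
    return 0
}

# Constructed sample dumps (not real VBoxManage output) for offline checking.
SAMPLE_ISOLATED='nic1="intnet"
intnet1="malware-lab"
nic2="none"
clipboard="disabled"
draganddrop="disabled"'
SAMPLE_LEAKY='nic1="nat"
clipboard="bidirectional"
draganddrop="disabled"
SharedFolderNameMachineMapping1="downloads"
SharedFolderPathMachineMapping1="/home/user/Downloads"'

# Usage: isolate_vm; VBoxManage showvminfo "$VM" --machinereadable | check_isolation
```

Run the check again after each sample and before the VM is ever powered on with a cable connected, since a later `modifyvm` or GUI change silently undoes the isolation.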




