
Malware can break out of virtual machines


4 replies to this topic

#1 NSAER


Posted 12 March 2018 - 04:11 AM

This is the third time that I have undeniably been infected by malware via clicking a malicious link in VMware.

What transpired is I clicked a malicious link within a Windows OS VMware machine. I did not transfer any files from the virtual machine to my real operating system, nor vice versa. Then I closed the virtual machine down half an hour later or so.

I noticed that my Comodo Internet Security on my non-virtual operating system had all its protections disabled. I thought "huh, that's weird" and I re-enabled the protections with no issue.

I then shut down my PC and went to sleep. Next day when I turned on my PC and got into my desktop I noticed that Comodo Internet Security was missing from the tray icons (it automatically starts), so I tried starting it via its desktop icon but it was totally unable to start and gave me an error report. I also tried reinstalling it but I could not successfully do so until I managed after many failed attempts, and I still could not start it after having reinstalled it.

I noticed that my PC was very slow and hitchy, like something was causing my CPU to stall randomly.

The next thing I noticed is that I was totally unable to update all of my security programs, so they could not access the Internet, except my trusty HitmanPro which appeared to still be able to send files to their cloud for analysis.

I did a scan with aswMBR, AdwCleaner, Malwarebytes Anti-Rootkit (MBAR), HitmanPro, and Malwarebytes Internet Security (or whatever it's called) and none of them found anything.

I then rebooted into safe mode with networking, where I was able to update the aforementioned programs and do a scan with all of them, but they still found nothing.

Even in safe mode with networking I was experiencing bizarre hitching and slowness which seemed to occur more often when I ran the security software.

Having a brain, I obviously wiped my hard drive and did a full reinstall.

Well, this didn't fix the weird slowness and network issues. Eventually I lost the ability to access the Internet at all, even after reinstalling the ethernet driver. This was also in spite of Comodo Internet Security being able to actually run after me reinstalling Windows. I also did a scan with all the software after the reinstall but again they found nothing.

So this is my third time reinstalling Windows for this particular malware incident (notice I said it's happened 3 times).

This time I removed my old hard drive and put in an even older one to do a clean install on. My thinking was that the malware was hiding on the other hard drive and somehow copying itself into the new installation of Windows, which is not uncommon for any malware.

I suspect this malware may be created by some governmental agency that cooperates with various tech companies to have backdoors added to their software and possibly hardware, too. You probably all know what I am referring to.

I cannot see any reason otherwise why, for the third time over the span of many months, all anti-malware scanners I've tried have failed to detect anything at all.




#2 MarkMackerel


Posted 12 March 2018 - 02:56 PM

Do you know what link it was?

I have no doubt that the governments are doing cyber surveillance, by the way.



#3 NSAER


Posted 12 March 2018 - 05:40 PM

Sadly no. But all of the 3 times have been different links I clicked.



#4 Bry89


Posted 20 October 2018 - 09:49 AM

Usually, this happens if "Shared Folders" is enabled on the VM and the malware itself is able to gain entry to the host system through it, which is commonly known as a "hypervisor exploit". If you're going to be using a VM to test out malware or click on links that may be suspicious, then I would advise you to turn Shared Folders off, or whatever else it's called under VMware (as I've only used Virtual PC and VirtualBox). From this mishap that happened, though, I hope you're able to get this solved and learn from your mistakes. You need to be extra careful if you're going around doing all these things on a VM, and I am serious about it.


>>mindsConnected<<

A smaller, close-knit tech-oriented community. Everybody welcome.
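The advice in the reply above (turn Shared Folders off before doing anything risky in a VM) is a configuration check that can be automated. The Python script below is an added example for this thread, not code from BleepingComputer, from the poster, or from VMware. It parses the `key = "value"` lines of a VMware `.vmx` file, lists any `sharedFolderN.*` entries that expose a host directory to the guest, and reports whether the `isolation.tools.*` keys that VMware's hardening guides use to disable Shared Folders (HGFS), clipboard copy/paste and drag-and-drop are set. The two `.vmx` snippets embedded in the script are constructed for the demo; the key names come from VMware's hardening guidance rather than from this thread, and the script treats keys case-insensitively, which is an assumption made for convenience here.

```python
"""Audit a VMware .vmx file for guest-to-host sharing channels.

Added example for this forum thread, not BleepingComputer's or VMware's code.
Key names are the ones VMware's hardening guides document; the sample .vmx
text at the bottom is constructed for the demonstration.
"""
import re
import sys

# isolation.tools.* keys that cut guest-to-host channels, and the value
# that means the channel is disabled ("hardened").
HARDENED = {
    "isolation.tools.hgfs.disable": "TRUE",   # Shared Folders (HGFS)
    "isolation.tools.copy.disable": "TRUE",   # guest -> host clipboard
    "isolation.tools.paste.disable": "TRUE",  # host -> guest clipboard
    "isolation.tools.dnd.disable": "TRUE",    # drag and drop between VM and host
}

# A .vmx line is   key = "value"   ; keys may contain dots and underscores.
LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return the key/value pairs of a .vmx file (keys lower-cased, an assumption)."""
    config = {}
    for line in text.splitlines():
        if line.strip().startswith("#"):  # full-line comments only
            continue
        m = LINE_RE.match(line)
        if m:
            config[m.group(1).lower()] = m.group(2)
    return config


def shared_folders(config):
    """List (guestName, hostPath) for every sharedFolderN entry marked present."""
    shares = []
    n = 0
    while f"sharedfolder{n}.present" in config:
        if config[f"sharedfolder{n}.present"].upper() == "TRUE":
            shares.append((config.get(f"sharedfolder{n}.guestname", "?"),
                           config.get(f"sharedfolder{n}.hostpath", "?")))
        n += 1
    return shares


def audit(text):
    """Return findings: each isolation key -> True if hardened, plus the share list."""
    config = parse_vmx(text)
    findings = {key: config.get(key, "").upper() == want
                for key, want in HARDENED.items()}
    findings["shared_folders"] = shared_folders(config)
    return findings


def report(text):
    """Human-readable lines for the findings of audit()."""
    findings = audit(text)
    lines = []
    for key in HARDENED:
        lines.append(f"{'OK  ' if findings[key] else 'WEAK'} {key}")
    for guest, host in findings["shared_folders"]:
        lines.append(f"WEAK shared folder '{guest}' exposes host path {host}")
    if not findings["shared_folders"]:
        lines.append("OK   no Shared Folders configured")
    return lines


# Constructed sample: one Shared Folder, no isolation keys. This is the setup
# the replies in the thread advise against.
SAMPLE_UNHARDENED = '''
.encoding = "UTF-8"
displayName = "win10-test"
sharedFolder.maxNum = "1"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.readAccess = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "C:\\Users\\analyst\\Downloads"
sharedFolder0.guestName = "Downloads"
'''

# Constructed sample: the same VM with sharing channels disabled.
SAMPLE_HARDENED = '''
displayName = "win10-test"
# Shared Folders, clipboard and drag-and-drop all turned off
isolation.tools.hgfs.disable = "TRUE"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
sharedFolder.maxNum = "0"
'''

if __name__ == "__main__":
    # Usage: python vmx_audit.py path/to/vm.vmx   (or no argument for the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print("\n".join(report(fh.read())))
    else:
        for name, sample in (("unhardened", SAMPLE_UNHARDENED), ("hardened", SAMPLE_HARDENED)):
            print(f"--- {name} ---")
            print("\n".join(report(sample)))
```

Run it against a VM's `.vmx` while the VM is powered off, since VMware rewrites the file on shutdown; any `WEAK` line is a channel through which files or clipboard contents can move between guest and host, which is the exposure the replies above are warning about. Note that this only inspects the VM's configuration file: it says nothing about whether a guest has already abused such a channel, so it complements rather than replaces a host-side scan.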


#5 sflatechguy


Posted 21 October 2018 - 11:04 AM

All VMs are essentially running from inside a folder on your host OS, regardless of the hypervisor you are using. Best practice is to exercise the same precautions in the VM that you would on the host. Don't operate on the assumption that a VM will insulate your system. If you wouldn't download it onto your host OS, don't download it onto a VM.
