Virtualization

Can Malware escape Virtual Machines?

Disclaimer: The content in this video is for education and entertainment purposes to showcase the dangers of malware & malicious software. I do not encourage any form of illegal hacking, nor do I encourage the usage of game cheats, cracks or hacks.

Cracks are sometimes shown to highlight the dangers of software piracy; my content is not intended to teach anybody how to pirate or maliciously hack.

(C) Eric Parker 2024

41 Comments

  1. Since I know this I never do malware analysis in VMware or VirtualBox anymore. I use Recorded Future Triage, which is free and safe. Even though I still use VMware, it's only for experimenting with Windows systems.

  2. > Industry standard when you escape a hypervisor is to spawn the calculator.

    Nah, that's the standard for showcasing any sort of shell access / arbitrary code execution on Windows.

  3. Guys, it may seem silly, but this happened to me. I was testing in a virtualized environment inside my W10 using Virtual Box with a W10 and suddenly I heard a super strange sound coming from the mouse. The sound sounded like a flat tire with a flooded lawnmower at the moment of use. I was scared to death, but the spirit for discoveries was greater. I continued with my tests and after several sounds described above I saw a message on the screen. It said the following: "Never mix coffee with cola!" Then I started to put the pieces together: how did the virus discover that I was using carbon paper to draw the pyramids in the third grade in the afternoon?! Guys, this left me astonished to the point of reviewing the settings of my computer that was bought at a stand in Bangladesh in exchange for some corn that was said to be super corn, where a single grain of corn was enough to make more than a billion Cereals for all of us in the world. In short: the color purple is better than confetti on the floor.

  4. I asked a security "expert" back in 2012 whether this was possible. Their answer was "no". Glad to see that if I can imagine it, it becomes so. I have seen that happen a lot recently.

  5. Tbh if all of the exploits in that exploit chain were 0-days, it would be way too expensive for random criminals. You don't need to worry about that kind of disaster unless you work for some top-tier organization that is targeted by nation-state attackers.

    That being said, there are more ways to escape a VM. The default config template used by VMWare isn't safe to run malware imo. Here are some minimum settings I use and recommend.
    1. Do NOT store unencrypted samples outside your VMs. There was an Office 0-day that attacked the explorer integration. Just browsing the file in explorer was enough to detonate the malware, in a VM or on the host.
    2. Do NOT use shared folders. Some malware may overwrite files and make it dangerous to open on the host.
    3. Do NOT use clipboard sharing or the drag-and-drop feature. Fractureiser abused the clipboard sharing feature to try to escape into the host file system.
    4. Turn on as many of the available isolation options as possible. VMWare has a series of isolation config entries that you can add to your VMX description file.
    Basically all you want is to isolate the lab VMs as much as possible. I run a simple HTTP server on VMs and use curl to manually transfer files. Yes, I have to type a bunch of commands to transfer files between VMs and the host, but this makes the operator think twice. You want to make your system not prone to human errors.
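An added example for item 4 above (not code from the video or the commenter): a small Python check that parses a .vmx file and reports which of VMware's documented isolation.tools.* entries for shared folders, clipboard sharing and drag-and-drop are missing or left enabled; the sample VMX text is constructed for the example.

```python
# Audit a VMware .vmx file for the isolation entries a malware-analysis VM should carry.
# Key names are VMware's documented isolation.tools.* settings; the sample VMX below is
# constructed for this example and is not taken from any real lab.
import re

# Hardened values: key -> value a lab VM should carry.
REQUIRED_ISOLATION = {
    "isolation.tools.hgfs.disable": "TRUE",   # shared folders (HGFS) off
    "isolation.tools.copy.disable": "TRUE",   # clipboard guest -> host off
    "isolation.tools.paste.disable": "TRUE",  # clipboard host -> guest off
    "isolation.tools.dnd.disable": "TRUE",    # drag-and-drop off
}

# One VMX line: key = "value" (values are normally quoted; quotes made optional here).
_VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text):
    """Parse key = "value" lines of a .vmx file into a dict (keys lowercased)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings


def audit_vmx(text):
    """Return {key: problem} for every required isolation entry that is missing or weak."""
    settings = parse_vmx(text)
    findings = {}
    for key, wanted in REQUIRED_ISOLATION.items():
        actual = settings.get(key.lower())
        if actual is None:
            findings[key] = "missing (VMware default leaves the feature enabled)"
        elif actual.upper() != wanted:
            findings[key] = f'set to "{actual}", expected "{wanted}"'
    return findings


# Constructed sample: a default-style lab VMX with one weak entry and two missing ones.
SAMPLE_VMX = '''\
.encoding = "UTF-8"
config.version = "8"
displayName = "malware-lab-w10"
sharedFolder0.present = "TRUE"
isolation.tools.hgfs.disable = "FALSE"
isolation.tools.copy.disable = "TRUE"
'''

if __name__ == "__main__":
    for key, problem in audit_vmx(SAMPLE_VMX).items():
        print(f"{key}: {problem}")
```

Run it against the VM's actual .vmx (with the VM powered off) and add or correct every entry it reports; the paste and drag-and-drop keys are the ones a default template most often lacks.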

  6. VM escapes are one of the top-tier warchest 0-days since you can steal many huge servers with one for a massive attack, or steal data from the adjacent VMs stealthily.

  7. What I do is I bought a cheap old Intel NUC off eBay for 50 USD and run a Linux-based hypervisor on it. I then run Windows in that to mess with Windows malware. I believe it is highly unlikely that malware that targets Windows will attack my Linux host. Additionally, I do have that machine on an entirely physically separate network. No VLAN or subnetting or anything. Literally no physical connection. I use one of those old 3G data sticks on it to connect it to the internet.

    That tiny little box is generally my testing environment for all sorts of things that I don't want on my actual machine.