Can Malware escape Virtual Machines?

  • Published 29 Jan 2025

Comments • 441

  • @the-answer-is-42
    @the-answer-is-42 3 months ago +1883

    I remember Mutahar (someordinarygamers) mentioning in a video that he had to reimage his PC because he was doing a virus investigation and it managed to escape the VM. So yeah, it's absolutely possible. It's why I'm too scared to do it myself and instead watch YouTubers take the risk.
    I still think VMs are a good security measure, but as all security measures, don't assume it's a silver bullet because nothing is completely secure... Except TempleOS.

    • @sakamocat
      @sakamocat 3 months ago +438

      templeos is the most secure OS because it is secured by the lord himself... amen

    • @speedymemes8127
      @speedymemes8127 3 months ago

      Best solution for testing is to have a dedicated box on its own subnet/VLAN that cannot communicate with the rest of your network.
      Even then, when you actually test you definitely should unplug Ethernet and set up a fakenet or something similar to look for network connections.

    • @raininafrica4620
      @raininafrica4620 3 months ago +339

      @@sakamocat and if it ever gets hacked then it was god's plan all along

    • @tablettablete186
      @tablettablete186 3 months ago +47

      @@raininafrica4620 No way, LMAO

    • @daveys
      @daveys 3 months ago +30

      Having read the Wikipedia article on TempleOS, I’m convinced that it might be the way forward.

  • @justwatching6118
    @justwatching6118 3 months ago +1122

    But can worms escape from my PC to the power cable, then dig their way out of the power cable and get inside me while I sleep?

    • @gideon5942
      @gideon5942 3 months ago +65

      🤨🤨🤨🤨

    • @Tathanic
      @Tathanic 3 months ago +11

      Yesish but no?

    • @vengefulone6282
      @vengefulone6282 3 months ago

      Idiot, they will get stuck by electricity

    • @KappaKappa-oi1kp
      @KappaKappa-oi1kp 3 months ago +129

      Not if you eat your vegetables. Have you been eating your vegetables?😐

    • @jemagif78
      @jemagif78 3 months ago +4

      yes

  • @Oddperson4
    @Oddperson4 3 months ago +1708

    yes, they can.

    • @sebastianandres
      @sebastianandres 3 months ago +219

      thanks you helped me get my 9 minutes back from this video

    • @H3llfire320
      @H3llfire320 3 months ago

      @sebastianandres my guy, search it up

    • @neztimar43
      @neztimar43 3 months ago +162

      @@sebastianandres he also says this 28 seconds into the video, so yeah.

    • @x1hax
      @x1hax 3 months ago +52

      But it is not that simple

    • @sebastianandres
      @sebastianandres 3 months ago +16

      @@neztimar43 I lied to you, I didn't even see the video, man

  • @tabs8231
    @tabs8231 3 months ago +141

    But can malware escape my basement?

    • @delinep7286
      @delinep7286 3 months ago +6

      It can, unless you put all the devices on your network into your basement and keep them there.

    • @brnwbrwunrwu
      @brnwbrwunrwu 3 months ago +2

      yes, net worms can

    • @plebisMaximus
      @plebisMaximus 3 months ago

      Just don't let them get anything they can pick the lock with and you should be good. Remember to feed your basement malware, the stink is terrible otherwise.

    • @Pesthuf
      @Pesthuf a month ago +1

      Can you?

    • @ButtcheeksOG
      @ButtcheeksOG a month ago

      I'm malware.....help me

  • @leggysoft
    @leggysoft 3 months ago +326

    VM escapes are one of the top-tier warchest 0-days since you can steal many huge servers with one for a massive attack, or steal data from the adjacent VMs stealthily.

    • @lukasbeyer2649
      @lukasbeyer2649 2 months ago +6

      if they're universal yes but since vms are so complex they're usually highly dependent on the configuration and hardware used

  • @HafizurRahman-vh7hw
    @HafizurRahman-vh7hw 3 months ago +512

    Can Malware escape Virtual Machine running inside a Virtual Machine which is running inside a Virtual Machine?

    • @TomJakobW
      @TomJakobW 3 months ago +77

      yes.

    • @corporalcorgi4948
      @corporalcorgi4948 3 months ago +101

      If it can escape one machine, then what is another machine for it to escape out of?

    • @thatoneglitchpokemon
      @thatoneglitchpokemon 3 months ago +37

      yes, the malware could just clone itself to the hypervisor and, if it gets detected as a VM, redo the process until the VM detection returns false

    • @JohnSmith-gd2ws
      @JohnSmith-gd2ws 3 months ago

      @@thatoneglitchpokemon (TL;DR at bottom)
      That's assuming a lot. For one, that either the same hypervisor is being used or that the exploit works for any hypervisor. As well as that the computer can be detected as a VM in the first place and it's, for example, not just a KVM Windows VM faking real hardware that has all possible security maximized (proper Group Policy setup, UAC, non-bruteforceable password, minimal version of Windows such as the IoT release (the evaluation version can be legally used here), limited and minimized network capabilities, fully deleting any and all browsers including Edge and Edge WebView, firewall enforced by the VM above it and so on...). And/or the same being done with an OS better equipped for this, such as OpenBSD.
      TL;DR: work with the principle of least privilege (such as a minimal OS install with only what it needs), and use different hypervisors and OSes per layer of virtualization. And if possible use QubesOS for a more secure and streamlined process. The chances of virtualization fully being defeated even on an internetless, fully locked down OS such as a properly configured OpenBSD in the middle of the VM chain are astronomically low; hackers have a higher chance of getting through by waiting for a cosmic ray to flip enough bits to hack it for them. Or by figuring out a surefire undefeatable way to hack all CPUs to their core.

    • @amentco8445
      @amentco8445 3 months ago +23

      @@thatoneglitchpokemon how difficult would this be if every VM is a different OS?

  • @F_Around_and_find_out
    @F_Around_and_find_out 3 months ago +156

    Some malware is smart: it can recognize a VM and so it won't fire, so naturally you think it's safe. And when it's in the real system, it fires. Maybe not a VM escape but VM dodging.

    • @JackieBright
      @JackieBright 3 months ago +40

      He mentioned it here and I believe he has a video about hiding that your VM is a VM so that malware can't tell

    • @mamertens99
      @mamertens99 2 months ago

      Yes, it is a common attack; see MITRE technique T1497 "Virtualization/Sandbox Evasion" for more information and examples.

    • @lol-ws6po
      @lol-ws6po a month ago

      not some, they put this feature in every rat

  • @blacklamb8393
    @blacklamb8393 3 months ago +617

    Wouldn't happen in TempleOS

    • @ObtainEmployment
      @ObtainEmployment 3 months ago +1

      In the temple, viruses glow in the dark

    • @balsalmalberto8086
      @balsalmalberto8086 3 months ago +87

      Malware on TempleOS would download more ram and a car for us.

    • @johndeaux8815
      @johndeaux8815 3 months ago +59

      If you get a virus on TempleOS you might summon a D(a)emon

    • @HelloworldXY32
      @HelloworldXY32 3 months ago

      God is the anti-virus, he checks the malware for us before it runs

    • @doodmcswood507
      @doodmcswood507 3 months ago +37

      Daemons cannot tread upon holy ground

  • @Ehvelynne
    @Ehvelynne 3 months ago +53

    all fun and games until it escapes into ANOTHER VM but doesn't realise it

    • @Archonsx
      @Archonsx 26 days ago

      😂

  • @superbtrilogy5049
    @superbtrilogy5049 3 months ago +243

    Can malware go through a brick wall next please.

    • @KappaKappa-oi1kp
      @KappaKappa-oi1kp 3 months ago

      No need to go through brick walls.
      they live inside your walls
      they can hear your heartbeat and farts when you sleep

    • @Jeganello
      @Jeganello 3 months ago +5

      LMAO 😂

    • @j100j
      @j100j 2 months ago +4

      Easy, just use wireless connections such as using your ram as an antenna.

    • @reaIixx
      @reaIixx 4 days ago

      If you throw the pc hard enough, yes it can

  • @S.S.S759
    @S.S.S759 3 months ago +174

    I love the "Not that windows defender will detect anything".

    • @alfonzo7822
      @alfonzo7822 3 months ago +8

      But... It's the only solution you need.

    • @S.S.S759
      @S.S.S759 3 months ago +8

      @@alfonzo7822 Yes and no. Depends on how you are using your PC. If you are careful then it's OK, but you know, still bad. So getting a better AV is a good idea.

    • @catfishingeveryone
      @catfishingeveryone 3 months ago

      @@S.S.S759 When it comes to scanning, Windows Defender uses almost the same virus definitions as other AVs. The only difference is Windows Defender doesn't have good realtime protection like checking for malicious connections etc. But if you're someone who knows what they're doing, Windows Defender is fine. I only use Windows Defender and NPE when I suspect malware. NPE has been the best at removing malware. But for offline I use MSERT.

    • @strob5657
      @strob5657 3 months ago +1

      @@alfonzo7822 WinDef is great, yeah, but if you're like me, a power user who doesn't know the nitty-gritty details, then yeaaaah you might need more layers

    • @plebisMaximus
      @plebisMaximus 3 months ago +7

      @@strob5657 Can you really call yourself a power user if you keep frying your system with malware? lmao

  • @DGTelevsionNetwork
    @DGTelevsionNetwork 3 months ago +12

    Most VM escapes in the early 2000s were just network based, as most applications back then used NAT without a firewall. This caused many headaches, especially under XP.

  • @volcanic_sloth
    @volcanic_sloth 3 months ago +229

    but can malware escape physical machines?

    • @SmilerRyanYT
      @SmilerRyanYT 3 months ago +106

      The only other thing past physical is via network/wireless/Bluetooth etc., to try spreading to another physical machine.

    • @VINgaming1113
      @VINgaming1113 3 months ago +42

      Some malware can infect the wifi and other pcs connected to the WiFi

    • @N1nt3nd0mariozelda
      @N1nt3nd0mariozelda 3 months ago +3

      Yes, they can affect all machines on a network

    • @EricParker
      @EricParker 3 months ago +134

      net worms can. This is why firewalls are important.

    • @wirytiox1577
      @wirytiox1577 3 months ago +8

      @@SmilerRyanYT imagine infecting components firmware. targeting mouse, keyboard... THUMBDRIVES? wait. that already happened right?

  • @pvrplesky
    @pvrplesky 3 months ago +28

    how did we come from carving rocks in the cave to this specific malware issue man...

  • @Tyche1337
    @Tyche1337 3 months ago +9

    When I was young, I used to test viruses in a VM for fun. 1 virus got out (as far as I know) and put a nest in the WiFi router; it was somehow physically overwritten from above, no antivirus could help, finally we threw it in the trash

    • @aldk5200
      @aldk5200 a month ago +2

      bruh… so how do I prevent this if I want to test malware???

    • @4LoriU
      @4LoriU 23 days ago

      Test it on a physical machine that isn't connected to the internet, has no WiFi or Bluetooth capabilities, and that you will never use for any other purpose, since some malware can infect your BIOS @@aldk5200

    • @stach947
      @stach947 20 days ago +1

      @@aldk5200 just dont test the malware lol

  • @emmioglukant
    @emmioglukant 3 months ago +39

    I've heard that some malware get "permanently" embedded in hard storage, staying there despite reformatting the disk

    • @Kreze202
      @Kreze202 3 months ago +32

      Iirc it's not embedded in the storage, but rather the firmware/CPU(?) somehow? I could be remembering wrong, but it's true that there is malware that persists even through a disk reformat

    • @capulini
      @capulini 3 months ago +13

      Malware in the BIOS

    • @frankbucciantini388
      @frankbucciantini388 3 months ago +22

      Not really, once you format a disk everything is gone. The problem is that they infect the UEFI which means that they're gonna live in your motherboard memory, so regardless of how many times you format your HDD, the virus will keep reinfecting it.

    • @HafizurRahman-vh7hw
      @HafizurRahman-vh7hw 3 months ago +4

      @@frankbucciantini388 what's the solution in that case?

    • @frankbucciantini388
      @frankbucciantini388 3 months ago +30

      Flashing the BIOS with a brand new image downloaded from the manufacturer's website onto a USB stick using a different computer.

  • @CZghost
    @CZghost 2 months ago +2

    Just a note: KVM doesn't necessarily have to be software virtualizing hardware, it can be hardware itself that sits between the dedicated physical machine and the network input, and with that piece of hardware you can fully control the physical machine remotely (which is used by a number of data centers worldwide). You can power it off, you can even power it on. It's a full control node. It shares the same abbreviation with the KVM software that does virtualization.

  • @subieasunayuuki
    @subieasunayuuki 3 months ago +15

    Anything connected to the internet is not completely safe

  • @SIMULATAN
    @SIMULATAN 3 months ago +69

    Love how humble you are, explaining these things without a big ego

    • @User-kq3od
      @User-kq3od 3 months ago +4

      Can't have an ego when you haven't earned one
      He's very much still a beginner himself, just explaining things as best he can for the layman

    • @Isaac-eq7xk
      @Isaac-eq7xk 3 months ago

      @@User-kq3od very untrue

    • @User-kq3od
      @User-kq3od 3 months ago +3

      @@Isaac-eq7xk Isaac. I have at least 2 active NDAs from the work I've done in cybersecurity and general tech. What I said is a fact that Eric would likely agree with. If he tries to deny that he's on the wrong side of the bell curve, because the skill gap in this industry goes from kiddy playing in an HTML editor to literal god who was on the FBI watchlist at 13 and wrote his own kernel and compiler and only went to work for the good guys after he got arrested and faced 300 years in prison.
      Eric is a hobbyist who makes videos for other less experienced hobbyists. Nothing Eric has covered is advanced in any shape, way or form. It's literally entry level stuff, it's only considered more than that by people with zero actual experience in the field.
      That's not a slight against him or his content, it's just a fact; his videos are entertaining, mildly educational and good. I'm sorry your feelings were hurt.

    • @Isaac-eq7xk
      @Isaac-eq7xk 3 months ago

      @@User-kq3od should've been more specific, people have unearned egos all the time

    • @User-kq3od
      @User-kq3od 3 months ago +3

      @@Isaac-eq7xk Should've gotten a higher level of reading comprehension, don't blame me for your own inadequacy.

  • @trens1005
    @trens1005 3 months ago +16

    I asked a security "expert" back in 2012 if this was possible. Their answer was "no". Glad to see that if I can imagine it, it becomes so. I have seen that happen a lot recently.

    • @CrossoverFlowMuzik
      @CrossoverFlowMuzik 27 days ago +4

      Please imagine me with $ 1 million.

  • @mykolapliashechnykov8701
    @mykolapliashechnykov8701 2 months ago +3

    We were doing infrastructure clouds for that company related to Ebay. First production workloads kicked in, somebody hacked the front-end software, escaped the VM and spilled onto the hypervisor, using another exploit to expose the ssh keys. We were highly praised the next day because we were schmucks who didn't know shit and completely f-d up the inter-hypervisor networking that evening. The hacker couldn't figure out how to fix it and just gave up.

  • @fluf201playz
    @fluf201playz 3 months ago +83

    Interesting video, but I'm curious about the specific vulnerabilities they exploited to escape the virtual machine. Were these known exploits that were patched or were they zero-day vulnerabilities?

    • @EricParker
      @EricParker 3 months ago +49

      I don't think there has ever been a case of a malicious exploit. All of the ones I showed are from pwn2own or other trade shows.

    • @tirushone6446
      @tirushone6446 3 months ago +18

      @@EricParker well that's the thing, an actual hacker or malware dev isn't going to be concerned with exploiting the computer of a security researcher using a VM, because that's such a small number of people it isn't worth the dev time to actually achieve. So the fact these are hobbyist hackers doing it for fun makes sense to me.

    • @ultravioletiris6241
      @ultravioletiris6241 3 months ago +5

      @@EricParker exploits like this can be tough to use in a widespread way in the wild, because whatever entity using it risks tipping their hand or allowing someone else to reverse engineer the technique for themselves

  • @honkSchumacher
    @honkSchumacher 3 months ago +13

    What I do is I bought a cheap old Intel NUC off eBay for 50 USD and run a Linux-based hypervisor on it. I then run Windows in that to mess with Windows malware. I believe it is highly unlikely that malware that targets Windows will attack my Linux host. Additionally, I do have that machine on an entirely physically separate network. No VLAN or subnetting or anything. Literally no physical connection. I use one of those old 3G data sticks on it to connect it to the internet.
    That tiny little box is generally my testing environment for all sorts of things that I don't want on my actual machine.

  • @thewhyzer
    @thewhyzer 20 days ago +1

    Carefully crafted malware can escape from the VM and execute memes in your brain via the Snow Crash vulnerability. The only way to stay safe is to not look at the display connected to the infected machine.

  • @какойтошизик
    @какойтошизик 3 months ago +29

    Honestly, not that long ago I thought a VM was a panacea when testing malware and other malicious stuff.

    • @bruhblox_
      @bruhblox_ 3 months ago +17

      it's never safe to download something, period. If it's a VM, malware could break out of it; if it's a throwaway PC, net worms could reach your main PC through the network

    • @robert7100
      @robert7100 3 months ago

      @@bruhblox_ just buy internet from different internet providers for each PC

    • @SpaceCadet4Jesus
      @SpaceCadet4Jesus 3 months ago +2

      A VM was still a safe environment to test malware and such. These were exploits that got patched, and the likelihood that any virus you're going to come across is going to break through the VM and infect your entire network is around zero.

    • @plebisMaximus
      @plebisMaximus 3 months ago +1

      There is no secure way to "test" malware. It's some scary shit. It's unlikely to break out of a VM or to spread through your network, but it's not impossible. Unless it's your job and you know EXACTLY what you're doing, never deliberately download malware and be very cautious with downloading even legit software.

    • @sp34277
      @sp34277 2 months ago +1

      @@plebisMaximus say what you want
      but if it's your experience that there's no secure way to do it, you must have poor updating habits, or, like he said in the video, get extraordinarily unlucky with a zero-day
      I test all sorts of malware in VMs, I have for a decade
      I just don't disable any of the side-channel mitigations when working with malware, as I don't want it potentially seeing my host's memory spaces

  • @russohc
    @russohc 3 months ago +22

    Guys, it may seem silly, but this happened to me. I was testing in a virtualized environment inside my W10 using Virtual Box with a W10 and suddenly I heard a super strange sound coming from the mouse. The sound sounded like a flat tire with a flooded lawnmower at the moment of use. I was scared to death, but the spirit for discoveries was greater. I continued with my tests and after several sounds described above I saw a message on the screen. It said the following: "Never mix coffee with cola!" Then I started to put the pieces together: how did the virus discover that I was using carbon paper to draw the pyramids in the third grade in the afternoon?! Guys, this left me astonished to the point of reviewing the settings of my computer that was bought at a stand in Bangladesh in exchange for some corn that was said to be super corn, where a single grain of corn was enough to make more than a billion Cereals for all of us in the world. In short: the color purple is better than confetti on the floor.

    • @SpaceCadet4Jesus
      @SpaceCadet4Jesus 3 months ago +5

      This started out great.... Then got infected. 😕

    • @nocodenoblunder6672
      @nocodenoblunder6672 2 months ago

      Vivid imagination

    • @brawldude2656
      @brawldude2656 2 months ago

      Purpl🤤

  • @fluf201playz
    @fluf201playz 3 months ago +29

    This video was really intreasting. I wonder if there's a way to completely prevent malware from escaping virtual machines, or if it's always going to be a cat-and-mouse game.

    • @remzdev
      @remzdev 3 months ago +4

      intreasting 😭😭 but yeah, it's probably always gonna be a cat and mouse game, because there are always vulnerabilities in programs, so people are always going to find a way to exploit this. But maybe in theory there will be a day that VMs will have like an unstoppable firewall that prevents all malware from seeping through.

    • @westbrook0853
      @westbrook0853 3 months ago +5

      Well, I think instead of focusing on the VM, we should focus on the host and perhaps create a special lockdown mode or 'high alert mode' when testing malware on a VM

    • @tablettablete186
      @tablettablete186 3 months ago +3

      There is no way to prevent all escapes

    • @apache937
      @apache937 3 months ago +3

      unnetworked and a host with nothing worthwhile on it is a good start

    • @samuels1123
      @samuels1123 3 months ago +8

      Full virtualization is an entirely impractical yet successful answer.
      Malware can reach a host if it is installed on an imaginary operating system directly connected to the host hardware.
      Malware cannot reach the host if it is installed on imaginary computer hardware in a simulated computer.

  • @fluf201playz
    @fluf201playz 3 months ago +46

    short answer yes long answer Y E S

    • @goldencheats23
      @goldencheats23 3 months ago

      What if you have an antivirus on the main system? Does it just bypass it? @Eric Parker

    • @AdilKettani-n3b
      @AdilKettani-n3b 3 months ago

      @@goldencheats23 If it can break out of VMs it's probably UD too

    • @goldencheats23
      @goldencheats23 3 months ago

      @@AdilKettani-n3b so the antivirus won't do anything once it gets into the main system? How does that work

    • @AdilKettani-n3b
      @AdilKettani-n3b 3 months ago

      @@goldencheats23 to be able to code a virus that is able to break out of VMs, you must have really good knowledge in malware development, and the basics of malware development is knowing how to bypass antiviruses. Meaning that the person who made that malware probably also coded it in a way that it won't be detected by any antivirus

  • @jcxtra
    @jcxtra 3 months ago +6

    Ahh, good old operator error. Running a sample not in the specialised isolated section, but on the host. That's why they say never experiment if you're not prepared to lose everything. =^.^=

  • @Maxim67459
    @Maxim67459 3 months ago +59

    Malware: *escapes windows vm*
    Malware: where am i
    Linux: death

    • @younes1815
      @younes1815 3 months ago

      Why?

    • @katarns
      @katarns 3 months ago +12

      @@younes1815 because if a virus wants to escape Windows from inside a VM it usually wants to virus the host. Linux is built different, so a virus written for infecting Windows wouldn't work. Also, people like to believe Linux is much more secure, but that's only because most targets are on Windows machines

    • @kowaihana
      @kowaihana 3 months ago +5

      @@katarns side note, but most viruses target Mac and Windows because most people are on those

    • @d.sherman8563
      @d.sherman8563 3 months ago +3

      @@kowaihana Most valuable data is stored on Linux machines though, like 99% of all servers in the world run Linux.

    • @kowaihana
      @kowaihana 3 months ago

      @@d.sherman8563 "PEOPLE"

  • @ZcorpLabs
    @ZcorpLabs 3 months ago +7

    I'm not concerned about guest to host escape as it's wildly unlikely, what I'm worried about is malware that requires an internet connection to run, like some infostealers? Wouldn't connecting the VM to the internet allow some LAN escape to infect other REAL computers on the same network?

    • @greenumbrellacorp5744
      @greenumbrellacorp5744 3 months ago +3

      That's why it should be isolated from the rest and firewalls put in place. Some smart malware that detects a VM just behaves nicely while in the VM so you think it's not doing anything nasty.

  • @UnknownDerpyPro
    @UnknownDerpyPro 3 months ago +5

    Matrix level threat, still trying to escape reality

  • @xdeathcon
    @xdeathcon 2 months ago +1

    Any time I've ever done any screwing about with malware, I used linux as my host system with a windows vm. I'd wager the chances of a virus running on windows not only being able to escape a vm but to also successfully have an impact on linux to be very low.

    • @lpfan4491
      @lpfan4491 a month ago

      Virus:"Yey, I escaped the VM! Now let's look at this..."
      Linux: *moonspeak*
      Virus:"Okie dokie, back to the VM."

  • @Johngabana-t3v
    @Johngabana-t3v 3 months ago +4

    All depends how malicious the malware is

  • @tahaak
    @tahaak a month ago

    Air-gapped systems can be hacked; of course a VM escape is possible in theory, but it's very unlikely to happen since they specifically need to find a host driver that is exploitable in a particular configuration.

  • @ShivanshGupta51
    @ShivanshGupta51 3 months ago +3

    Love the way you explain man ❤❤

  • @truemorpheus
    @truemorpheus 3 months ago +3

    You forgot to talk about clipboard sharing and auto usb mounting to VM

  • @ItzToxicYTT
    @ItzToxicYTT 3 months ago +3

    Your Answer: 8:14

  • @miscellaneousproductions
    @miscellaneousproductions 2 months ago +1

    A good strategy is running a different OS on the VM than on the host machine. For example, a macOS host with a Windows VM.

  • @Shadowcloud169
    @Shadowcloud169 3 months ago +1

    Nice video, but throughout watching your videos, there were several audio hitches like at 2:40 here sounding like a misplaced cut, cutting off the information and the sentence. Just FYI!

    • @EricParker
      @EricParker 3 months ago +1

      Not a cut, just an audio issue. Hopefully fixed with the new platform I'm building next week.

  • @risitas5874
    @risitas5874 24 days ago +1

    I'm trying to understand the first part.. where you open an infected steam file.
    Are you saying that if steam.exe knew how to escape the VM, that it would do so after you accidentally run it?

  • @kuil
    @kuil 3 months ago +3

    Can they escape a virtual machine running inside of another, running inside of templeOS?

  • @jjrulez1596
    @jjrulez1596 3 months ago +4

    so I'll admit, I'm not that skilled, but I am aiming towards being a pen-tester personally (been interested in cyber sec for ~ the last 7 years, and actively learning the last 2-3ish), and before watching, my thought would be theoretically yes, but it's gonna be easier for it to do network traversal rather than direct VM escape (i.e., you make the VM, and don't take it off the network by accident or whatever, and it jumps to your main system that way). Will edit after finishing the vid.
    Edit: after finishing, while I missed some of the more nuanced portion (namely the last bit about AWS and other VM sellers being the primary targets), I am glad to know I was more or less correct, it would seem, in that you have to have really bad luck w/ a 0-day (aka the "theoretically yes" portion), or user error. Not trying to sound like I'm bragging or anything, more just proud that my thought process was accurate

    • @greenumbrellacorp5744
      @greenumbrellacorp5744 3 months ago

      yea, directly escaping might be harder. What most do is just "behave nicely" under strange circumstances. That means some infected Steam malware will just behave properly if it detects no network or a VM, and it will just be "Steam". You think it's safe and when you run it outside of the VM it deploys the payload. Obv that approach won't work when you KNOW it's malicious, but the point is when finding out IF it's malicious. If it behaves as expected under the VM and does what it says, nothing more, it may look safe.

  • @ponocni1
    @ponocni1 3 months ago +1

    I do wonder one thing: why are there no escapes using external devices with macro functions, like mice?

  • @DanioxQQ
    @DanioxQQ 3 months ago

    They can, but nowadays there's a rather low possibility of it happening, since virtual machines have levelled up and viruses have levelled down rather than up in being dangerous

  • @nexipg
    @nexipg 3 months ago +8

    Can Malware escape RDP?

    • @EricParker
      @EricParker 3 months ago +11

      That's actually an interesting question. In theory it's possible such an exploit exists, haven't reversed RDP much.

    • @Skyeithink
      @Skyeithink 3 months ago

      RDP to newer versions of Windows has drag-and-drop file transfer enabled by default, so I'd imagine it would be pretty easy

    • @separi8060
      @separi8060 2 months ago

      I think it's possible and there have been a few cases, but it really depends on how the RDP has been configured. At my work it is often done so that only user inputs and video are allowed through.

  • @OneBiOzZ
    @OneBiOzZ a month ago

    generally speaking even if a VM escape 0day exists, there is little probability a virus you are researching would have such a thing in it. all of that extra code in there that could be signature detected in return for the creds or crypto wallet of the smallest subset of users.
    Such a thing would be used by an organization for targeted attacks and you would already take special care

  • @LeetHaxington
    @LeetHaxington 3 months ago +16

    The "can YouTubers put the answer in the title" situation is insane

    • @Isaac-eq7xk
      @Isaac-eq7xk 3 months ago +2

      it would get less views

    • @gabrielv.4358
      @gabrielv.4358 3 months ago

      @Isaac-eq7xk no views

  • @lukasbeyer2649
    @lukasbeyer2649 2 months ago

    You can do PCIe passthrough for 3D acceleration, which is secure as long as you respect the IOMMU groups.

  • @vladislavkaras491
    @vladislavkaras491 3 months ago

    Thanks for making my sleeping even more nervous! :D
    And thanks for the video!

  • @Gelstorm2010
    @Gelstorm2010 3 months ago +1

    Can the malware escape if I break the computer?

  • @hike8932
    @hike8932 3 months ago

    I think the best way to avoid this is just running a VM from an external drive like a pendrive or external SSD, with Linux on top for extra control.

    • @СерхиоБускетс-ф7я
      @СерхиоБускетс-ф7я 3 months ago

      Other drives will be visible in the system, and the virus code will very likely copy itself to all of them.

  • @prajwaladhav3123
    @prajwaladhav3123 3 months ago

    My laptop speaker audio has been reduced recently. I tried using Malwarebytes to remove malware since I thought of a correlation here, but I still think that my laptop is working weirdly.

  • @miguelmalvina5200
    @miguelmalvina5200 2 months ago

    I wonder if Vinny got malware on his PC after the destroying Windows video series and didn't even realize.

    • @glebglub
      @glebglub 2 months ago

      Vinny's proc would have corrupted the virus itself. It's Jobel that did the Windows destructions.

  • @therealBingusGaming
    @therealBingusGaming 13 days ago

    Rare if the settings are right

  • @johannoas1
    @johannoas1 3 months ago +1

    OK, that escaping is very specific to the VM software used and the OS you are running on, isn't it? I don't think QEMU emulation would allow that, or would there be the same issues?

  • @Typocat
    @Typocat 3 months ago +1

    I am too afraid of somehow messing up my host computer, so instead I just mess around in Triage.

  • @nana-z8h3v
    @nana-z8h3v months ago

    Then what can I do about our professor, who gave us an activity where we needed to attack our own laptop using another laptop? Is it dangerous even if we use a VM?

  • @HyperMAX9001
    @HyperMAX9001 3 months ago

    I guess that top antivirus companies test on special virtualization that closely emulates real hardware, including 3D, or they test on real hardware and watch through a DMA card and some custom remote connection drivers.

  • @Acered.
    @Acered. 3 months ago

    Can malware from a Windows partition jump to a Linux partition on the same machine, or vice versa, or just between different Windows partitions? If so, is it a common type of malware feature seen in the wild (spreading between OS partitions)?

  • @nickplays2022
    @nickplays2022 3 months ago

    Why does Terrabox cloud insist that I install the desktop app?

  • @BrentLeVasseur
    @BrentLeVasseur 3 months ago

    While the virtual machine example is important and interesting, I'm also interested in what viruses or malware can do when downloaded through a code translator like Wine on Linux. Say, for example, you are running Windows games on a Linux machine and a Windows virus is sent to your computer: does the translation layer make that Windows virus now Linux compatible?

  • @hamburger_eatspie
    @hamburger_eatspie 3 months ago +1

    What is the .mal file extension? Just wondering.

  • @stephenluttrell8958
    @stephenluttrell8958 3 months ago

    As usual security is never absolute, but you shoot for the most practical solution weighed against what you have to protect. If you have 2 identical houses side by side with the only difference being that one has a security sign in the window, which do you think will get robbed first? Neither house is truly secure, but the house with no security sign is more likely to get hit by a burglar of opportunity. Now, if you put a stack of money in full view of a window in the house with the sign then you obviously will need more than a sign. Security is way more nuanced than that example, but I hope it illustrates the point.

  • @cvpherhack3r819
    @cvpherhack3r819 3 months ago

    For some reason I really like the sound of your voice, and I am really intrigued by the video, haha. But it is interesting to see how malware can escape VMs.

  • @miso-ge1gz
    @miso-ge1gz 2 months ago

    Yes, but it needs to be made for that, and most virus creators won't bother.

  • @idk-ot5nb
    @idk-ot5nb 3 months ago

    Well, obviously they can get out of a VM, but isn't a big obvious one the virus getting onto the internet? Or alternatively, I've heard of some detecting that they are in a VM, therefore stopping the code, but when it's run outside a VM, it actually runs?

  • @Kam33l
    @Kam33l 10 days ago

    I mean, yes, it can escape, but we have tools like Triage for something like that (an online VM generally created to scan for viruses).

  • @noromi
    @noromi 3 months ago

    How about using a different OS? Like, host with Linux, guest with Windows; is that still possible?

  • @myuutosan
    @myuutosan 13 days ago

    Can you escape my Heart?

  • @Kurdish-y8j
    @Kurdish-y8j 3 days ago

    Yes, they can escape a VM unless you turn off Wi-Fi; if you turn off Wi-Fi in a VM you're safe.

  • @Deniil2000
    @Deniil2000 3 months ago

    Depends on the virtual machine in question.

  • @VapuR8
    @VapuR8 months ago

    Aren't VM processes run by the host CPU? And CPUs do have bugs.

  • @anubischeats
    @anubischeats 29 days ago

    Is it okay if I run the VM as an RDP server on my secondary device, and then connect to that RDP server from my device?
    Now, is it possible for that VM to execute commands on my primary PC or secondary PC?

  • @user-hz4tc2pf3x
    @user-hz4tc2pf3x 3 months ago

    OK, but what about a double virtual machine? No one thinks about that.

  • @lefreshbaguette
    @lefreshbaguette 3 months ago

    TL;DW: yes, if they have worms on it / they can.

  • @stevefan8283
    @stevefan8283 3 months ago +2

    Can you escape a jail?

  • @0xf444
    @0xf444 3 months ago

    I'm currently studying malware analysis, and the common case is that malware attempts to disable its functionality or makes analysis hellish if it detects that it's in a VM, because average malware authors don't have millions of dollars to exploit hardware-related zero-days.
    Most modern malware contains routines that check if the machine is a VM (it could check the resources given to the guest, or get the process list of the guest and check for the VMware Tools process, and many other techniques that I haven't fully studied/known about yet), and from there decide whether it executes its normal malicious behavior or just doesn't execute its malicious payload.
    Additionally, when doing dynamic analysis (running the malware) you'd use services that simulate an internet connection in order to get insight into what it does. (You wouldn't really allow the malware to connect to the internet directly, unless you're absolutely certain of what it does, which you can know by using static analysis.)
    On top of that, most of the time you'd have to uninstall VMware Tools, because malware is on the lookout for that process, and therefore you can't use shared folders to begin with.

  • @bigland-id3sv
    @bigland-id3sv 3 months ago

    Is using a hardened VM over RDP safe?

  • @BestOsuPlayer
    @BestOsuPlayer 3 months ago

    But what if you run a VM inside a VM to counteract a VM escape? Like, wouldn't that work?

  • @giridharpavan1592
    @giridharpavan1592 2 months ago

    Check if Parallels is safe.

  • @TheMumbles
    @TheMumbles 3 months ago

    Why does no one speak about Kaspersky as an AV?

  • @hike8932
    @hike8932 3 months ago

    But what if you make a VM inside a VM?

  • @Maks7594
    @Maks7594 3 months ago

    Just run a virtual machine in a virtual machine, problem solved.

  • @EduardoTheManDD
    @EduardoTheManDD 3 months ago

    It's best to assume yes.

  • @iEndyyi
    @iEndyyi 3 months ago

    What about Sandbox on Windows 10 Pro?

  • @bamptpo
    @bamptpo 3 months ago

    What would happen if it was a Linux host with a Windows VM? Or vice versa?

  • @Pawlo370
    @Pawlo370 3 months ago +4

    Can you turn on dark mode, please?

  • @seedney
    @seedney 3 months ago

    When it comes to security, how was it done when there were no VMs? Did we test on production? XD

  • @Fragile_Sapien690
    @Fragile_Sapien690 12 days ago

    Why does your accent sound scarily familiar?
    Which state do you live in, if I may ask?

  • @AnonymousJack
    @AnonymousJack 3 months ago

    HOW IS THAT POSSIBLE

  • @fastrun14
    @fastrun14 2 months ago

    Now I understand why Android requires root for virtualization.

  • @albertfinkelstein
    @albertfinkelstein 3 months ago

    Use a software-based emulator running only in userspace, further confined with SELinux. Live-boot the host OS. Safest way to virtualize.

    • @Ozzianman
      @Ozzianman 18 days ago

      I would also do this on a PC that is not a daily driver, with networking disabled. When experimenting with malware, you really cannot take enough precautions.
      There are also services like Triage that are way better to use.

  • @joa-p2m
    @joa-p2m 3 months ago

    Does this also include Windows Sandbox?

    • @JJFX-
      @JJFX- 3 months ago

      The answer is always yes.

  • @gabrielv.4358
    @gabrielv.4358 3 months ago

    Why can't you emulate inside an emulator?

  • @Hari-tv
    @Hari-tv 3 months ago

    Yes, it can happen if they work by infecting hardware, not only the system.

  • @InfinnacageMusic
    @InfinnacageMusic 3 months ago

    How private is Whonix?

  • @pelaajahacks8358
    @pelaajahacks8358 3 months ago

    I think you could enable Hyper-V on Windows while running it under KVM on a Linux host.

  • @digantadutta2143
    @digantadutta2143 2 months ago

    Please boost your audio when editing.

  • @victoryu6570
    @victoryu6570 2 months ago

    Can malware infect the user?