Can Malware escape Virtual Machines?
ฝัง
- เผยแพร่เมื่อ 7 ต.ค. 2024
- Can Malware escape Virtual Machines?
Official Discord Server - / discord
Learn Reverse Engineering - skool.com/eric...
Follow me on X - / atericparker
Disclaimer: The content in this video is for education and entertainment purposes to showcase the dangers of malware & malicious software. I do not encourage any form of illegal hacking, nor do I encourage the usage of game cheats, cracks or hacks.
Cracks are sometimes shown to highlight the dangers of software piracy, my content is not intended to teach anybody how to pirate, or maliciously hack.
(C) Eric Parker 2024
But can worms escape from my PC's to power cable, then from power cable dig the way out and get inside me while I sleep?
🤨🤨🤨🤨
Yesish but no?
Idiot, they will got stuck by electricity
Not if you eat your vegetables. Have you been eating your vegetables?😐
yes
I remember Mutahar (someordinarygamers) mentioning in a video that he had to reimage his PC because he was doing a virus investigation and it managed to escape the VM. So yeah, it's absolutely possible. It's why I'm too scared to do it myself and instead watch TH-camrs take the risk.
I still think VMs are a good security measure, but as all security measures, don't assume it's a silver bullet because nothing is completely secure... Except TempleOS.
templeos the goat
templeos is the most secure OS because it is secured by the lord himself... amen
Best solution for testing is to have a dedicated box on its own subnet/vlan that cannot communicate with the rest of your network.
Even then, when you actually test you definitely should unplug Ethernet and setup a fakenet or something similar to look for network connections.
@@sakamocat and if it ever gets hacked then it was god's plan all along
@@raininafrica4620No way, LMAO
Love how humble you are, explaining these things without a big ego
Wouldn't happen in TempleOS
In the temple, viruses glow in the dark
Malware on TempleOS would download more ram and a car for us.
If you get a virus on TempleOS you might summon a D(a)emon
God is the anti-virus, he checks the malware for us before it runs
Daemons cannot tread upon holy ground
Can malware go through a brick wall next please.
No need to go through brick walls.
t̵͍͈͝ḧ̶̢̟̪͕́ë̷̡͚́̓̇͋͝y̶͇̠̗̬͛̏̐͆̓ ̸̡͗̿l̴̳͍̓̽͌͆̌ì̷̢̬͚͜ͅv̷̬̘̼̱͐̓͑́͝ͅe̸͇͚̪̱̅̎̊̓ ̸͙̾̾̍̀͝i̵̡͍͂̍̊͝n̸̢̡̢͍̥̓ͅs̴̤͓̈́͌̊̚ȋ̴͕̻͔̟͐͊̓̚d̸̫̫̻͖̐͗̄͐͝e̶̠͔͊̐́̚ ̷̩͚̹̈́̽̏̿̏̈́ÿ̶̢̜̗̱̩́̑͆̈́͋o̷̤͇͓̲̿̇̀͘ǘ̵͔̼̳͙͓̥̐͝r̶̪̞̅̉̐͝ ̷͈̥̠̱̐̅̊̆͌̌w̶̨̲̗͎͛̋̅̌͆̑ͅa̴̛̯͉̍͆̆̐l̸̛͓̯͕͑̌̄ͅl̷̛̙͖̪̼̾̐̐̈́ͅs̴̯͕̞͖̩̖̀̍͝͝͝
ṯ̸̨̛̘̥̈́̇͘͠h̵̛͈͍̰͙̑̎̒͝e̵̩̻͓̠͇̐͂͂͝y̸̛̪̟͇̟̞͑̽́̕ ̷̜̟̂̌̆͛͌ͅc̶̻̱̞͚͋̒̐̐͑͜a̴̤͉̍̈́͂̄̚ǹ̵̡̈́̆̽ ̷̛̠̦͙̗̽̓͛̕h̴̢̢̼̬̓͊͌̆̚é̶̪͇̰͚̠̀͘̚a̸̜͎̦̲̩̋̓̎̔r̶̛̪̫͎̱̖̅̓͠ ̶͍͉̫̀͂̊̎ȳ̸̡̛͕͔͍̯̋̕̚õ̷̫̪͆̒̀̑ư̵͇͕̈́̆̑̕ȓ̷̡̛̛͕͔̯̊̐ ̴͖̯̘̗̇̓͆͘͝h̵̢͖̹̥̘̀̄̓̇͝e̷̬̖̙̋̿͌̀͘á̶̛̼̻̯̟̪͛͗̾r̵̢̫̻̯͛̿̎̾͘t̵͉͉͎̀̀̎̐͝ͅb̷̝̫̦̦̋͆͌̕e̶̠̝̯̍̐̋̆͂a̷̱̫͓͑̅̿̄t̷̹̑͆͊̊̑ ̸̡͉̝̙̿̐̎̕͠a̸̛͖͖͛̓̽̕n̷͈̤̮̐͂̍̇͝ͅd̶̫̪̗͍̫͋̔̎̕͘ ̷̡̘͍͓̑̑̑̊͝f̵̱͚͚͌͌͋̕a̴̪͕̹͇̋͑̾̎ṟ̶̢̲͍͊́͌̑t̶̨͓̑͗͂́̚ͅs̸̟̞̼̠͒̀̈́͝ ̷͔͕͉̳̅̑̒̄ͅw̵̹̲̦̗͆̀̋̆́h̸̡̟̠͎́̀̔̿̚e̷̢͕͓̽̽̍̏ͅn̷̠̞̲̈́̋̀̔̕ ̷̰̋͐̇͝ỹ̷͖͔͇͎́̏̇͒ͅö̴͕̝͖̯̳́̈́͋́ǘ̶̱͇̖͉̟̅̓͒̕ ̵̢͍͚̘̃͊̾͂s̴̝̱͚̻̦̓̆̏̋ḻ̸̨̼͉̯̍̀͝͝e̷̢̢̖̗͑̆͋̚ę̵̩̟̠͑̍̐̿̔p̴̢̛̲͕̖͖̎͛̕͝
yes, they can.
thanks you helped me get my 9 minutes back from this video
@sebastianandres my guy, search it up
@@sebastianandreshe also says this 28 seconds onto the video, so yeah.
But it is not that simple
@@neztimar43 i lied to you i didnt even saw the video man
Can Malware escape Virtual Machine running inside a Virtual Machine which is running inside a Virtual Machine?
yes.
If it can escape one machine, then what is another machine for it to escape out of?
yes just the malware could just clone itself to the hypervisor and if it gets detected as a VM redo the process until the VM detection returns false
@@thatoneglitchpokemon(TL;DR at bottom)
That's assuming a lot. For one that either the same hypervisor is being used or that the exploit works for any hypervisor. Well as that that the computer can be detected as a VM in the first place and it's for example not like just a KVM Windows VM faking real hardware and has all possible security maximized (Proper Group Policy setup, UAC, none bruteforceable password, minimal version of Windows such as the IoT release (legal evaluation version can be legally used here), limited and minimized network capabilities, fully deleting any and all browsers including Edge and EdgeWebView, firewall enforced by the VM above it and so on...) And or the same being done with a more well equipped OS for this such as OpenBSD
TL;DR work with the principle of least privilage (such as minimal OS install with only what it needs), and use different hypervisors and OSes per layer of virtualization. And if possible use QubesOS for a more secured and streamlined process. The chances of virtualization fully being defeated even on an internetless fully locked down OS such as a properly configured OpenBSD in the middle of the VM chain is astronomically low, hackers have a higher chance of getting through waiting for a cosmic ray to flip enough bits to hack it for them. Or that they figure out a surefire undefatable way to hack all CPUs to their core.
@@thatoneglitchpokemonhow difficult would this be if every vm is a different OS?
Interesting video, but I'm curious about the specific vulnerabilities they exploited to escape the virtual machine. Were these known exploits that were patched or were they zero-day vulnerabilities?
I don't think there has ever been a case of a malicious exploit. All of the ones I showed are from pwn2own or other trade shows.
@@EricParker well that's the thing, an actual hacker or malware dev isn't going to be concered with exploiting the computer of a security researcher using a vm, because that's such a small number of people it isn't worth the dev time to actually acheive. so the fact these are hobbiest hackers doing it for fun makes sence to me.
VM escapes are one of the top-tier warchest 0-days since you can steal many huge servers with one for a massive attack, or steal data from the adjacent VMs stealthily.
all fun and games until it escapes into ANOTHER vm but doesnt realise it
I love the "Not that windows defender will detect anything".
But... It's the only solution you need.
@@alfonzo7822 Yes, and no. Depends on how u are using your pc. If u are careful the it's ok, but you know still bad. So getting a better av is a good idea.
Honestly not that long ago i thought a VM is a panacea when testing malware and other malicious stuff.
its never safe to download something period, if its a vm a malware could break out of it, if its a throwaway pc networms could reach your main pc through the network
@@bruhblox_ just buy internet from different internet providers for each PC
The can TH-camrs put the answer in the title situation is insane
how did we came from carving rocks in the cave to this specific malware issue man...
short answer yes long answer Y E S
What if you have a antivirus on the main system? Does it just bypass it? @Eric Parker
@@goldencheats23 If it can break out of vms its probably ud too
@@AdilKettani-n3b so the antivirus won't do anything once it gets into the main system? How does that work
but can malware escape physical machines?
Only other thing past physical is via network/wireless/bluetooth etc, to try spreading to another physical.
Some malware can infect the wifi and other pcs connected to the WiFi
@@SmilerRyanYT shut off your internet as soon as you know youve got a virus
Yes, they can affect all machines on a network
net worms can. This is why firewalls are important.
Ahh, good old operator error. Running a sample not in the specialised isolated section, but on the host. That's why they say never experiment if you're not prepared to lose everything. =^.^=
This video was really intreasting. I wonder if there's a way to completely prevent malware from escaping virtual machines, or if it's always going to be a cat-and-mouse game.
intreasting 😭😭 but yeah its probably always gonna be a cat and mouse game, because they is always vulnerabilities in programs, so people are always going to find a way to exploit this. but maybe in theory there will be a day that vms will have like an unstoppable firewall that prevents all malware from seeping through.
Well, I think instead
of focusing on the VM, we should focus on the host and perhaps create a special lockdown mode or ‘high alert mode’ when testing malware on a VM
There is no way to prevent all escapes
unnetworked and a host with nothing worthwhile on it is a good start
Full virtualization is an entirely impractical yet successful answer.
Malware can reach a host if it is installed on an imaginary operating system directly connected to the host hardware.
Malware cannot reach the host if it is installed on imaginary computer hardware in a simulated computer.
Love the way you explain man ❤❤
I've heard that some malware get "permanently" embedded in hard storage, staying there despite reformatting the disk
Iirc it's not embedded in the storage, but rather the firmware/CPU(?) somehow? I could be remembering wrong, but it's true that there are malwares that persist even through a disk reformat
Malware on bios
Not really, once you format a disk everything is gone. The problem is that they infect the UEFI which means that they're gonna live in your motherboard memory, so regardless of how many times you format your HDD, the virus will keep reinfecting it.
@@frankbucciantini388 what's the solution in that case?
But can malware escape my basement?
Thanks for making my sleeping even more nervous! :D
And thanks for the video!
Matrix level threat, still trying to escape reality
What I do is I bought a cheap old intel Nuc off ebay for 50 usd and run a linux based hypervisor on it. I then run windows in that to mess with windows malware. I believe it is highly unlikely that a malware that targets windows will attack my linux host. Additionally I do have that machine on an entirely physically separate network. No vlan or subnetting or anything. Literally no physical connection. I use one of those old 3g data sticks on it to connect it to the internet.
That tiny little box is generally my testing environment for all sorts of things that i don‘t want on my actual machine.
Some malwares are smart: can recognize a VM and so it won’t fire so naturally you think it’s safe. And when it’s in the real system it fires. Maybe not a VM escape but a VM dodging.
I am too afraid of somehow messing up my host computer so instead i just mess around in triage
We're still waiting for the cat ears at 100k bro... 😼
Can they escape a virtual machine running inside of another, running inside of templeOS?
What about remote desktops?
Sorry if that's a dumb question I do not have much knowledge on these subjects.
Well a remote desktop is basically like you're watching a video so it's quite unlikely to have an escape.
But if your remote desktop supports drag and drop files from the remote desktop to the normal desktop or other similar interaction features it's maybe possible that they could be exploitable. But if you don't have any fancy features, so basically you can just look and click then there is no way to have an exploit
Yes, malware can spread via remote desktop protocol. You should not ever make rdp with untrusted entities as it can compromise not only your PC but whole network you are connected to. Your PC can serve as pivot point to attack all other devices at same network
@@wchodala9263 that would only work if you had unauthenticated rdp on your host and that was visible to the untrusted machine... a client to a server (untrusted machine) would be safe.
Can Malware escape RDP?
That's actually an interesting question. In theory it's possible such an exploit exists, haven't reversed RDP much.
RDP to newer versions of windows have drag and drop file transfer enbaled by default so id imagine it would be pretty easy
You forgot to talk about clipboard sharing and auto usb mounting to VM
My laptop speaker audio has been reduced recently, tried using Malwarebytes to remove malware since I thought of a correlation here, but I still think that my laptop is working weirdly
Ok that escaping is very specific on the used vm software and os you are running on, isn't it. I don't think quemu emulation would allow that, or would there be the same issues?
TLDW: yes, if they have worms on it/they can
im not concerned about guest to host escape as its wildly unlikely, what im worried about is malware that requires an internet connection to run like some infostealers? wouldnt connecting the VM to the internet allow some LAN-escape to infect other REAL computers on the same network?
Thats why it should be isolated from the rest and firewalls in place. Some smart malwares that detect vm just behave nicely while at the vm so u think they r not doing anything nasty.
so i'll admit, im not that skilled, but i am aiming towards being a pen-tester personally (been interested in cyber sec for ~ the last 7 years, and actively learning the last 2-3ish), and before watching, my thought would be theoretically yes, but its gonna be easier for it todo network traversal, rather than direct VM escape (ie, you make the VM, and don't take it off the network by accident or whatever, and it jumps to your main system that way). Will edit after finishing the vid.
Edit: after finishing, while I missed some of the more nuance portion (namely the last bit about AWS, and other VM sellers being the primary targets), I am glad to know I was more or less correct it would seem in that you have to have really bad luck w/ a 0 day (aka the "theorectically yes" portion), or user error. not trying to sound like im bragging or anything, more just proud that my thought process was accurate
yea directly escaping might be harder. What most do is just "behave nicely" under strange circunstances. That means some infected steam malware will just behave properly if it detects no network or a vm and it will just be "steam". U think its safe and when u run it outside of the vm it deploys the payload. Obv that approach wont work when you KNOW its malicious but the point is when finding IF it's malicious. If it behaves as expected under the vm and does what it says nothing more it may look safe.
great video! out of curiosity, are there similar methods where malware can escape KERNEL VMs? like qume kvm and oracle virtual box running on docker containers?
depends on a virtual machine in question
All depends how malicious the malware is
Use a software based emulator running only in userspace. Further confined with selinux. Live boot the host OS. Safest way to virtualize.
Yes, its can happen if they works with infecting hardware not only system.
How about a VM inside a VM?
7:36
Anything connected to the internet is not completly safe
just run a virtual machine in a virtual machine, problem solved
Short answer: It can if you set it up wrong.
i think you could enable hyper-v on windows while running a kvm on a linux host
Why does no one speak about kaspersky as an AV?
If you can get hyper v to run inside virtual box to run inside vmware inside kvm...
Malware inception.
Mutahar be sweatin'.
but what if you run a vm inside a vm to counteract a vm escape, like wouldn't that work?
hi mr eric
The question is can u hack pc with eth cable .. other question can u hack using hardisk or gpu devices
What about sandbox on windows 10pro ?
How private is Whonix?
great video.
i am waiting for cat ears
HOW IS THAT POSSIBLE
It seemed very easy at first
What about iPhones?
Do something about your voice EQ man, literally had to turn up the volume to hear you but my subwoofer started shaking because your voice is drowned in bass
Its using a hardened vm on a rdp safe?
Malware cant escape triage tho. Or maybe triage is not a VM? Or doesn't work in a similar way
What if I run a VM..inside a VM,inside a VM? xD
can you turn on dark mode pls?
Mr. Anderson...
This also includes windows sandbox?
The answer is always yes.
hello im escaped from vm, now im in da woda
I'm currently studying malware analysis and the common case is that Malware attempts to disable its functionality or makes analysis hellish if it detects that it's in a VM, because average malware authors don't have millions of dollars to exploit hardware related zero days.
Most modern malware contains routines that check if the machine is a VM (it could check the given resources to the guest, or get the process list of the guest and checks for the VMware tools process and many other techniques that I haven't fully studied/known about yet..), and from there decide whether it executes its normal malicious behavior or just doesn't execute it's malicious payload.
Additionally, when doing dynamic analysis (running the malware) you'd use services that simulate an internet connection in order to get an insight on what it does. (You wouldn't really allow the malware to connect to the internet directly, unless you're absolutely certain on what it does which you can know by using static analysis)
On top of that, most of the time you'd have to uninstall VMware Tools because malware is on the lookout for that process and therefore you can't use shared folders to begin with.
I use triage to test malwere
Big YES
Adding something that allows malware to escape a virtual machine definitely adds to the detectability and the size not to mention it's overly complex and limited use. So while it can happen it just isn't worth making or using
can malware running inside of a windows vm infect a linux machine and how commen is this? (sorry if this is a stupid question)
Because im thinking that it wouldn't be able to work inside a whole different system, but also, it could escape and then just secretly install the Linux version of the malware???
@@insertOwO
I actually don't believe this is possible at all.
The virus.exe thing if trying to target the host would have to run on wine, it could affect it negatively(cause wine can access your FS in userspace) but not widely affect the OS, like the root directory.
Altho i am basing this from another video about how running exe virus can still affect your host smh, therefore the setup should alot better in that regard.
It has to do a vm escape then check if the operating system is linux and install a version of malware that supports linux
Yes it can, but requires more effort. If the malware is using an expensive 0-day, they might as well invest in cross-platform capabilities as well. At this point we are talking about nation-state actors.
Most likely scenario is that a less advanced actor would try to abuse a known sandbox escape and focus on Windows to Windows.
Escape the matrix 😅
Could you do bakkesmod? I'm sure it's legit and safe
You really need to make a video about this? lol I already knew the answer.....
Wow, of course it can, and it makes no difference if the machine is virtualized or not, it's called the network card. Many viruses scan the network for machines which are accessible and vulnerable, and try to infect it. Been there when it's happening. Some machines got infected as the network was coming up, whilst the OS was being installed.
third!
No it can't but it Download beautiful copies of itself after break out of the virtuliziation. 😂😜😂
Huh!?
First like then watch
ELITE CONTENT - MCLIZ