I remember Mutahar (someordinarygamers) mentioning in a video that he had to reimage his PC because he was doing a virus investigation and it managed to escape the VM. So yeah, it's absolutely possible. It's why I'm too scared to do it myself and instead watch UA-camrs take the risk. I still think VMs are a good security measure, but as all security measures, don't assume it's a silver bullet because nothing is completely secure... Except TempleOS.
Best solution for testing is to have a dedicated box on its own subnet/vlan that cannot communicate with the rest of your network. Even then, when you actually test you definitely should unplug Ethernet and setup a fakenet or something similar to look for network connections.
VM escapes are one of the top-tier warchest 0-days since you can steal many huge servers with one for a massive attack, or steal data from the adjacent VMs stealthily.
@@thatoneglitchpokemon(TL;DR at bottom) That's assuming a lot. For one that either the same hypervisor is being used or that the exploit works for any hypervisor. Well as that that the computer can be detected as a VM in the first place and it's for example not like just a KVM Windows VM faking real hardware and has all possible security maximized (Proper Group Policy setup, UAC, none bruteforceable password, minimal version of Windows such as the IoT release (legal evaluation version can be legally used here), limited and minimized network capabilities, fully deleting any and all browsers including Edge and EdgeWebView, firewall enforced by the VM above it and so on...) And or the same being done with a more well equipped OS for this such as OpenBSD TL;DR work with the principle of least privilage (such as minimal OS install with only what it needs), and use different hypervisors and OSes per layer of virtualization. And if possible use QubesOS for a more secured and streamlined process. The chances of virtualization fully being defeated even on an internetless fully locked down OS such as a properly configured OpenBSD in the middle of the VM chain is astronomically low, hackers have a higher chance of getting through waiting for a cosmic ray to flip enough bits to hack it for them. Or that they figure out a surefire undefatable way to hack all CPUs to their core.
Some malwares are smart: can recognize a VM and so it won’t fire so naturally you think it’s safe. And when it’s in the real system it fires. Maybe not a VM escape but a VM dodging.
No need to go through brick walls. t̵͍͈͝ḧ̶̢̟̪͕́ë̷̡͚́̓̇͋͝y̶͇̠̗̬͛̏̐͆̓ ̸̡͗̿l̴̳͍̓̽͌͆̌ì̷̢̬͚͜ͅv̷̬̘̼̱͐̓͑́͝ͅe̸͇͚̪̱̅̎̊̓ ̸͙̾̾̍̀͝i̵̡͍͂̍̊͝n̸̢̡̢͍̥̓ͅs̴̤͓̈́͌̊̚ȋ̴͕̻͔̟͐͊̓̚d̸̫̫̻͖̐͗̄͐͝e̶̠͔͊̐́̚ ̷̩͚̹̈́̽̏̿̏̈́ÿ̶̢̜̗̱̩́̑͆̈́͋o̷̤͇͓̲̿̇̀͘ǘ̵͔̼̳͙͓̥̐͝r̶̪̞̅̉̐͝ ̷͈̥̠̱̐̅̊̆͌̌w̶̨̲̗͎͛̋̅̌͆̑ͅa̴̛̯͉̍͆̆̐l̸̛͓̯͕͑̌̄ͅl̷̛̙͖̪̼̾̐̐̈́ͅs̴̯͕̞͖̩̖̀̍͝͝͝ ṯ̸̨̛̘̥̈́̇͘͠h̵̛͈͍̰͙̑̎̒͝e̵̩̻͓̠͇̐͂͂͝y̸̛̪̟͇̟̞͑̽́̕ ̷̜̟̂̌̆͛͌ͅc̶̻̱̞͚͋̒̐̐͑͜a̴̤͉̍̈́͂̄̚ǹ̵̡̈́̆̽ ̷̛̠̦͙̗̽̓͛̕h̴̢̢̼̬̓͊͌̆̚é̶̪͇̰͚̠̀͘̚a̸̜͎̦̲̩̋̓̎̔r̶̛̪̫͎̱̖̅̓͠ ̶͍͉̫̀͂̊̎ȳ̸̡̛͕͔͍̯̋̕̚õ̷̫̪͆̒̀̑ư̵͇͕̈́̆̑̕ȓ̷̡̛̛͕͔̯̊̐ ̴͖̯̘̗̇̓͆͘͝h̵̢͖̹̥̘̀̄̓̇͝e̷̬̖̙̋̿͌̀͘á̶̛̼̻̯̟̪͛͗̾r̵̢̫̻̯͛̿̎̾͘t̵͉͉͎̀̀̎̐͝ͅb̷̝̫̦̦̋͆͌̕e̶̠̝̯̍̐̋̆͂a̷̱̫͓͑̅̿̄t̷̹̑͆͊̊̑ ̸̡͉̝̙̿̐̎̕͠a̸̛͖͖͛̓̽̕n̷͈̤̮̐͂̍̇͝ͅd̶̫̪̗͍̫͋̔̎̕͘ ̷̡̘͍͓̑̑̑̊͝f̵̱͚͚͌͌͋̕a̴̪͕̹͇̋͑̾̎ṟ̶̢̲͍͊́͌̑t̶̨͓̑͗͂́̚ͅs̸̟̞̼̠͒̀̈́͝ ̷͔͕͉̳̅̑̒̄ͅw̵̹̲̦̗͆̀̋̆́h̸̡̟̠͎́̀̔̿̚e̷̢͕͓̽̽̍̏ͅn̷̠̞̲̈́̋̀̔̕ ̷̰̋͐̇͝ỹ̷͖͔͇͎́̏̇͒ͅö̴͕̝͖̯̳́̈́͋́ǘ̶̱͇̖͉̟̅̓͒̕ ̵̢͍͚̘̃͊̾͂s̴̝̱͚̻̦̓̆̏̋ḻ̸̨̼͉̯̍̀͝͝e̷̢̢̖̗͑̆͋̚ę̵̩̟̠͑̍̐̿̔p̴̢̛̲͕̖͖̎͛̕͝
@@alfonzo7822 Yes, and no. Depends on how u are using your pc. If u are careful the it's ok, but you know still bad. So getting a better av is a good idea.
@@S.S.S759When it comes to scanning windows defender uses almost the same virus definitions as other av. the only difference is windows defender doesn't have a good realtime protection like checking for malicious connections etc. But if you're someone who knows what they're doing, windows defender is fine. i only use windows defender ans npe when i suspect malware. npe has been the best at removing malware. but for offline i use msert
Just don't let them get anything they can pick the lock with and you should be good. Remember to feed your basement malware, the stink is terrible otherwise.
Most vm escape in the early 2000s were just network based as most applications back then used NAT without a firewall. This especially under XP caused many headaches.
Interesting video, but I'm curious about the specific vulnerabilities they exploited to escape the virtual machine. Were these known exploits that were patched or were they zero-day vulnerabilities?
@@EricParker well that's the thing, an actual hacker or malware dev isn't going to be concered with exploiting the computer of a security researcher using a vm, because that's such a small number of people it isn't worth the dev time to actually acheive. so the fact these are hobbiest hackers doing it for fun makes sence to me.
@@EricParker exploits like this can be tough to use in a widespread way in the wild, because whatever entity using it risks tipping their hand or allowing someone else to reverse engineer the technique for themselves
Iirc it's not embedded in the storage, but rather the firmware/CPU(?) somehow? I could be remembering wrong, but it's true that there are malwares that persist even through a disk reformat
Not really, once you format a disk everything is gone. The problem is that they infect the UEFI which means that they're gonna live in your motherboard memory, so regardless of how many times you format your HDD, the virus will keep reinfecting it.
I asked this question to a security "expert" back in 2012 if this was possible. Their answer was "no". Glad to see that if I can imagine it, it becomes so. I have seen that happen a lot recently.
Just a note: KVM doesn't necesarrily have to be a software virtualizing hardware, it can be a hardware itself that sits between the dedicated physical machine and the network input, and with that piece of hardware, you can fully control the physical machine remotely (which is used by number of data centers worldwide). You can power it off, you can even power it on. It's a full control node. It shares the same abbreviation with the KVM software that does virtualization.
@@Isaac-eq7xk Isaac. I have at least 2 active NDA's from the work Ive done in cybersecurity and general tech. What I said is a fact that Eric would likely agree with. If he tries to deny that hes on the wrong side of the bell curve because the skill gap in this industry goes from kiddy playing in HTML editor to literal god who was in the FBI watchlist at 13 and wrote his own kernel and compiler and only went to work for the good guys after he got arrested and faced 300 years in prison. Eric is a hobbyist who makes videos for other less experienced hobbyists. Nothing Eric has covered is advanced in any shape way or form. Its literally entry level stuff, its only considered more than that by people with zero actual experience in the field. Thats not a slight against him or his content its just a fact, his videos are entertaining, mildly educational and good. Im sorry your feelings were hurt.
What I do is I bought a cheap old intel Nuc off ebay for 50 usd and run a linux based hypervisor on it. I then run windows in that to mess with windows malware. I believe it is highly unlikely that a malware that targets windows will attack my linux host. Additionally I do have that machine on an entirely physically separate network. No vlan or subnetting or anything. Literally no physical connection. I use one of those old 3g data sticks on it to connect it to the internet. That tiny little box is generally my testing environment for all sorts of things that i don‘t want on my actual machine.
This video was really intreasting. I wonder if there's a way to completely prevent malware from escaping virtual machines, or if it's always going to be a cat-and-mouse game.
intreasting 😭😭 but yeah its probably always gonna be a cat and mouse game, because they is always vulnerabilities in programs, so people are always going to find a way to exploit this. but maybe in theory there will be a day that vms will have like an unstoppable firewall that prevents all malware from seeping through.
Well, I think instead of focusing on the VM, we should focus on the host and perhaps create a special lockdown mode or ‘high alert mode’ when testing malware on a VM
Full virtualization is an entirely impractical yet successful answer. Malware can reach a host if it is installed on an imaginary operating system directly connected to the host hardware. Malware cannot reach the host if it is installed on imaginary computer hardware in a simulated computer.
When I was young, I used to test viruses in VM, for fun, 1 virus got out(as i know) and put a nest in the WiFi router, it was somehow physically overwritten from above, no antivirus could help, finally we threw it in the trash
its never safe to download something period, if its a vm a malware could break out of it, if its a throwaway pc networms could reach your main pc through the network
A VM was still a safe environment to test malware and such. These were exploits that got patched, and the likelihood that any virus you're going to come across is going to break through the VM and infect your entire network is around zero.
There is no secure way to "test" malware. It's some scary shit. It's unlikely to break out of a VM or to spread through your network, but it's not impossible. Unless it's your job and you know EXACTLY what you're doing, never deliberately download malware and be very cautious with downloading even legit software.
@@plebisMaximussay what you want but if it’s your experience there’s no secure way to do it, you must have poor updating habits, or, like he said in the video, get extraordinarily unlucky with a zero-day i test all sorts of malware in vm’s, i have for a decade i just don’t disable any of the side-channel mitigations when working with malware as i don’t want it potentially seeing my host’s memory spaces
im not concerned about guest to host escape as its wildly unlikely, what im worried about is malware that requires an internet connection to run like some infostealers? wouldnt connecting the VM to the internet allow some LAN-escape to infect other REAL computers on the same network?
Thats why it should be isolated from the rest and firewalls in place. Some smart malwares that detect vm just behave nicely while at the vm so u think they r not doing anything nasty.
We were doing infrastructure clouds for that company related to Ebay. First production workloads kicked in, somebody hacked the front-end software, escaped the VM and spilled onto the hypervisor, using another exploit to expose the ssh keys. We were highly praised the next day because we were schmucks who didn't know shit and completely f-d up the inter-hypervisor networking that evening. The hacker couldn't figure out how to fix it and just gave up.
Ahh, good old operator error. Running a sample not in the specialised isolated section, but on the host. That's why they say never experiment if you're not prepared to lose everything. =^.^=
@@goldencheats23 to be able to code a virus that is able to break Out of vm's ,you must have really good knowledge in malware development , and the basics of malware development is to know how to bypass antiviruses. Meaning that the person who made that malware probably also coded it in a way that it wont be detected by any Antivirus
Any time I've ever done any screwing about with malware, I used linux as my host system with a windows vm. I'd wager the chances of a virus running on windows not only being able to escape a vm but to also successfully have an impact on linux to be very low.
Since I know this I never do Malware analysis in Vmware or virtualbox anymore. I use Recorded future Triage which is free and safe. Even though I'm still use VMware, it's only for experimenting with Windows systems.
Guys, it may seem silly, but this happened to me. I was testing in a virtualized environment inside my W10 using Virtual Box with a W10 and suddenly I heard a super strange sound coming from the mouse. The sound sounded like a flat tire with a flooded lawnmower at the moment of use. I was scared to death, but the spirit for discoveries was greater. I continued with my tests and after several sounds described above I saw a message on the screen. It said the following: "Never mix coffee with cola!" Then I started to put the pieces together: how did the virus discover that I was using carbon paper to draw the pyramids in the third grade in the afternoon?! Guys, this left me astonished to the point of reviewing the settings of my computer that was bought at a stand in Bangladesh in exchange for some corn that was said to be super corn, where a single grain of corn was enough to make more than a billion Cereals for all of us in the world. In short: the color purple is better than confetti on the floor.
Nice video, but throughout watching your videos, there were several audio hitches like at 2:40 here sounding like a misplaced cut, cutting off the information and the sentence. Just FYI!
They do can but now days it's rather a low possibilty of happening since virtual machines have leveled up and viruses had rather leveled down than leveled up in being dangerous
@@younes1815because if a virus wants to escape windows from inside a VM it usually wants to virus the host. Linux is built different, so a virus written for infecting windows wouldn't work. Also, people like to believe linux is much more secure, but that's only because most targets are on windows machinez
As usual security is never absolute, but you shoot for the most practical solution weighed against what you have to protect. If you have 2 identical houses side by side with the only difference being that one has a security sign in the window, which do you think will get robbed first? Neither house is truly secure, but the house with no security sign is more likely to get hit by a burglar of opportunity. Now, if you put a stack of money in full view of a window in the house with the sign then you obviously will need more than a sign. Security is way more nuanced than that example, but I hope it illustrates the point.
I guess that top antivirus companies test on special virtualization that closely emulates real hardware including 3D or they test on real hardware and watch through DMA card and some custom remote connection drivers.
Ok that escaping is very specific on the used vm software and os you are running on, isn't it. I don't think quemu emulation would allow that, or would there be the same issues?
so i'll admit, im not that skilled, but i am aiming towards being a pen-tester personally (been interested in cyber sec for ~ the last 7 years, and actively learning the last 2-3ish), and before watching, my thought would be theoretically yes, but its gonna be easier for it todo network traversal, rather than direct VM escape (ie, you make the VM, and don't take it off the network by accident or whatever, and it jumps to your main system that way). Will edit after finishing the vid. Edit: after finishing, while I missed some of the more nuance portion (namely the last bit about AWS, and other VM sellers being the primary targets), I am glad to know I was more or less correct it would seem in that you have to have really bad luck w/ a 0 day (aka the "theorectically yes" portion), or user error. not trying to sound like im bragging or anything, more just proud that my thought process was accurate
yea directly escaping might be harder. What most do is just "behave nicely" under strange circunstances. That means some infected steam malware will just behave properly if it detects no network or a vm and it will just be "steam". U think its safe and when u run it outside of the vm it deploys the payload. Obv that approach wont work when you KNOW its malicious but the point is when finding IF it's malicious. If it behaves as expected under the vm and does what it says nothing more it may look safe.
Can Malware from a windows partition jump to a Linux partition on the same machine, or vise versa, or just between different windows partitions? If so, is it a common type of malware feature seen in the wild (spreading between OS partitions).
Well obviously they can get out of a vm, but isnt a big obvious one being the virus getting into the internet? Or alternatively ive heard of some detecting that they are in a VM, therefore stopping the code, but when its ran outside a VM, it actually runs?
My laptop speaker audio has been reduced recently, tried using Malwarebytes to remove malware since I thought of a correlation here, but I still think that my laptop is working weirdly
I think its possible and there has been few cases, but it really depends about how the rdp has been configured. At my work it is often done so that only user inputs and video is allowed trough.
While the virtual machine example is important and interesting, I’m also interested in what viruses or malware can do when downloaded through a code translator like wine on linux. Say for example you are running Windows games on a linux machine and a windows virus is sent to your computer, does the translation layer make that windows virus now linux compatible?
Well a remote desktop is basically like you're watching a video so it's quite unlikely to have an escape. But if your remote desktop supports drag and drop files from the remote desktop to the normal desktop or other similar interaction features it's maybe possible that they could be exploitable. But if you don't have any fancy features, so basically you can just look and click then there is no way to have an exploit
Yes, malware can spread via remote desktop protocol. You should not ever make rdp with untrusted entities as it can compromise not only your PC but whole network you are connected to. Your PC can serve as pivot point to attack all other devices at same network
@@wchodala9263 that would only work if you had unauthenticated rdp on your host and that was visible to the untrusted machine... a client to a server (untrusted machine) would be safe.
Adding something that allows malware to escape a virtual machine definitely adds to the detectability and the size not to mention it's overly complex and limited use. So while it can happen it just isn't worth making or using
I remember Mutahar (someordinarygamers) mentioning in a video that he had to reimage his PC because he was doing a virus investigation and it managed to escape the VM. So yeah, it's absolutely possible. It's why I'm too scared to do it myself and instead watch UA-camrs take the risk.
I still think VMs are a good security measure, but as all security measures, don't assume it's a silver bullet because nothing is completely secure... Except TempleOS.
templeos is the most secure OS because it is secured by the lord himself... amen
Best solution for testing is to have a dedicated box on its own subnet/vlan that cannot communicate with the rest of your network.
Even then, when you actually test you definitely should unplug Ethernet and setup a fakenet or something similar to look for network connections.
@@sakamocat and if it ever gets hacked then it was god's plan all along
@@raininafrica4620No way, LMAO
Having read the Wikipedia article on TempleOS, I’m convinced that it might be the way forward.
But can worms escape from my PC's to power cable, then from power cable dig the way out and get inside me while I sleep?
🤨🤨🤨🤨
Yesish but no?
Idiot, they will got stuck by electricity
Not if you eat your vegetables. Have you been eating your vegetables?😐
yes
VM escapes are one of the top-tier warchest 0-days since you can steal many huge servers with one for a massive attack, or steal data from the adjacent VMs stealthily.
if they're unicersal yes but since vms are so complex they're usually highly dependent on the configuration and hardware used
yes, they can.
thanks you helped me get my 9 minutes back from this video
@sebastianandres my guy, search it up
@@sebastianandreshe also says this 28 seconds onto the video, so yeah.
But it is not that simple
@@neztimar43 i lied to you i didnt even saw the video man
Can Malware escape Virtual Machine running inside a Virtual Machine which is running inside a Virtual Machine?
yes.
If it can escape one machine, then what is another machine for it to escape out of?
yes just the malware could just clone itself to the hypervisor and if it gets detected as a VM redo the process until the VM detection returns false
@@thatoneglitchpokemon(TL;DR at bottom)
That's assuming a lot. For one that either the same hypervisor is being used or that the exploit works for any hypervisor. Well as that that the computer can be detected as a VM in the first place and it's for example not like just a KVM Windows VM faking real hardware and has all possible security maximized (Proper Group Policy setup, UAC, none bruteforceable password, minimal version of Windows such as the IoT release (legal evaluation version can be legally used here), limited and minimized network capabilities, fully deleting any and all browsers including Edge and EdgeWebView, firewall enforced by the VM above it and so on...) And or the same being done with a more well equipped OS for this such as OpenBSD
TL;DR work with the principle of least privilage (such as minimal OS install with only what it needs), and use different hypervisors and OSes per layer of virtualization. And if possible use QubesOS for a more secured and streamlined process. The chances of virtualization fully being defeated even on an internetless fully locked down OS such as a properly configured OpenBSD in the middle of the VM chain is astronomically low, hackers have a higher chance of getting through waiting for a cosmic ray to flip enough bits to hack it for them. Or that they figure out a surefire undefatable way to hack all CPUs to their core.
@@thatoneglitchpokemonhow difficult would this be if every vm is a different OS?
Some malwares are smart: can recognize a VM and so it won’t fire so naturally you think it’s safe. And when it’s in the real system it fires. Maybe not a VM escape but a VM dodging.
He mentioned it here and I believe he has a video about hiding that your VM is a VM so that malware can't tell
Yes it is a common attack, see MITRE Technique T1497 "Virtualization/Sandbox Evasion" for more Information and examples.
Wouldn't happen in TempleOS
In the temple, viruses glow in the dark
Malware on TempleOS would download more ram and a car for us.
If you get a virus on TempleOS you might summon a D(a)emon
God is the anti-virus, he checks the malware for us before it runs
Daemons cannot tread upon holy ground
Can malware go through a brick wall next please.
No need to go through brick walls.
t̵͍͈͝ḧ̶̢̟̪͕́ë̷̡͚́̓̇͋͝y̶͇̠̗̬͛̏̐͆̓ ̸̡͗̿l̴̳͍̓̽͌͆̌ì̷̢̬͚͜ͅv̷̬̘̼̱͐̓͑́͝ͅe̸͇͚̪̱̅̎̊̓ ̸͙̾̾̍̀͝i̵̡͍͂̍̊͝n̸̢̡̢͍̥̓ͅs̴̤͓̈́͌̊̚ȋ̴͕̻͔̟͐͊̓̚d̸̫̫̻͖̐͗̄͐͝e̶̠͔͊̐́̚ ̷̩͚̹̈́̽̏̿̏̈́ÿ̶̢̜̗̱̩́̑͆̈́͋o̷̤͇͓̲̿̇̀͘ǘ̵͔̼̳͙͓̥̐͝r̶̪̞̅̉̐͝ ̷͈̥̠̱̐̅̊̆͌̌w̶̨̲̗͎͛̋̅̌͆̑ͅa̴̛̯͉̍͆̆̐l̸̛͓̯͕͑̌̄ͅl̷̛̙͖̪̼̾̐̐̈́ͅs̴̯͕̞͖̩̖̀̍͝͝͝
ṯ̸̨̛̘̥̈́̇͘͠h̵̛͈͍̰͙̑̎̒͝e̵̩̻͓̠͇̐͂͂͝y̸̛̪̟͇̟̞͑̽́̕ ̷̜̟̂̌̆͛͌ͅc̶̻̱̞͚͋̒̐̐͑͜a̴̤͉̍̈́͂̄̚ǹ̵̡̈́̆̽ ̷̛̠̦͙̗̽̓͛̕h̴̢̢̼̬̓͊͌̆̚é̶̪͇̰͚̠̀͘̚a̸̜͎̦̲̩̋̓̎̔r̶̛̪̫͎̱̖̅̓͠ ̶͍͉̫̀͂̊̎ȳ̸̡̛͕͔͍̯̋̕̚õ̷̫̪͆̒̀̑ư̵͇͕̈́̆̑̕ȓ̷̡̛̛͕͔̯̊̐ ̴͖̯̘̗̇̓͆͘͝h̵̢͖̹̥̘̀̄̓̇͝e̷̬̖̙̋̿͌̀͘á̶̛̼̻̯̟̪͛͗̾r̵̢̫̻̯͛̿̎̾͘t̵͉͉͎̀̀̎̐͝ͅb̷̝̫̦̦̋͆͌̕e̶̠̝̯̍̐̋̆͂a̷̱̫͓͑̅̿̄t̷̹̑͆͊̊̑ ̸̡͉̝̙̿̐̎̕͠a̸̛͖͖͛̓̽̕n̷͈̤̮̐͂̍̇͝ͅd̶̫̪̗͍̫͋̔̎̕͘ ̷̡̘͍͓̑̑̑̊͝f̵̱͚͚͌͌͋̕a̴̪͕̹͇̋͑̾̎ṟ̶̢̲͍͊́͌̑t̶̨͓̑͗͂́̚ͅs̸̟̞̼̠͒̀̈́͝ ̷͔͕͉̳̅̑̒̄ͅw̵̹̲̦̗͆̀̋̆́h̸̡̟̠͎́̀̔̿̚e̷̢͕͓̽̽̍̏ͅn̷̠̞̲̈́̋̀̔̕ ̷̰̋͐̇͝ỹ̷͖͔͇͎́̏̇͒ͅö̴͕̝͖̯̳́̈́͋́ǘ̶̱͇̖͉̟̅̓͒̕ ̵̢͍͚̘̃͊̾͂s̴̝̱͚̻̦̓̆̏̋ḻ̸̨̼͉̯̍̀͝͝e̷̢̢̖̗͑̆͋̚ę̵̩̟̠͑̍̐̿̔p̴̢̛̲͕̖͖̎͛̕͝
LMAO 😂
Easy, just use wireless connections such as using your ram as an antenna.
I love the "Not that windows defender will detect anything".
But... It's the only solution you need.
@@alfonzo7822 Yes, and no. Depends on how u are using your pc. If u are careful the it's ok, but you know still bad. So getting a better av is a good idea.
@@S.S.S759When it comes to scanning windows defender uses almost the same virus definitions as other av. the only difference is windows defender doesn't have a good realtime protection like checking for malicious connections etc. But if you're someone who knows what they're doing, windows defender is fine. i only use windows defender ans npe when i suspect malware. npe has been the best at removing malware. but for offline i use msert
@@alfonzo7822WinDef is great yeah but if you're like me who's a power user who doesn't know the nitty details then yeaaaah you might need more layers
@@strob5657 Can you really call yourself a power user if you keep frying your system with malware? lmao
But can malware escape my basement?
It can, unless you put all the devices on your network into your basement and keep them there.
yes, net worms can
Just don't let them get anything they can pick the lock with and you should be good. Remember to feed your basement malware, the stink is terrible otherwise.
all fun and games until it escapes into ANOTHER vm but doesnt realise it
Most vm escape in the early 2000s were just network based as most applications back then used NAT without a firewall. This especially under XP caused many headaches.
but can malware escape physical machines?
Only other thing past physical is via network/wireless/bluetooth etc, to try spreading to another physical.
Some malware can infect the wifi and other pcs connected to the WiFi
@@SmilerRyanYT shut off your internet as soon as you know youve got a virus
Yes, they can affect all machines on a network
net worms can. This is why firewalls are important.
Interesting video, but I'm curious about the specific vulnerabilities they exploited to escape the virtual machine. Were these known exploits that were patched or were they zero-day vulnerabilities?
I don't think there has ever been a case of a malicious exploit. All of the ones I showed are from pwn2own or other trade shows.
@@EricParker well that's the thing, an actual hacker or malware dev isn't going to be concered with exploiting the computer of a security researcher using a vm, because that's such a small number of people it isn't worth the dev time to actually acheive. so the fact these are hobbiest hackers doing it for fun makes sence to me.
@@EricParker exploits like this can be tough to use in a widespread way in the wild, because whatever entity using it risks tipping their hand or allowing someone else to reverse engineer the technique for themselves
I've heard that some malware get "permanently" embedded in hard storage, staying there despite reformatting the disk
Iirc it's not embedded in the storage, but rather the firmware/CPU(?) somehow? I could be remembering wrong, but it's true that there are malwares that persist even through a disk reformat
Malware on bios
Not really, once you format a disk everything is gone. The problem is that they infect the UEFI which means that they're gonna live in your motherboard memory, so regardless of how many times you format your HDD, the virus will keep reinfecting it.
@@frankbucciantini388 what's the solution in that case?
Flashing the bios with a brand new image downloaded from the manufacturer website and onto a USB stick using a different computer.
I asked this question to a security "expert" back in 2012 if this was possible. Their answer was "no". Glad to see that if I can imagine it, it becomes so. I have seen that happen a lot recently.
Anything connected to the internet is not completly safe
Just a note: KVM doesn't necesarrily have to be a software virtualizing hardware, it can be a hardware itself that sits between the dedicated physical machine and the network input, and with that piece of hardware, you can fully control the physical machine remotely (which is used by number of data centers worldwide). You can power it off, you can even power it on. It's a full control node. It shares the same abbreviation with the KVM software that does virtualization.
Love how humble you are, explaining these things without a big ego
Cant have an ego when you havent earned one
Hes very much still a beginner himself just explaining things as best he can for the layman
@@User-kq3odvery untrue
@@Isaac-eq7xk Isaac. I have at least 2 active NDA's from the work Ive done in cybersecurity and general tech. What I said is a fact that Eric would likely agree with. If he tries to deny that hes on the wrong side of the bell curve because the skill gap in this industry goes from kiddy playing in HTML editor to literal god who was in the FBI watchlist at 13 and wrote his own kernel and compiler and only went to work for the good guys after he got arrested and faced 300 years in prison.
Eric is a hobbyist who makes videos for other less experienced hobbyists. Nothing Eric has covered is advanced in any shape way or form. Its literally entry level stuff, its only considered more than that by people with zero actual experience in the field.
Thats not a slight against him or his content its just a fact, his videos are entertaining, mildly educational and good. Im sorry your feelings were hurt.
@@User-kq3od shouldve been more specific, people have unearned egos all the time
@@Isaac-eq7xk Shouldve gotten a higher level reading comprehension, dont blame me for your own inadequacy.
What I do is I bought a cheap old intel Nuc off ebay for 50 usd and run a linux based hypervisor on it. I then run windows in that to mess with windows malware. I believe it is highly unlikely that a malware that targets windows will attack my linux host. Additionally I do have that machine on an entirely physically separate network. No vlan or subnetting or anything. Literally no physical connection. I use one of those old 3g data sticks on it to connect it to the internet.
That tiny little box is generally my testing environment for all sorts of things that i don‘t want on my actual machine.
Thats neat!
This video was really intreasting. I wonder if there's a way to completely prevent malware from escaping virtual machines, or if it's always going to be a cat-and-mouse game.
intreasting 😭😭 but yeah its probably always gonna be a cat and mouse game, because they is always vulnerabilities in programs, so people are always going to find a way to exploit this. but maybe in theory there will be a day that vms will have like an unstoppable firewall that prevents all malware from seeping through.
Well, I think instead
of focusing on the VM, we should focus on the host and perhaps create a special lockdown mode or ‘high alert mode’ when testing malware on a VM
There is no way to prevent all escapes
unnetworked and a host with nothing worthwhile on it is a good start
Full virtualization is an entirely impractical yet successful answer.
Malware can reach a host if it is installed on an imaginary operating system directly connected to the host hardware.
Malware cannot reach the host if it is installed on imaginary computer hardware in a simulated computer.
When I was young, I used to test viruses in VM, for fun, 1 virus got out(as i know) and put a nest in the WiFi router, it was somehow physically overwritten from above, no antivirus could help, finally we threw it in the trash
Honestly not that long ago i thought a VM is a panacea when testing malware and other malicious stuff.
its never safe to download something period, if its a vm a malware could break out of it, if its a throwaway pc networms could reach your main pc through the network
@@bruhblox_ just buy internet from different internet providers for each PC
A VM was still a safe environment to test malware and such. These were exploits that got patched, and the likelihood that any virus you're going to come across is going to break through the VM and infect your entire network is around zero.
There is no secure way to "test" malware. It's some scary shit. It's unlikely to break out of a VM or to spread through your network, but it's not impossible. Unless it's your job and you know EXACTLY what you're doing, never deliberately download malware and be very cautious with downloading even legit software.
@@plebisMaximussay what you want
but if it’s your experience there’s no secure way to do it, you must have poor updating habits, or, like he said in the video, get extraordinarily unlucky with a zero-day
i test all sorts of malware in vm’s, i have for a decade
i just don’t disable any of the side-channel mitigations when working with malware as i don’t want it potentially seeing my host’s memory spaces
im not concerned about guest to host escape as its wildly unlikely, what im worried about is malware that requires an internet connection to run like some infostealers? wouldnt connecting the VM to the internet allow some LAN-escape to infect other REAL computers on the same network?
Thats why it should be isolated from the rest and firewalls in place. Some smart malwares that detect vm just behave nicely while at the vm so u think they r not doing anything nasty.
We were doing infrastructure clouds for that company related to Ebay. First production workloads kicked in, somebody hacked the front-end software, escaped the VM and spilled onto the hypervisor, using another exploit to expose the ssh keys. We were highly praised the next day because we were schmucks who didn't know shit and completely f-d up the inter-hypervisor networking that evening. The hacker couldn't figure out how to fix it and just gave up.
Ahh, good old operator error. Running a sample not in the specialised isolated section, but on the host. That's why they say never experiment if you're not prepared to lose everything. =^.^=
A good strategy running a different OS on the VM than the host machine. For example, macOS host with Windows VM.
how did we came from carving rocks in the cave to this specific malware issue man...
short answer yes long answer Y E S
What if you have a antivirus on the main system? Does it just bypass it? @Eric Parker
@@goldencheats23 If it can break out of vms its probably ud too
@@AdilKettani-n3b so the antivirus won't do anything once it gets into the main system? How does that work
@@goldencheats23 to be able to code a virus that is able to break Out of vm's ,you must have really good knowledge in malware development , and the basics of malware development is to know how to bypass antiviruses. Meaning that the person who made that malware probably also coded it in a way that it wont be detected by any Antivirus
All depends how malicious the malware is
Any time I've ever done any screwing about with malware, I used linux as my host system with a windows vm. I'd wager the chances of a virus running on windows not only being able to escape a vm but to also successfully have an impact on linux to be very low.
I do wonder one thing, why there are not escapes using external devices with macro functions like mouses.
You forgot to talk about clipboard sharing and auto usb mounting to VM
Can they escape a virtual machine running inside of another, running inside of templeOS?
Matrix level threat, still trying to escape reality
Since I know this I never do Malware analysis in Vmware or virtualbox anymore. I use Recorded future Triage which is free and safe. Even though I'm still use VMware, it's only for experimenting with Windows systems.
Guys, it may seem silly, but this happened to me. I was testing in a virtualized environment inside my W10 using Virtual Box with a W10 and suddenly I heard a super strange sound coming from the mouse. The sound sounded like a flat tire with a flooded lawnmower at the moment of use. I was scared to death, but the spirit for discoveries was greater. I continued with my tests and after several sounds described above I saw a message on the screen. It said the following: "Never mix coffee with cola!" Then I started to put the pieces together: how did the virus discover that I was using carbon paper to draw the pyramids in the third grade in the afternoon?! Guys, this left me astonished to the point of reviewing the settings of my computer that was bought at a stand in Bangladesh in exchange for some corn that was said to be super corn, where a single grain of corn was enough to make more than a billion Cereals for all of us in the world. In short: the color purple is better than confetti on the floor.
This started out great.... Then got infected. 😕
Vivid imagination
Purpl🤤
Nice video, but throughout watching your videos, there were several audio hitches like at 2:40 here sounding like a misplaced cut, cutting off the information and the sentence. Just FYI!
Not a cut, just an audio issue. Hopefully fixed with the new platform I'm building next week.
They do can but now days it's rather a low possibilty of happening since virtual machines have leveled up and viruses had rather leveled down than leveled up in being dangerous
you can do pcie passthrough for 3d acceleration which is secure as long as you respect the iommu groups.
Love the way you explain man ❤❤
Malware: *escapes windows vm*
Malware: where am i
Linux: death
Why?
@@younes1815because if a virus wants to escape windows from inside a VM it usually wants to virus the host. Linux is built different, so a virus written for infecting windows wouldn't work. Also, people like to believe linux is much more secure, but that's only because most targets are on windows machinez
@@katarnsside note but most viruses target mac and windows because most people are on those
@@kowaihanaMost valuable data is stored on Linux machines though, like 99% of all servers in the world run Linux.
@@d.sherman8563 "PEOPLE"
As usual security is never absolute, but you shoot for the most practical solution weighed against what you have to protect. If you have 2 identical houses side by side with the only difference being that one has a security sign in the window, which do you think will get robbed first? Neither house is truly secure, but the house with no security sign is more likely to get hit by a burglar of opportunity. Now, if you put a stack of money in full view of a window in the house with the sign then you obviously will need more than a sign. Security is way more nuanced than that example, but I hope it illustrates the point.
I guess that top antivirus companies test on special virtualization that closely emulates real hardware including 3D or they test on real hardware and watch through DMA card and some custom remote connection drivers.
Can the malware escape if I break the computer?
Ok that escaping is very specific on the used vm software and os you are running on, isn't it. I don't think quemu emulation would allow that, or would there be the same issues?
so i'll admit, im not that skilled, but i am aiming towards being a pen-tester personally (been interested in cyber sec for ~ the last 7 years, and actively learning the last 2-3ish), and before watching, my thought would be theoretically yes, but its gonna be easier for it todo network traversal, rather than direct VM escape (ie, you make the VM, and don't take it off the network by accident or whatever, and it jumps to your main system that way). Will edit after finishing the vid.
Edit: after finishing, while I missed some of the more nuance portion (namely the last bit about AWS, and other VM sellers being the primary targets), I am glad to know I was more or less correct it would seem in that you have to have really bad luck w/ a 0 day (aka the "theorectically yes" portion), or user error. not trying to sound like im bragging or anything, more just proud that my thought process was accurate
yea directly escaping might be harder. What most do is just "behave nicely" under strange circunstances. That means some infected steam malware will just behave properly if it detects no network or a vm and it will just be "steam". U think its safe and when u run it outside of the vm it deploys the payload. Obv that approach wont work when you KNOW its malicious but the point is when finding IF it's malicious. If it behaves as expected under the vm and does what it says nothing more it may look safe.
Can Malware from a windows partition jump to a Linux partition on the same machine, or vise versa, or just between different windows partitions? If so, is it a common type of malware feature seen in the wild (spreading between OS partitions).
Your Answer: 8:14
Well obviously they can get out of a vm, but isnt a big obvious one being the virus getting into the internet? Or alternatively ive heard of some detecting that they are in a VM, therefore stopping the code, but when its ran outside a VM, it actually runs?
My laptop speaker audio has been reduced recently, tried using Malwarebytes to remove malware since I thought of a correlation here, but I still think that my laptop is working weirdly
Thanks for making my sleeping even more nervous! :D
And thanks for the video!
Can Malware escape RDP?
That's actually an interesting question. In theory it's possible such an exploit exists, haven't reversed RDP much.
RDP to newer versions of windows have drag and drop file transfer enbaled by default so id imagine it would be pretty easy
I think its possible and there has been few cases, but it really depends about how the rdp has been configured. At my work it is often done so that only user inputs and video is allowed trough.
While the virtual machine example is important and interesting, I’m also interested in what viruses or malware can do when downloaded through a code translator like wine on linux. Say for example you are running Windows games on a linux machine and a windows virus is sent to your computer, does the translation layer make that windows virus now linux compatible?
What about remote desktops?
Sorry if that's a dumb question I do not have much knowledge on these subjects.
Well a remote desktop is basically like you're watching a video so it's quite unlikely to have an escape.
But if your remote desktop supports drag and drop files from the remote desktop to the normal desktop or other similar interaction features it's maybe possible that they could be exploitable. But if you don't have any fancy features, so basically you can just look and click then there is no way to have an exploit
Yes, malware can spread via remote desktop protocol. You should not ever make rdp with untrusted entities as it can compromise not only your PC but whole network you are connected to. Your PC can serve as pivot point to attack all other devices at same network
@@wchodala9263 that would only work if you had unauthenticated rdp on your host and that was visible to the untrusted machine... a client to a server (untrusted machine) would be safe.
@@art0007i Unless there's a vulnerability in the protocol itself.
Why does Terrabox cloud insist that I install the desktop app?
I am too afraid of somehow messing up my host computer so instead i just mess around in triage
Use a software based emulator running only in userspace. Further confined with selinux. Live boot the host OS. Safest way to virtualize.
what is the .mal file extension? just wondering
How about use different OS? Like, Host with Linux, Guest with Windows, is that still possible?
depends on a virtual machine in question
Can you escape a jail?
Yes, its can happen if they works with infecting hardware not only system.
for some reason I really like the sound of your voice and I am really intruiged by the video aha but interesting to see how malware can escape VMs
I think the best way to avoid this is just running a vm in an external drive like a pendrive or external ssd and linux on top for extra control
other drives will be visible in the system and the virus code will very likely copy itself to all of them.
but what if you run a vm inside a vm to counteract a vm escape, like wouldn't that work?
yes but it needs to be made for that and most virus creators won't bother
Ok, but what about double virtual machine? No one thinks about that.
what would happen if it was a Linux host on a Windows VM? or Vice-Versa?
When it comes to security - how it was made when there was no VMs? Did we tested on production? XD
Why can't you emulate inside an emulator
TLDW: yes, if they have worms on it/they can
I wonder if vinny got malware on his pc after destroying windows video series and didnt even realized
vinny's proc would have corrupted the virus itself. it's jobel that did the windows destructions
check if parallels is safe
What about win10 kvm vm with gpu pci passtrough on fedora?
But what if you make a vm inside a vm?
Why does no one speak about kaspersky as an AV?
I don't think this
The malware can’t escape because malware think virtual machine or windows is really pc but
Just for pc use Antivirus
Now I want to use vm inside a vm. I dont think any malware would expext that to double attempt escaping
i think you could enable hyper-v on windows while running a kvm on a linux host
Malware cant escape triage tho. Or maybe triage is not a VM? Or doesn't work in a similar way
The question is can u hack pc with eth cable .. other question can u hack using hardisk or gpu devices
If you can get hyper v to run inside virtual box to run inside vmware inside kvm...
pls boost your audio when editing
Its using a hardened vm on a rdp safe?
Can malware infect the user?
What about iPhones?
Now I understand why android requires root for virtualization.
The can UA-camrs put the answer in the title situation is insane
it would get less views
@@Isaac-eq7xk no views
can you turn on dark mode pls?
What about sandbox on windows 10pro ?
So it means I can escape the Matrix?
For me, a vm escape virus 8s the worst thing that for me
It's best to assume yes.
I remember being infected while having fun with trojans in VM
Don't use your own PC for this
Thanks great video
This also includes windows sandbox?
The answer is always yes.
Adding something that allows malware to escape a virtual machine definitely adds to the detectability and the size not to mention it's overly complex and limited use. So while it can happen it just isn't worth making or using
How private is Whonix?
Short answer it can and it has