VMware

33 Replies. Last post: Nov 19, 2009 7:22 AM by Texiwill

Can malware in the guest access NON-shared folders? posted: Nov 5, 2009 9:25 PM

UlyssesOfEpirus (Enthusiast, 50 posts since Jul 20, 2009):

I do not mind if shared folders are written to by any malware running in the guest, but is it possible that malware can also access folders other than the shared ones?

Can malware running in the guest do anything else to harm the host, other than messing with the contents of the shared folders?

Anton V Zhbankov (Champion, 2,871 posts since May 26, 2008):

If you mean HGFS shared folders, then there is another possibility: standard Windows shares, including hidden ones. If the guest can access them, then malware has access to them.

---
MCSA, MCTS, VCP, VMware vExpert '2009
http://blog.vadmin.ru
wila (Virtuoso, 3,266 posts since Jun 27, 2006):
Hi,

It is best to NOT give a test virtual machine that runs malware direct access to your network.
Are you sure that all your network machines are 100% patched?
If your test VM needs network access, then do so by using a separate network segment for the VM.
Also, making sure that you are running the latest VMware products, completely patched, is a must in this type of case.

The HGFS shares are probably the safest to use, but there have been several directory traversal exploits in the past and I'm not sure if I would want to risk my host on that part.

If you need to share files to your malware guest then consider putting those files on a virtual CD Image.
If you need to get files from your malware guest, then you can always attach the disk to another VM when the guest has been shut down.


--
Wil
_____________________________________________________
VI-Toolkit & scripts wiki at http://www.vi-toolkit.com
Texiwill (Guru, 10,205 posts since Jan 13, 2004):
Hello,

If you are using ESX/ESXi (Type 1 Hypervisors) then hgfs cannot be used, and actions within a VM have very little chance of infecting the ESX OS.

If you are using Workstation, Fusion, Player, or Server (Type 2 Hypervisors) then hgfs may be used and yes, it would infect the host. If you use hot-plugged virtual disks and then open them on the host, then yes, there is a chance to infect the host. Basically, your 'host' should never open a virtual disk directly, or allow direct access from a VM, for better security. Actually, all the guides say to disable this type of ability.

The act of opening a virtual disk could infect depending on how it was opened. Forensic scientists have this same problem: when they open a hard drive for analysis they do so on a completely reinstalled forensic workstation. They may reinstall between each analysis in order to cut down on cross-contamination. It is just not safe to open virtual disks or hard drives, if you know there is malware, using critical systems. The critical systems are virtualization hosts, backup servers, management nodes, etc.... I would use a forensic workstation only, or perhaps a forensic virtual machine.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009
Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|
Virtualization Security Round Table Podcast
Texiwill:
Hello,

There are viruses that infect the filesystem, not a specific program; opening the file system infects the machine. There are viruses that infect a program; executing said program infects the machine. There are viruses that live in 'data'; opening the data infects the machine.

Read-only media may work if what you write is virus-free at time of write. No, it cannot be infected, but there are viruses that could live in data on the CD and still infect a machine.

ESX/ESXi is safer than others, but so is good management. If you are unsure of WHAT is in a VM, then do not do analysis on the host; use a VM to do the analysis, or another host.


Best regards,
Edward L. Haletky
Texiwill:
Hello,

This is not really a VMware issue; it is an Operating System issue and how it reads the file system, virtual disk, or a file. This is why there exist physical write-block devices as well as write-blocking software for an operating system. Forensic scientists use them as well. With a VM you can mark a virtual disk read-only. However, viruses can infect memory, and whatever is writable could be written to. So extreme care should be taken when investigating virus-laden virtual machines/physical disks.

I would just NOT use the virtualization host's operating system as a Forensic workstation, use something entirely different on a private firewalled network and you should be fine.


Best regards,
Edward L. Haletky
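The advice in this thread (wila: no direct network, HGFS shared folders are a traversal risk, feed samples in on an ISO; Texiwill: disable host access from the VM as the hardening guides say, and attach suspect disks read-only to a forensic VM rather than opening them on the host) can be checked and applied to a Workstation/Fusion/Player .vmx file. The following is an added example written for this page, not VMware's code and not posted by anyone in the thread. The .vmx key names are real VMware settings; the sample file, its paths and the `malware-sandbox` name are constructed for the example, and the assumption that a NIC with no `connectionType` behaves as bridged is marked in the code.

```python
# Added example: audit a .vmx for guest-to-host paths, harden it, and build the
# disk entry a forensic VM uses to attach a suspect VMDK without writing to it.
import re

# Constructed sample .vmx: a "sandbox" VM configured the risky way.
RISKY_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "malware-sandbox"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "malware-sandbox.vmdk"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
sharedFolder.maxNum = "1"
sharedFolder0.present = "TRUE"
sharedFolder0.hostPath = "C:\\Users\\analyst\\Desktop"
sharedFolder0.writeAccess = "TRUE"
isolation.tools.hgfs.disable = "FALSE"
usb.present = "TRUE"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
ide1:0.fileName = "samples.iso"
"""

VMX_LINE = re.compile(r'^([^=\s]+)\s*=\s*"(.*)"\s*$')
TOOLS_CHANNELS = ("isolation.tools.copy.disable",
                  "isolation.tools.paste.disable",
                  "isolation.tools.dnd.disable")


def parse_vmx(text):
    """Parse key = "value" lines into a dict. VMware treats keys
    case-insensitively, so they are lowercased here."""
    cfg = {}
    for raw in text.splitlines():
        m = VMX_LINE.match(raw.strip())
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def render_vmx(cfg):
    """Serialise a dict back into .vmx syntax (sorted for stable diffs)."""
    return "".join(f'{k} = "{v}"\n' for k, v in sorted(cfg.items()))


def is_true(cfg, key, default="FALSE"):
    return cfg.get(key, default).upper() == "TRUE"


def audit(cfg):
    """Return (key, problem) pairs for every path from guest to host the
    config leaves open: HGFS, shared folders, host networking, clipboard, USB."""
    findings = []
    if not is_true(cfg, "isolation.tools.hgfs.disable"):
        findings.append(("isolation.tools.hgfs.disable",
                         "HGFS not disabled; shared folders reachable from guest"))
    for key, val in cfg.items():
        m = re.match(r"^sharedfolder(\d+)\.present$", key)
        if m and val.upper() == "TRUE":
            i = m.group(1)
            path = cfg.get(f"sharedfolder{i}.hostpath", "?")
            mode = "read/write" if is_true(cfg, f"sharedfolder{i}.writeaccess") else "read-only"
            findings.append((f"sharedFolder{i}", f"exposes host path {path} ({mode})"))
        m = re.match(r"^ethernet(\d+)\.present$", key)
        if m and val.upper() == "TRUE":
            i = m.group(1)
            # Assumption: a NIC with no connectionType is treated as bridged.
            ctype = cfg.get(f"ethernet{i}.connectiontype", "bridged").lower()
            if ctype in ("bridged", "nat"):
                findings.append((f"ethernet{i}", f"{ctype} NIC puts the guest on the host's network"))
    for key in TOOLS_CHANNELS:
        if not is_true(cfg, key):
            findings.append((key, "clipboard/drag-and-drop channel to host is open"))
    if is_true(cfg, "usb.present"):
        findings.append(("usb.present",
                         "USB passthrough: guest can write media you later plug into the host"))
    return findings


def harden(cfg):
    """Copy of cfg with every audit() finding closed. Files still go in on the
    CD image (ide1:0); results come out by attaching the VMDK to another VM."""
    out = {k: v for k, v in cfg.items() if not k.startswith("sharedfolder")}
    out["isolation.tools.hgfs.disable"] = "TRUE"
    for key in TOOLS_CHANNELS:
        out[key] = "TRUE"
    out["usb.present"] = "FALSE"
    for key in list(out):
        if re.match(r"^ethernet\d+\.present$", key):
            out[key] = "FALSE"  # no network; use a dedicated vmnet if a sample needs one
    return out


def forensic_disk_entry(vmdk_path, slot="scsi0:1"):
    """.vmx lines that attach a suspect VMDK to the analysis VM so guest writes
    go to a redo log and the original file is never modified."""
    return {f"{slot}.present": "TRUE",
            f"{slot}.fileName": vmdk_path,
            f"{slot}.mode": "independent-nonpersistent"}


if __name__ == "__main__":
    cfg = parse_vmx(RISKY_VMX)
    for key, problem in audit(cfg):
        print(f"{key}: {problem}")
    print(render_vmx({**harden(cfg), **forensic_disk_entry("suspect.vmdk")}))
```

The hardened file is still a sandbox, not a guarantee: as the posts above say, a hypervisor bug or a directory traversal in a tools channel is outside what a configuration audit can catch, so the analysis host itself should be a throwaway on its own firewalled segment.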
Texiwill:
Hello,

If you save a file to the desktop of a VM and are not using a 'shared folder' as seen by the host and the VM (whether network or vmhgfs), then you should be just fine. The key is to never share a disk between a host and a VM. You did state a VM with known malware in it.... If you opened that VM's disk within the host using standard tools and made that file system available to the host, either via vmhgfs, network means, or direct writes to a USB stick which you then attach to the host, then yes, you can infect the host.

The standard 'download' and save to the VMDK will NOT infect the host. The rules of 'infection' do not really change all that much. A guest cannot directly infect a host unless you are 'sharing' data/filesystems with the host, which is not the default configuration.

Also, run a virus/malware scanner on any media you use to share anything between a VM and a virtualization host.


Best regards,
Edward L. Haletky