Internet privacy and security course
About translation
Previous Next

Chapter 32

Virtual machines’ vulnerabilities. How hackers go beyond the virtual environment.

Many of you have already installed and configured a virtual system for safe work, opening suspicious files, documents, websites. Virtual isolation is a really great security tool, but it is far from being flawless. In this chapter we will describe how hackers and special services overcome the barrier of a virtual environment and how to protect yourselves from this threat.

Suppose there is a document, link or application created by a malefactor to gain access to your device and your data. You being an intelligent person launch it in a virtual environment in the hope that it will protect you from a potential threat. But this time you have against you not a script kiddie with a popular trojan, but a professional hacker who wants to get access to your system by any means.

For a successful attack they need to go beyond the virtual environment. Let's have a look how this is possible.

Going beyond the virtual environment with standard VirtualBox tools

You probably already know the tools for interaction between the guest and the host system, such as shared clipboard, shared folder and Drag'n'Drop. This is really convenient, as you just need to copy to the main system and paste into a virtual one or simply drag the necessary file from one system to another.

Creating a bridge between the guest and the host system is not the most reasonable step in terms of security. I do hope you understand that a hacker will also be able to use these tools to get into your main system. We recommend refusing them in favor of safer data transfer routes.

No-no, do not think that it is very simple to “escape” from a virtual system, for example, if the shared clipboard is enabled, but it is much easier than without it.

 

Tip

Stop using shared folder, shared clipboard and Drag'n'Drop. Although it is convenient, but it is not safe.

Wi-Fi routers and external devices

You can find a lot of materials on the Internet how to create a virtual machine, install the Kali Linux distribution kit or a special program on it and attack Wi-Fi devices nearby. What prevents a hacker, having penetrated your virtual system, to attack nearby Wi-Fi routers? This can be your home or work Wi-Fi router.

Unfortunately, routers, as a rule, are vulnerable to attack, and by gaining access to it, one can arrange a complex attack on devices connected to it. We will talk about the consequences of a compromised Wi-Fi router in a separate chapter, but believe me, that is extremely dangerous.

The advice may be just to take care of the security of your Wi-Fi router, what we will teach you in the course. In addition, it is recommended to use VPN, although it will not protect against Wi-Fi device being compromised, but it will help to prevent a subsequent attack on you, such as intercepting Internet traffic or DNS replacement.

 

Tip

Take care of the safety of your Wi-Fi router.

You can go beyond the limits of virtualization via a USB flash drive, if it is currently connected to the virtual machine, and then you connect it to the main system. But in this case too many circumstances must get together. In some cases it is possible to perfotm an attack via Bluetooth on nearby devices, but this is also a complicated path that requires many coincidences.

Vulnerabilities

Unfortunately, vulnerabilities are discovered annually in virtualization products, allowing malefactors to leave the virtual isolation and attack the host machine. The necessary services for this are almost for sure in the special services and related hacker groups range, such tools are demonstrated annually at hacker conferences.

For example, in 2017 on Pwn2Own the Chinese teams 360 Security and Tencent Security successfully escaped from the virtual operating system deployed on the basis of VMware Workstation. In both cases complex exploit combinations were used; in both cases the first attack was carried out on a guest machine running Windows.

By the way, besides VMware, macOS, Ubuntu, Windows, Firefox, Edge, Safari, Adobe Reader, Adobe Flash were hacked at this conference as well. The latter was said to have broken itself before the start of the demonstration. Joking.

There can be only one solution, which is the following: if you are afraid of highly skilled hackers to work against you, use hardware isolation, this way a computer is completely isolated from the main machine. We will talk about hardware isolation in a separate chapter of the course and will help you to set up the environment for running suspicious files and documents. Virtual isolation is vulnerable and you can never rule out the possibility of your detractors having the tools to get out of your virtualization system.

 

Tip

If you are afraid of attacks by highly skilled hackers, use only hardware isolation.

If you are using software isolation, be sure to keep your virtualization solution up to date with the latest version. It is equally important to update all components used in the virtual machine: from the browser to the operating system.

 

Tip

Keep up to date all components of the virtual machine from the browser to the operating system.

Social engineering

One doesn’t have to go beyond the virtual environment using a vulnerability in the virtualization system or a Wi-Fi router when there is good old social engineering. No wonder they say that the most vulnerable spot of a computer is a gasket between the chair and the monitor.

Many modern malwares analyze the environment for the presence of virtualization and, if they detect one they either do not start at all or do not activate malicious functions. It helps to hide from the analysis by experts and various automatic and semi-automatic checks.

For ordinary users, this moment is crucially important, as you have to remember that the absence of malicious activity in a virtual environment does not mean that it will not be there at running on your main system.

 

Attention

The absence of malicious activity in a virtual environment does not mean the security of the main system.

I know several cases when people tested a program on a virtual machine; not having found anything suspicious, they launched it in the main system and received an encrypted disk. But sometimes the malware is not disguised, but informs the user about the impossibility of launching it in a virtual environment, thereby pushing them to run the file in the main system.

It is worth noting that some programs are really unable to be run in a virtual environment, for example, because of the high requirements for video memory, but the malicious program does this intentionally and you should not fall for this hook. For these cases it is worth having a computer for tests or purchasing a remote dedicated server.

Previous
11654
Next