This Is How Malware Can Evade Your Virtual Machine

As the headline says, you cannot fully trust your virtual machine for malware analysis, and there are several reasons for this. Let me explain the process, starting with what a virtual machine is: software that lets us run different applications and operating systems on a single host machine.

It provides a virtual environment, like a new physical machine, inside the host machine, in which we can run software for different platforms.

How malware knows that it is being executed in a virtual machine environment:

Malware is malicious code used to infect a target machine. Nowadays malware has become intelligent enough to tell which environment it is running in, e.g. Windows, Mac, Linux, a virtual machine, or a mobile device.

Here’s how they do that:

MAC address checks:

The malware runs code to read the MAC address of the machine. If it starts with a specific hex prefix, the malware knows it is in a VM environment, because virtual machines use MAC addresses from ranges assigned to the hypervisor vendor rather than to a physical NIC vendor.

Registry checks:

A virtualized environment will often contain various registry entries that are not commonly found on physical machines.

Temperature check:

In old, outdated VMs, if malware ran code to check the system temperature, the return value would be NULL, as VMs were not allowed to read the sensor.
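The two checks above (MAC prefix and registry entries) are also useful to the analyst: run them against your own sandbox to see which fingerprints it exposes before detonating a sample, and change what can be changed. The script below is an added example, not code from the original post; the OUI table and the VMware Tools key path are well-known public values, while the registry marker list and the sample input at the bottom are constructed for illustration.

```python
"""Audit a malware-analysis VM for the fingerprints described above.

Added example (not from the original post). Feed it the guest's MAC
addresses and registry key paths, collected with whatever tools you use,
and it reports which ones reveal virtualisation to a sample.
"""
import re

# First three octets (OUI) that hypervisor vendors assign to virtual NICs.
VM_OUIS = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware",
    "00:50:56": "VMware", "08:00:27": "VirtualBox", "52:54:00": "QEMU/KVM",
    "00:16:3E": "Xen", "00:15:5D": "Hyper-V", "00:1C:42": "Parallels",
}

# Substrings of registry paths that only appear when guest tools or
# virtual drivers are installed (constructed marker list).
VM_REGISTRY_MARKERS = ("VMware", "VBox", "VirtualBox", "QEMU", "Xen", "Parallels")

# Accept both 00:0C:29:... and 00-0c-29-... notations.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})")


def mac_vendor(mac):
    """Return the hypervisor vendor for a MAC address, or None if it looks physical."""
    m = MAC_RE.match(mac.strip())
    if not m:
        return None
    oui = ":".join(part.upper() for part in m.groups())
    return VM_OUIS.get(oui)


def registry_findings(key_paths):
    """Return the registry paths whose name reveals a guest-tools or driver install."""
    return [k for k in key_paths
            if any(marker.lower() in k.lower() for marker in VM_REGISTRY_MARKERS)]


def audit(macs, key_paths):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"MAC {m} uses a {mac_vendor(m)} OUI" for m in macs if mac_vendor(m)]
    findings += [f"registry key {k} present" for k in registry_findings(key_paths)]
    return findings


if __name__ == "__main__":
    # Constructed sample data standing in for `getmac` / `reg query` output.
    sample_macs = ["00:0C:29:3A:7B:1E", "b4-2e-99-12-34-56"]
    sample_keys = [r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
                   r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"]
    for line in audit(sample_macs, sample_keys):
        print(line)
```

Every finding it prints is something a sample could use to decide it is being analysed, so each one is a candidate for changing the NIC's MAC or renaming or removing the guest-tools artefacts before detonation.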

How malware affects the host machine:

The malware relies on vulnerabilities that have been found in the VM software and takes advantage of them to exploit the host machine.

These are:

CVE-2019-5521 – Out-of-bounds read vulnerability – CVSSv3 = 6.3-7.7

This out-of-bounds read allows attackers to read sensitive information from other memory locations.

CVE-2019-5684 – Out-of-bounds write vulnerability – CVSSv3 = 8.5

An out-of-bounds write places data past the end, or before the beginning, of the intended buffer. This vulnerability can be exploited only if the host has an affected NVIDIA graphics driver. Successful exploitation allows an attacker to execute code on the host.

Products Affected

  • VMware vSphere ESXi (ESXi)
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro / Fusion (Fusion)

Malware can also escape through the interconnected network of VMs to affect other machines connected to it, and it can affect the host machine through the shared folders of the VM.

List of these kinds of malware:

VENOM

An acronym for Virtualized Environment Neglected Operations Manipulation, this malware uses those vulnerabilities in VMs to allow an attacker to escape from the restricted environment of an affected VM guest and potentially obtain code-execution access to the host machine.

Experts say that it dates from 2004, when the virtual floppy disk controller was first added to the QEMU codebase.

CRISIS

This malware can actively seek out VMware virtual machine files stored on systems it has compromised. Once it has discovered VMware virtual disk files, Crisis mounts the disk and then uses a native VMware facility to insert itself into the disk file, thus creating a newly infected VM.

Preventive measures we can take:

1.) Stay updated: VMs are built by large software companies which, to stay ahead of each other, actively seek out vulnerabilities in their products, remove them and constantly update their software.

2.) Turn off the internet connection: as noted above, malware can escape through interconnected hosts, so before running malware in a VM we can disconnect the VM's network connections.

3.) Restore points: before executing malware we can create a safe restore point for the machine, so that after analysing the malware we can roll the machine back to that safe point.

Source: hacknews