Virus on a virtual machine

Fremen

Does anyone know if there's any malware that can test whether it's running on a virtual machine? If so, can it infect the host computer?

I'm interested because once I upgrade my comp, I'm going to start surfing the web exclusively in a VM. I know it's safer, but I want an idea of how much safer.

Martyr

yes, you can run some tests, no, theres not much can be done (although some bug may exist inside the VM)

check out the browser app its firefox on ubuntu.

hantakage

A lot of the more sophisticated threats detect the presence of a Virtual Machine. It is also possible in some cases for the threat to escape from the virtual machine

There is a paper by AV researcher Peter Ferrie on the topic at http://pferrie.tripod.com/papers/attacks2.pdf . It describes both detection of VMWare and the possibility of breaking out of the emulator (Page 4). Breaking out of VMs has not really been seen in practice though.

Generally speaking though - if you are worried about browsing, a Virtual Machine is a good extra measure of prevention to have. The more the merrier

Cake Fiend

A sensible thing to do would be to run the virtual machine on a unix-like OS.

Martyr

looks like a good read Hantakage.
found another article Detecting presence of virtual machines using LDT not sure how much plagiarism goin on there

its possible to fool some detection of VM by setting the trap flag (normally set when single-step debugging) the SIDT method will fail.
this is an old trick of MS-DOS viruses to fool emulators, think there is a mention in that paper Hantakage posted.

hantakage

In case people are still interested, there is a post on Googles Security Blog about the topic, which includes a link to another paper

http://googleonlinesecurity.blogspot.com/2007/05/on-virtualisation.html

NutJob

Average Joe wrote:

looks like a good read Hantakage.
found another article Detecting presence of virtual machines using LDT not sure how much plagiarism goin on there

its possible to fool some detection of VM by setting the trap flag (normally set when single-step debugging) the SIDT method will fail.
this is an old trick of MS-DOS viruses to fool emulators, think there is a mention in that paper Hantakage posted.

Joanna Rutkowska (invisiblethings.org) i think had the first paper on this back in 04.
http://www.invisiblethings.org/papers.html

Iv herd of malware refuseing to run in vm.
Iv never herd of malware that could actually break out into the host OS.

ethernet

Cake Fiend wrote:

A sensible thing to do would be to run the virtual machine on a unix-like OS.

Then install Wine!

p

Fremen wrote: »

Does anyone know if there's any malware that can test whether it's running on a virtual machine? If so, can it infect the host computer?

I'd say any that did, would probably do it by accident rather than on purpose.

Fremen wrote: »

I'm interested because once I upgrade my comp, I'm going to start surfing the web exclusively in a VM. I know it's safer, but I want an idea of how much safer.

Sounds like a pain in the ass. Do you have sever problems will malware or do you work on some kind of mission critical environment? I think I've got a virus abotu twice in the 8 or more years I've been using computers. Better just to be careful and install anti-virus software, and get a decent backup solution. Browsing in a VM just sounds like a waste of your time and your computers power. Bizare!