Cryptolocker, Ransomware and VMs

Armando
Posts: 102
Joined: 26. May 2012, 06:50

Cryptolocker, Ransomware and VMs

Post by Armando »

Supposing a VM (used for Internet access) gets infected by one of those delightful programs, is it likely that the malware can act outside the VM, thus affecting (encrypting) the host system's hard disk(s)?
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Mostly XP

Re: Cryptolocker, Ransomware and VMs

Post by mpack »

The guest has no access to the host, so no.
towo2099
Volunteer
Posts: 364
Joined: 18. Aug 2014, 21:53
Primary OS: Debian Sid
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Android, Linux

Re: Cryptolocker, Ransomware and VMs

Post by towo2099 »

But shared folders and network shares can be affected.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Cryptolocker, Ransomware and VMs

Post by socratis »

If they are given read-write access, maybe. But if you want to be testing for malware, common sense dictates that you would not share things. Especially read-write. Which, BTW, is the default. Exactly what mpack was saying.
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Mostly XP

Re: Cryptolocker, Ransomware and VMs

Post by mpack »

towo2099 wrote: But shared folders and network shares can be affected.
No, they can't. Executable files which are stored in shared folders with read/write permission could be infected, but there is no risk until the user performs the additional step of running this executable in the host OS context, without checking them first. Frankly, anyone who is that dumb deserves to be scammed.

And note: this is no different than copying infected files around on a USB stick. The fact that the files originated inside a VM added nothing to the risk factor.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Cryptolocker, Ransomware and VMs

Post by socratis »

mpack wrote: No, they can't. Executable files which are stored in shared folders with read/write permission could be infected
Well, technically you're right, if you're thinking of actual executable viruses. But I just recently had a friend of mine call me in a panic because he had gotten a ransomware virus which was encrypting all his files. All of them. So, if you had read-write access to your host's photos or music library, and you got yourself a ransomware in the guest... you're not gonna be a happy camper ;)

PS. As far as my friend goes, thankfully I had gotten him into a full and incremental backup schedule, which (miraculously) he kept. Minimal harm done.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Mostly XP

Re: Cryptolocker, Ransomware and VMs

Post by mpack »

I'm not sure what distinction you're making there for "actual executable virus". Computers run code - there is no other mechanism whereby planned changes can occur in a computer system (i.e. changes caused by anything except physical damage). Encrypted files only became encrypted because the mark (no one else) ran a program that encrypted them, and that can only happen when he fails to follow basic precautions - like not running code that comes from questionable sources, at least not without checking it first (e.g. in a VM).
Armando
Posts: 102
Joined: 26. May 2012, 06:50

Re: Cryptolocker, Ransomware and VMs

Post by Armando »

I think the distinction socratis is making is somewhat similar to what I meant with "the malware can ACT outside the VM".

I (obviously) agree with you when you say that nothing happens without some program causing it.
A program, however, can actually be launched by another one (virus or malware), even if the user follows basic precautions (isn't that the main goal of malware engineers?).

You are extremely right when you suggest "checking it first (e.g. in a VM)" and that is exactly the case I was wondering about when I asked my question yesterday. Supposing I test a suspect program in a VM and supposing this program actually contains and launches a ransomware, it can actually "act" outside the VM by encrypting all files in any shared folders and connected drives.

Anyway, I think I got your point:
as long as a VM is "sealed" (no usb drives connected, non writable shared folders or LAN drives...), no harm can be done outside the VM by any software running inside the VM.

Thanks.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Mostly XP

Re: Cryptolocker, Ransomware and VMs

Post by mpack »

Armando wrote: A program, however, can actually be launched by another one (virus or malware)
Circular argument. Where did that first program come from? It didn't appear by magic, it appeared because basic rules were not followed, as already said.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Cryptolocker, Ransomware and VMs

Post by socratis »

The point I was trying to make is that a virus can run in the VM and can affect any file in the host, if there are read-write shared folders or read-write network shares.

@Armando: You got it right
Armando wrote: as long as a VM is "sealed" (no usb drives connected, non writable shared folders or LAN drives...), no harm can be done outside the VM by any software running inside the VM.
I'll just add one more piece of advice if you're going to be using your VM for testing malware; since you're going to be accessing the internet (either Bridged or NAT), make sure that you follow proper firewall and antivirus protection rules on your host, because the VM still has network access to your host (they're on the same subnet) and could be attacking it by other means.

I would suggest, if you download potential malware, that before testing it you disconnect your VM from the network altogether. The "Cable Connected" Yes/No setting would be the easiest way to do this.

This could also be a good use for snapshots. You make a snapshot that you know is clean, you test the malware, you revert to the basic image. Never happened.
ChipMcK
Volunteer
Posts: 1095
Joined: 20. May 2009, 02:17
Primary OS: Mac OS X other
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Windows, OSX
Location: U S of A

Re: Cryptolocker, Ransomware and VMs

Post by ChipMcK »

socratis wrote: This could also be a good use for snapshots. You make a snapshot that you know is clean, you test the malware, you revert to the basic image. Never happened.
First reasonable use of snapshots I ever read; otherwise, not of much use.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Mostly XP

Re: Cryptolocker, Ransomware and VMs

Post by mpack »

I would use a clone for testing, and delete it or keep it when done. I do not trust VirtualBox to undo changes made to add a snapshot to the VM. Yes, I could make a backup first - but if I'm going to copy the VM anyway then it might as well be a clone.
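The "sealed VM" procedure that socratis and Armando settled on above (no writable shares, virtual cable unplugged, clean snapshot taken first and restored afterwards), plus the clone-instead-of-snapshot alternative from the post just above, as an added shell example. This is not code from the thread or from the VirtualBox project; the VBoxManage subcommands are real, while the VM name "malware-lab", the snapshot name and the two showvminfo samples are constructed for the demonstration. The audit part runs offline against the embedded samples; the seal/restore/clone functions need a real, registered VM and VBoxManage on PATH.

```shell
#!/bin/sh
# Added example (not from the forum thread or from the VirtualBox project):
# audit a VirtualBox VM for the host-reaching paths the thread names (shared
# folders, a live network link, USB passthrough), seal it behind a clean
# snapshot, and optionally work on a throwaway clone instead.
# Assumptions: VM name "malware-lab", snapshot name below, and the sample
# showvminfo text are all constructed; the VBoxManage subcommands are real.

SNAP="clean-before-test"

# Audit: read `VBoxManage showvminfo <vm> --machinereadable` text from $1,
# print one REVIEW line per finding and a final "<n> finding(s)" line.
# Assumption: the machine-readable output does not expose the read-only flag
# of a share, so every mapped shared folder is listed for review (the
# thread's own advice is to share nothing at all while testing).
audit_vminfo() {
    printf '%s\n' "$1" | awk -F'=' '
        { v = $2; gsub(/"/, "", v) }                      # strip quotes around values
        $1 ~ /^SharedFolderNameMachineMapping[0-9]+$/ {
            print "REVIEW: shared folder \"" v "\" is mapped into the guest"; n++ }
        $1 ~ /^nic[0-9]+$/            { nic[substr($1, 4)] = v }     # nic1="nat" -> nic[1]
        $1 ~ /^cableconnected[0-9]+$/ { cable[substr($1, 15)] = v }  # cableconnected1="on"
        $1 == "usb" && v == "on" {
            print "REVIEW: USB controller enabled (host devices can be attached to the guest)"; n++ }
        END {
            for (i in nic)
                if (nic[i] != "none" && cable[i] == "on") {
                    print "REVIEW: nic" i " (" nic[i] ") has its cable connected"; n++ }
            print n + 0 " finding(s)"
        }'
}

# Just the number of findings (used by the self-check at the bottom).
finding_count() {
    audit_vminfo "$1" | tail -n 1 | cut -d' ' -f1
}

# Audit a real, registered VM by name (needs VBoxManage on PATH).
audit_vm() {
    audit_vminfo "$(VBoxManage showvminfo "$1" --machinereadable)"
}

# Seal a powered-off VM: snapshot the clean state, unplug the virtual cable,
# and remove every shared-folder mapping. modifyvm only works on a powered-off
# VM, so stop it before calling this.
seal_vm() {
    vm=$1
    VBoxManage snapshot "$vm" take "$SNAP"
    VBoxManage modifyvm "$vm" --cableconnected1 off
    VBoxManage showvminfo "$vm" --machinereadable \
        | sed -n 's/^SharedFolderNameMachineMapping[0-9]*="\(.*\)"$/\1/p' \
        | while IFS= read -r name; do
              VBoxManage sharedfolder remove "$vm" --name "$name"
          done
}

# After the test: power the VM off and roll back to the clean snapshot
# ("never happened"). poweroff errors harmlessly if the VM is already off.
restore_clean() {
    VBoxManage controlvm "$1" poweroff
    VBoxManage snapshot "$1" restore "$SNAP"
}

# Alternative from the thread: test on a clone and delete it afterwards.
clone_for_test() {
    VBoxManage clonevm "$1" --name "${1}-test" --register
}

# Constructed sample: a VM with a documents share mapped and a live NAT link.
SAMPLE_VMINFO='name="malware-lab"
ostype="Windows10_64"
usb="off"
nic1="nat"
cableconnected1="on"
nic2="none"
SharedFolderNameMachineMapping1="hostdocs"
SharedFolderPathMachineMapping1="/home/user/Documents"'

# Constructed sample: the same VM after seal_vm.
SEALED_VMINFO='name="malware-lab"
ostype="Windows10_64"
usb="off"
nic1="nat"
cableconnected1="off"
nic2="none"'

audit_vminfo "$SAMPLE_VMINFO"   # 2 finding(s): the share and the connected NAT cable
audit_vminfo "$SEALED_VMINFO"   # 0 finding(s)
```

On a real host the workflow is `seal_vm malware-lab`, then `audit_vm malware-lab` to confirm zero findings before starting the VM, and `restore_clean malware-lab` (or deleting the clone made by `clone_for_test`) when done. The audit is deliberately conservative: it treats any mapped share, any NIC whose cable is connected, and an enabled USB controller as something to review, because each of those is a path by which guest activity can reach host files or the host's subnet.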
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Mostly XP

Re: Cryptolocker, Ransomware and VMs

Post by mpack »

socratis wrote: since you're going to be accessing the internet (either Bridged or NAT) make sure that you follow proper firewall and antivirus protection rules on your host
Other than shared folders, which we already discussed, I don't see what threat this counters. And I'm not sure that a host firewall or AV does much for a guest.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Cryptolocker, Ransomware and VMs

Post by socratis »

I wasn't talking about having a host firewall/AV to protect the guest; only to protect the host itself. Since there are known viruses that attack machines on the same subnet (especially Windows), I wouldn't want to have a known infection on my local subnet. That's why the extra precautions. I mean, you wouldn't want to walk into a biosafety level 3 lab without at least your gloves, a mask and protective clothing, right? ;)
rpmurray
Volunteer
Posts: 918
Joined: 3. Mar 2009, 00:29
Primary OS: Mac OS X other
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Windows 7, Mac OS X (various flavors)
Location: Between Heaven and Hell

Re: Cryptolocker, Ransomware and VMs

Post by rpmurray »

I have read that some malware disguised as innocuous programs will test to see if it's in a VM and, if it determines that is the case, does not install its malicious bits. So testing software on a VM is not always a guarantee that it is clean or safe to move it to the host.