What is a VM?
A virtual machine is an emulation of a computer system, generally run on top of an existing system and logically separate from it. Basically, it's a computer running inside of another computer. The important part is that each system is "sand-boxed" from the other, which prevents data flow from one system to the other unless explicitly allowed.
Why Use a VM?
There are multiple reasons you might want to virtualize another machine. Maybe you want to try out a new operating system without affecting your current environment (i.e. no dual booting, re-imaging, etc.), or maybe you want to run two operating systems side by side intentionally. This is very common when setting up a security environment. Tools like Security Onion, pfSense or Kali Linux can all be run side by side, depending on your individual goals and the purpose of your environment.
Today we are looking at using a virtual environment to help protect ourselves from malware and to protect our privacy while surfing the internet, opening risky attachments, or downloading something from an untrusted source.
The important thing to remember about virtual environments is that they are logically separate from the host environment. In general this means that whatever happens in the virtual environment stays in the virtual environment. This gives us an additional layer of security while we surf, or in other words: Defense in Depth. Using a VM creates an additional layer in our security and helps reduce our overall attack surface.
Just because you're using a virtual machine DOES NOT mean you're invulnerable to malware, spyware, trojans, RATs, viruses or anything else. Software bugs can and do exist in virtualization applications. They can and have been exploited in the past! VMs are a widely used technology in corporate environments and are actively targeted by hacking groups and malware developers. It IS POSSIBLE for malware to escape your virtual environment!
It’s just unlikely.
Pwn2Own 2016 offered a $75,000 purse for a successful VM escape exploit. That's a pretty hefty prize for one single exploit. The results (this is a really good write-up of the event) from the event were as follows:
- 6 Windows OS exploits
- 5 OSX exploits
- 4 Adobe exploits
- 3 Safari exploits
- 2 Microsoft Edge exploits
- 1 Google Chrome exploit
- 0 VM escape exploits
As far as my (quick) research has shown, there have been 9 documented VM escapes. So while it is possible for malware to successfully detect and escape a VM, it's rare enough that we can put a modicum of trust in our virtualized environment.
What OS should you use?
Really, that all depends on how paranoid you are and how comfortable you feel around Linux, the command line, troubleshooting, and computers in general. There are multiple options offering different levels of security and complexity.
Tails – I don't know much about Tails, I've never used it. However, it is recommended as a good, secure OS among security circles, so it's worth looking into.
Whonix – Whonix forces all web traffic to occur over Tor. It can be difficult to configure.
Qubes – Treats every application as an individual "sandbox".
Mint/Ubuntu – In general I think Mint feels like Windows and Ubuntu feels like OS X. They both have their pros and cons, but are good, stable operating systems that most everyone can configure. I'm going to set up Mint in a virtual environment for our example.
Always check the integrity of your OS download. If you download a compromised image, you've lost before you've even tried.
Setting up a Virtual Environment:
1) First, download the ISO file for the OS of your choice (Mint in this case).
2) Then download VirtualBox and get it installed.
- Alternatively, if you're running a Linux distro you probably already have VirtualBox installed, or it's available in the distro's application store.
3) Once you have VirtualBox up and running, it should look something like this when you first start it up:
- Click New to begin setting up your virtual machine.
4) Name your VM and provide the type of OS you're running and the version.
- If you're running a version of Linux that isn't listed, try to figure out what the OS is based on. For instance, Mint is based on Ubuntu and Debian. If you can figure that out, you may be able to get your VM to work even if it's not listed as a supported VirtualBox OS.
5) Allocate memory to your virtual machine.
- Allocating too few resources can result in performance issues for your machine.
- Also remember that resource allocation is dependent on your underlying physical hardware. You can't allocate 8 GB of RAM when you only have 4.
6) Create your virtual hard disk.
- At this point you can load a previous virtual disk if you want, or create a new one.
- When picking the type of disk to create you may have other use cases, but the default VDI is probably the best option for simple local virtualization.
- VDI – native VirtualBox format
- VHD – native format of Microsoft Virtual PC
- VMDK – native to and used by VMware
- All three are supported by VirtualBox
7) Storage on disk
- This allocates the amount of "physical disk" your virtual machine is going to use.
- Dynamic – grows as needed up to a specified maximum, but does not shrink again after space has been freed up
- Fixed – one size; does not shrink or expand
- Many OSes have a recommended minimum amount of storage.
8) Your VM is all configured! Hit Start to select the OS image and start the VM!
9) Navigate to your ISO folder location, select the operating system you wish to use and hit Start again.
10) Your new VM is up and running! At this point I would recommend installing all upgrades, updates, and patches available for your virtual image. This will help protect your machine from older exploits.
- On Linux (since that's our example OS), refresh the package lists first, then install the newer versions:
- sudo apt-get update
- sudo apt-get upgrade
- I would also recommend installing an antivirus of some sort, something like Comodo on Linux, or activating and configuring your built-in Windows AV if that's what you're using.
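The same setup, scripted with VirtualBox's own VBoxManage command so that the checksum check and steps 3 through 9 above become repeatable. This is an added example, not code from the original post. The VM name, memory and disk sizes, the Ubuntu_64 OS type (chosen because Mint is Ubuntu-based) and the disk path are assumptions; the expected SHA-256 must come from the distribution's own download page.

```shell
#!/bin/sh
# Added example: scripted VirtualBox setup. Values below are placeholders.
set -u

# Compare a file's SHA-256 against the value published by the OS vendor.
# Returns 0 on match, 1 on mismatch, so a caller can refuse to continue.
verify_sha256() {
    file=$1; expected=$2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)   # macOS fallback
    fi
    [ "$actual" = "$expected" ]
}

# Run a VBoxManage command, or only print it when VBOX_DRY_RUN=1 is set,
# so the plan can be reviewed without VirtualBox installed.
vbox() {
    if [ "${VBOX_DRY_RUN:-0}" = 1 ]; then
        printf 'VBoxManage %s\n' "$*"
    else
        VBoxManage "$@"
    fi
}

# Steps 3 to 9 of the walkthrough: register the VM, size it, create a
# dynamically allocated VDI, attach it, then attach the installer ISO.
create_vm() {
    name=$1; iso=$2
    mem_mb=${3:-2048}      # step 5: memory; must fit the physical host
    disk_mb=${4:-20480}    # step 7: maximum size (MB) of the dynamic disk
    disk="$HOME/VirtualBox VMs/$name/$name.vdi"   # assumed default location
    vbox createvm --name "$name" --ostype Ubuntu_64 --register   # step 4
    vbox modifyvm "$name" --memory "$mem_mb" --cpus 2 --vram 32   # step 5
    vbox createmedium disk --filename "$disk" --size "$disk_mb" \
        --format VDI --variant Standard                           # steps 6/7
    vbox storagectl "$name" --name SATA --add sata --controller IntelAhci
    vbox storageattach "$name" --storagectl SATA --port 0 --device 0 \
        --type hdd --medium "$disk"
    vbox storagectl "$name" --name IDE --add ide
    vbox storageattach "$name" --storagectl IDE --port 0 --device 0 \
        --type dvddrive --medium "$iso"                           # step 9
}

# Top-level flow: refuse to build a VM from an image whose checksum does
# not match the vendor's value, otherwise build it and boot the installer.
# Usage: VBOX_DRY_RUN=1 setup browse-vm ~/Downloads/mint.iso <sha256-from-vendor>
setup() {
    name=$1; iso=$2; expected=$3
    if ! verify_sha256 "$iso" "$expected"; then
        echo "checksum mismatch for $iso; refusing to continue" >&2
        return 1
    fi
    create_vm "$name" "$iso"
    vbox startvm "$name"   # step 8
}
```

Run it once with VBOX_DRY_RUN=1 to read the exact commands it would issue, then without it to build the VM; a wrong checksum stops the script before VirtualBox is touched.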
At this point you are up and running, ready to use your virtual machine!
I would also recommend buying a USB wireless card so that you are not sharing a NIC with your VM; though unlikely, it is possible for malware to infect your host machine through this bridged connection. The goal of this whole exercise is to logically separate your virtual machine as much as possible from your physical machine.
Additionally, I would strongly discourage the use of add-ons with your virtual machine. You can download and install add-ons that allow you to do things like copy/cut from your VM and paste into a folder/document on your physical machine. Tools like this are how much of the malware that has achieved a VM escape in the past worked (*cough* Cloudburst *cough*). Also make sure that any features you're not using are turned off. The most recent VM escape exploit, Venom, used a plug-in that allowed the VM to use a built-in 3.5″ floppy drive to escape the virtual environment and infect the host machine.
Always remember, this is just another layer in your security onion. IT IS POSSIBLE FOR MALWARE TO INFECT YOUR HOST PLATFORM EVEN IF YOU'RE RUNNING A VIRTUAL ENVIRONMENT.
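A way to check, and then close, the host/guest channels discussed in the two paragraphs above (shared clipboard and drag-and-drop, a bridged NIC, USB passthrough, a leftover floppy controller, host folders shared into the guest). This is an added example, not code from the original post. The key names are those of `VBoxManage showvminfo <vm> --machinereadable`, but the sample text is constructed rather than captured from a real VM; the `I82078` floppy controller type, the `--clipboard-mode` spelling (VirtualBox 6.1 and newer) and the choice of NAT networking are assumptions.

```shell
#!/bin/sh
# Added example: audit and tighten a VirtualBox VM's host/guest boundary.

# Constructed sample of `VBoxManage showvminfo browse-vm --machinereadable`
# for a VM with every convenience feature left on (assumed key names).
SAMPLE_INFO='name="browse-vm"
nic1="bridged"
bridgeadapter1="wlp3s0"
usb="on"
clipboard="bidirectional"
draganddrop="hosttoguest"
storagecontrollername0="SATA"
storagecontrollertype0="IntelAhci"
storagecontrollername1="Floppy"
storagecontrollertype1="I82078"
SharedFolderNameMachineMapping1="Downloads"
SharedFolderPathMachineMapping1="/home/user/Downloads"'

# The same VM after hardening (constructed, for comparison).
HARDENED_INFO='name="browse-vm"
nic1="nat"
usb="off"
clipboard="disabled"
draganddrop="disabled"
storagecontrollername0="SATA"
storagecontrollertype0="IntelAhci"'

# Read machinereadable output on stdin and print one line per setting that
# widens the host/guest boundary. Prints nothing for a clean VM.
audit_vm_info() {
    info=$(cat)
    has() { printf '%s\n' "$info" | grep -q -- "$1"; }
    has '^clipboard="disabled"'   || echo "shared clipboard is enabled"
    has '^draganddrop="disabled"' || echo "drag-and-drop is enabled"
    has '^nic[0-9]*="bridged"'    && echo "bridged NIC shares a host adapter"
    has '^usb="on"'               && echo "USB passthrough is on"
    has '^storagecontrollertype[0-9]*="I82078"' && echo "floppy controller still present"
    has '^SharedFolderNameMachineMapping' && echo "host folder shared into the guest"
    return 0
}

# Number of findings, as a bare integer (0 means nothing to fix).
audit_vm_count() {
    audit_vm_info | awk 'END { print NR }'
}

# Run a VBoxManage command, or only print it when VBOX_DRY_RUN=1 is set.
vbox() {
    if [ "${VBOX_DRY_RUN:-0}" = 1 ]; then
        printf 'VBoxManage %s\n' "$*"
    else
        VBoxManage "$@"
    fi
}

# Close the channels the audit flags. Shared folders need their names
# (VBoxManage sharedfolder remove <vm> --name <name>), so remove those by
# hand; the Floppy removal only succeeds when such a controller exists.
# Usage: VBoxManage showvminfo browse-vm --machinereadable | audit_vm_info
#        VBOX_DRY_RUN=1 harden_vm browse-vm
harden_vm() {
    vm=$1
    vbox modifyvm "$vm" --clipboard-mode disabled --draganddrop disabled \
        --usb off --nic1 nat
    vbox storagectl "$vm" --name Floppy --remove
}
```

Pipe the real showvminfo output through audit_vm_info after every VirtualBox upgrade or Guest Additions install, since those are the moments these settings tend to get switched back on.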