
I have a program which I've been using for over a year that I recently discovered is laced with a virus. I do not want to reformat the entire computer mostly because even if I backed up the data, I wouldn't be able to tell if I'm porting the virus infected files with me.

So, if I were to create a new Virtual Machine, then run the infectious program, is there any way to pinpoint which files it has infected? (i.e., running a diff on the system and seeing what has changed?)

2nd question:

VMs are wholly and completely insulated from the outer system, correct?

There is no way for this virus to be run on the VM and infect the main system? In my case, the outer system is already infected, so no big deal, but I was wondering if it was theoretically possible to write a virus that would infect the host system while being run in a VM?

splattne
user8122

4 Answers


You had two questions, so I'll break out the answers:

So, if I were to create a new Virtual Machine, then run the infectious program, is there any way to pinpoint which files it has infected?

If you did things like Windows updates or install new software (think web browsers or version updates too) then this task can get pretty difficult due to the number of modified files. However, even if you did it, copied off all files that you didn't think were infected, and then built a new system, all it takes is one infected file and you're screwed.

VMs are wholly and completely insulated from the outer system, correct?

Only if they're not on a network or sharing files in any way. For example, with VMware Fusion, you can set up file sharing automatically between the host and the guest, thereby allowing the guest to write to your profile directory. Makes document sharing a lot easier, but also increases the likelihood of transferring viruses.

Plus, have you ever emailed a file to yourself from the VM guest to the host? Boom, you're screwed if the virus was in that file.

Brent Ozar
  • Ironically enough, it was emailing the program to myself that got Gmail to identify it as a virus for me. But, to clarify your answer to question one, I was planning on creating a completely fresh VM, creating some sort of checkpoint (that's where *your* technical expertise comes in), then adding and executing the virus program, creating a checkpoint again, and comparing the two checkpoints. – user8122 Jun 15 '09 at 12:12

I wholly support this methodology if you're doing it for forensic purposes, and to learn more about the virus, and perhaps as an exercise to determine ways to examine deltas in virtual machines.

If you're doing this from a "I want to recover my server from this virus without reinstalling" standpoint, then you should re-examine your goal.

I don't know a better way, so I'd do this the hard way, where you get the system to the point you want before the virus is introduced. Then you boot with a Linux CD and make an image of the filesystem using 'dd'.

Then start the machine back up, introduce the virus, shut it down again, reboot with the CD, dd again into another image, then mount the images read-only with the noexec mount option and then write a find command that would run diff between the filesystems one file at a time and output the files which are different.

Now, some caveats. First, because this method is so bad and so slow, there has to be a better one, but I don't know what it is. Second, there are going to be some false positives. Windows writes to the registry all the damned time, so the registry files will be different. So will any config files that have been changed, any updates that started downloading on their own, etc etc.

It might actually be that you could use find -mtime to get the same data, then run diff on those files that have changed. Since you're in Linux, clamav might save you some time, as well.

Matt Simmons
  • I'm not sure if this makes a huge difference, but this is my home PC that I'm talking about. If this was a production server, or a work PC, I would be obliterating every trace of the virus and suffering the consequences as I deserve to. I'm doing it because I am curious to find out what exactly the virus is doing. Sidenote: I don't have a Linux CD. – user8122 Jun 15 '09 at 13:26
  • I'll pretend that I didn't read that, and therefore won't be tagging this with 'belongs-on-superuser' – Matt Simmons Jun 15 '09 at 13:58

Just wanted to add a warning: it is technically possible for a virus to escape from the VM! (Especially if the virus has been written to infect virtual machines and their hosts.) It is possible for any application to detect if it's running within a virtual machine, and thus code could be added to break outside the box. It would be rare, though, to discover a virus that would infect VM hosts this way.

On the other hand, a VM is likely sharing its network connection with its host. This creates a second way to get infected. If you have multiple VMs running on the same host, it could even infect those other VMs over the network connection!

Of course, it could also happen that your host was infected and just forwarded the virus to your VM.

So, keep it safe: install a virus scanner on your VMs and make sure you keep the virus scanner and the OS itself up to date.

Wim ten Brink
  • I'm not aware of any vulnerabilities in the hypervisors that would allow this, but I can see how it would, with the "vmware tools" and what have you. Interesting concept. – Matt Simmons Jun 15 '09 at 14:02

Not sure what your VM platform is, but VMware offers a utility called mountvm.exe that allows you to mount a VMDK file to your file system and view the contents of the virtual disk. You could then use windiff (or something similar) to compare files within the mounted VM. I'm sure that other hypervisors offer similar tools.

Regarding your second question, while I don't know if there have been exploits that have attacked via the hypervisor, I think there are some PoCs out there showing it might be possible (of course, some dispute these). Search for "Blue Pill" and see what you find. As others have mentioned, copying files between host and guest, and allowing direct network connectivity between host and guest, would definitely increase the chance of infecting one from the other.
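Matt Simmons' dd-then-find-and-diff procedure and the mountvm.exe/windiff approach in the last answer both come down to one step: list which files differ between the clean image and the image taken after the suspect program ran. The script below is an added example written for this thread, not code from any of the answers. It assumes the two dd images are already mounted read-only and noexec at the hypothetical paths /mnt/before and /mnt/after, hashes every regular file instead of trusting modification times (a find -mtime pass misses files whose timestamps were preserved), and takes an optional NOISE_PATTERN regex so known churn such as registry hives can be dropped, which addresses the false-positive caveat in Matt's answer. The sample trees it builds when run without arguments are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original answers. Lists the files that
# differ between two read-only mounted filesystem images: "before" (clean
# baseline) and "after" (the same system once the suspect program has run).
# Assumed setup (hypothetical paths): both dd images are already mounted,
#   mount -o ro,noexec,loop before.dd /mnt/before
#   mount -o ro,noexec,loop after.dd  /mnt/after
# Needs only POSIX sh plus coreutils (find, sha256sum, sort, join, cut, awk).
set -u
export LC_ALL=C          # byte-wise collation so sort and join agree
TAB="$(printf '\t')"

# Optional extended regex of relative paths to drop as known noise
# (registry hives, logs, update caches). Empty means drop nothing.
NOISE_PATTERN="${NOISE_PATTERN:-}"

drop_noise() {
    if [ -n "$NOISE_PATTERN" ]; then grep -Ev "$NOISE_PATTERN"; else cat; fi
}

# Emit "relative/path<TAB>sha256" for every regular file under $1, sorted by
# path. Hashing contents rather than comparing mtime catches files whose
# timestamp was preserved or reset after modification.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) \
        | awk '{ h = $1; p = substr($0, length(h) + 3); sub(/^\.\//, "", p); print p "\t" h }' \
        | drop_noise \
        | sort -t "$TAB" -k1,1
}

# Compare two trees; prints one line per difference:
#   D path  (present only in before: deleted)
#   A path  (present only in after: added)
#   M path  (present in both, contents changed)
compare_trees() {
    before="$1"; after="$2"
    work="$(mktemp -d)"
    manifest "$before" > "$work/before"
    manifest "$after"  > "$work/after"
    join -t "$TAB" -v 1 "$work/before" "$work/after" | cut -f1 | sed 's/^/D /'
    join -t "$TAB" -v 2 "$work/before" "$work/after" | cut -f1 | sed 's/^/A /'
    join -t "$TAB" "$work/before" "$work/after" \
        | awk -F "$TAB" '$2 != $3 { print "M " $1 }'
    rm -rf "$work"
}

# Constructed sample: a tiny "before" tree and an "after" tree in which a
# pretend program changed one file, dropped a new one and deleted another.
make_sample_trees() {
    base="$1"
    mkdir -p "$base/before/bin" "$base/before/etc" "$base/after/bin" "$base/after/etc"
    printf 'unchanged\n'       > "$base/before/bin/ls"
    printf 'unchanged\n'       > "$base/after/bin/ls"
    printf 'original config\n' > "$base/before/etc/app.conf"
    printf 'tampered config\n' > "$base/after/etc/app.conf"
    printf 'old notes\n'       > "$base/before/etc/README"
    printf 'dropper payload\n' > "$base/after/bin/dropper"
}

# With two mount points as arguments, compare them; otherwise run on the sample.
if [ "$#" -eq 2 ]; then
    compare_trees "$1" "$2"
else
    demo="$(mktemp -d)"
    make_sample_trees "$demo"
    compare_trees "$demo/before" "$demo/after"   # D etc/README, A bin/dropper, M etc/app.conf
    rm -rf "$demo"
fi
```

Run it as `sh compare.sh /mnt/before /mnt/after`, or with `NOISE_PATTERN='^Windows/System32/config/' sh compare.sh /mnt/before /mnt/after` to hide registry churn. Because it reads only the mounted images, the live host never executes anything from the infected tree; the resulting list is a starting point for manual review, not proof that the remaining files are clean, which is exactly the "all it takes is one infected file" warning in Brent's answer.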