Virtual Machine Trojans: a new type of threat?

Posted by sergio_at_infosegura.net on Apr 17

Normal trojans are a known threat, and we know how to mitigate them. But what about virtual machine trojans? This is a proof-of-concept Virtual Machine Trojan. Visit www.infosegura.net/vimtruder.html for details.

URL: http://seclists.org/fulldisclosure/2009/Apr/0188.html

7 Comments

  1. "Full Disclosure (fulldisclosure) Mailing List" says:

    Re: Virtual Machine Trojans: a new type of threat?

    Posted by Peter Ferrie on Apr 17

    > When a user downloads a virtual machine from the Internet, and then
    > runs it on his/her computer, the antivirus installed in the host machine
    > simply does not have access to the virtual machine, so the virtual machine
    > does not get scanned.

    That is simply not true. AVs can…

    URL: http://seclists.org/fulldisclosure/2009/Apr/0190.html

  2. "Full Disclosure (fulldisclosure) Mailing List" says:

    Re: Virtual Machine Trojans: a new type of threat?

    Posted by Julio César García Vizcaíno on Apr 17

    This is a very well-known issue in malware testing.

    The threat depends on the AV used in the host.

    It would be interesting to know which AVs really scan the virtual machines'
    files.

    Bye!!

    On Fri, 17-04-2009 at 14:09 -0700, Peter Ferrie wrote:
    > > When a user downloads a virtual machine from…

    URL: http://seclists.org/fulldisclosure/2009/Apr/0191.html

  3. "Full Disclosure (fulldisclosure) Mailing List" says:

    Re: Virtual Machine Trojans: a new type of threat?

    Posted by sergio_at_infosegura.net on Apr 18

    Hi,

    Of course users can install an AV inside the VM. The whole point of the article is, how does the IT manager prevent users from downloading VMs without permission and bringing a Trojan into the network?
    When a user downloads software without permission, the IT manager at least knows that the AV…

    URL: http://seclists.org/fulldisclosure/2009/Apr/0194.html

  4. "Full Disclosure (fulldisclosure) Mailing List" says:

    Re: Virtual Machine Trojans: a new type of threat?

    Posted by sergio_at_infosegura.net on Apr 18

    In the case of normal, known trojans inside a virtual machine using Windows, yes, maybe the AV in the host could find the pattern of the trojan in the VM image before running.
    But loading a trojan into a Linux virtual machine and then distributing it is a very targeted attack. The attacker has root…

    URL: http://seclists.org/fulldisclosure/2009/Apr/0195.html

  5. "Full Disclosure (fulldisclosure) Mailing List" says:

    Re: [inbox] Re: Virtual Machine Trojans: a new type of threat?

    Posted by Exibar on Apr 18

    You’re not correct, sorry. Or maybe you’re just confused about the
    question…
      I don’t know of any AV products running on the host operating system that
    will scan within a virtual machine. You have to run AV on the virtual
    machine itself in order for anything downloaded to be…

    URL: http://seclists.org/fulldisclosure/2009/Apr/0196.html

  6. "Full Disclosure (fulldisclosure) Mailing List" says:

    Re: Virtual Machine Trojans: a new type of threat?

    Posted by Pavel Kankovsky on Apr 19

    On Sat, 18 Apr 2009 sergio_at_infosegura.net wrote:

    > The attacker has root access, and can craft the trojan any form s/he
    > wants. I don’t see how the AV would detect this type of custom-made
    > trojan.

    You do not need "root access" or a virtual machine to craft a…

    URL: http://seclists.org/fulldisclosure/2009/Apr/0203.html

  7. "Full Disclosure (fulldisclosure) Mailing List" says:

    Re: Virtual Machine Trojans: a new type of threat?

    Posted by Eduardo_Godinho_at_trendmicro.com on Apr 19

    Hi there,
    A very important point is that, according to the VMware recommendation, to get better performance we should put the VMware files on the AV exception list. On the other hand, we (Trend Micro) are developing a new AV to work directly on the…

    URL: http://seclists.org/fulldisclosure/2009/Apr/0204.html
