Blindly Installing VMs and Using Live CDs

Tues 4th Jul 09

This post was inspired by a forum post on Hak5 where someone posted that he had created a new VM full of fun vulnerable applications and had released it for people to download and try out their hacking skills against. My first thought when reading the post was how easy it would be to embed something nasty in that VM and have it hack the user who had just installed it and ran it up. I'm not talking breaking out of the VM but having the VM run up attack tools once started and have it attack any other machines it can see on the network. As the attacker builds the VM they can employ whatever rootkit technology they want to hide those tools from the user so while they are testing their tools the VM is silently using its tools to cause damage, steal information or maybe just run as a bot in a botnet. This wouldn't be your normal trojan bit of code, this could be the equivalent of allowing a hacker to post you a laptop and you plugging it into your network for them.

Now I know that you can define what type of network access your guest machine has, but with a VM that is designed to be attacked, you are going to at least have network access between host and guest and if you have a dedicated VM server then you will be giving the guest normal network access so you can attack it from your attack machine. If the VM has full network access then it can obviously attack internally and also call and attack externally. If it only has host to guest access and it can get into the host then it has a pivot point which it can then go through to attack the rest of the network. Even though people know that you should have internal defences so you don't have the "crunchy outer, soft inner" style network, how many people honestly employ that setup?

So, how can you defend against this and is it really enough of a threat to warrant worrying about and defending against? As an attacker can create their own custom attack tools and has time to hide them in whatever way he wants to avoid detection I can't see any way of pre-scanning the VM to ensure 100% that it is clean before booting it. After booting the machine any tools you installed on it, or scanned it with, would be rendered useless by the custom rootkit technology employed, the machine would be so pre-owned that you wouldn't stand a chance. The last approach is to monitor all traffic coming from the VM and analyse it for malicious activity, i.e. IDS or IPS. How many people run IDS on their internal networks?

Probably the best method of protection here is to run a completely air-gaped network for running any new VMs in. You would have to make sure that the attacking machine was fully patched and possibly roll everything back to a known state at the end of each session.

But what if this VM isn't a security testing machine that you would naturally be wary about? What if it was a VM that the accounts team had found that offered new software they needed. Would you still run that up in an air-gaped network, drop a few honeypot machines on the network then sit back with your monitoring tools and IDS for a while to see what happened, see if the VM did misbehave. Or, would you install VMWare on a spare server, throw the VM on it and tell accounts the IP and hostname?

What about at home? Most security professionals use VMs at home to hone their skills. These are sometimes flat networks, possibly with a VM server tucked in a corner of the office and the users machine a nice desktop connected to it across the same network as all the rest of the traffic. Own the home machine then jump on the VPN back to the office, that would give a nice platform for attackers out there.

Live CDs could also be used for this style of attack, do you disconnect your network cable before booting an untrusted live CD? If not then there is nothing to stop it from grabbing a DHCP address and becoming a part of its victims network. This is possibly better than the VM attack as the attacking machine is a legitimate machine on the victims network so may have extra privileges that a VM wouldn't have. The Live CD would also have access to all the disks in the machine. Full disk encryption would prevent any harm but without it the CD could pillage the drive for whatever data it wanted.

The answer to the second part of my earlier question, is it enough of a threat to warrant worrying about and defending against, is probably not. I've not heard about anyone going to this much trouble to to get their trojans onto people machines but with targeted malware becoming more prevalent this does become an option for attackers. The machine only needs to fire up a reverse shell back to their lair and it is game over.

Taking that last thought you could flip this scenario and as security professionals you could try this technique in your pen-tests. Maybe leave some live boot CDs lying around with a label on telling people to put them in their machines before powering them on. This is basically taking the U3 flash drive in the carpark a step further. You could even leave a CD lying around with the VM on it and a label saying how to use the VM. Make the machine sound nice and juicy and the instructions easy enough and I'm sure you'd get some sys-admin firing it up just to be nosey!

So, conclusions, beware what VMs you download and start up and be careful of what live CDs you boot from. You never know what is hiding under the surface.

Finally, I want to stress that I'm not implying that the guy who wrote the post and released the VM had done this or even would do it. This is my mind wandering to the "what if" scenarios.