Frank Beuth writes:
> On Fri, Oct 18, 2019 at 11:54:18AM +0100, cho...@jtan.com wrote:
> >Virtualisation is not a panacea. I have managed to achieve data loss through 
> >destructive actions taken within a "safe" virtualised sandbox.
>
> How did you manage that feat?

Basically assuming "safe" then taking actions to subvert that, namely mounting 
an SMB share within the VM. rm(1) does not discriminate. My own fault obviously 
but it's notable that the "virtual environment == safe" assumption was 
shattered so effectively, so easily, and by actions which in most circumstances 
would be benign.

That's not to even start on the fact that it's little more than process 
switching and virtual memory on steroids, so the extra separation on top of 
what the OS already provides is little more than smoke and mirrors.

> In the world of malware analysis, running code blindly (in a virtual
> machine) in order to figure out what it does (by comparing "before" and
> "after" snapshots) is standard operating procedure.
>
> (standard operating procedure doesn't necessarily make it a good idea,
> but it is what it is)

There's something to be said for it if your constraints are sound. I doubt a 
half-decent malware analyst isn't both extremely paranoid about their testing 
gig and still won't run code without at least a cursory glance at the 
disassembly.

Consider that without access to the source code the game changes considerably.

Matthew

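The failure mode Matthew describes above, as an added example that is not part of the original thread: the guest's own filesystem is expendable, but a CIFS share or a hypervisor shared folder mounted inside the guest is a window onto data the sandbox was supposed to protect, and rm(1) follows it without complaint. The sketch below resolves a path to the filesystem type it lives on (the longest matching mount point, the way the kernel does) and refuses destructive operations on types that reach outside the VM. The `SAMPLE_MOUNTS` lines are constructed to look like /proc/mounts, the `HOST_REACHING_FS` list is an illustrative assumption to be extended for your own hypervisor, and `guarded_rm` is a hypothetical wrapper, not anything from the post.

```shell
#!/bin/sh
# Constructed sample of /proc/mounts lines (not from the original post):
# a guest root on ext4 plus an SMB share and a VirtualBox shared folder
# mounted inside the "safe" VM.  On a live system read /proc/mounts instead.
SAMPLE_MOUNTS='/dev/vda1 / ext4 rw,relatime 0 0
//fileserver/projects /mnt/projects cifs rw,relatime,vers=3.0 0 0
share /media/sf_share vboxsf rw,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# Filesystem types through which a guest can reach data that is not its own.
# Assumption: this list is illustrative; extend it for your hypervisor.
HOST_REACHING_FS='cifs smb3 nfs nfs4 9p vboxsf virtiofs fuse.sshfs vmhgfs fuse.vmhgfs-fuse prl_fs'

# fs_type_of MOUNTS PATH: print the fstype of the longest mount point that is
# a prefix of PATH (PATH must be absolute).  Matches a mount point exactly or
# a path strictly below it, so /mnt/projectsX does not match /mnt/projects.
fs_type_of() {
    mounts=$1; target=$2
    printf '%s\n' "$mounts" | awk -v t="$target" '
        BEGIN { best = 0; type = "" }
        {
            mp = $2
            if (t == mp || index(t, (mp == "/" ? "/" : mp "/")) == 1) {
                if (length(mp) > best) { best = length(mp); type = $3 }
            }
        }
        END { print type }'
}

# reaches_host MOUNTS PATH: exit 0 when PATH lives on a filesystem in
# HOST_REACHING_FS, i.e. an rm there may destroy data outside the VM.
reaches_host() {
    type=$(fs_type_of "$1" "$2")
    for fs in $HOST_REACHING_FS; do
        [ "$type" = "$fs" ] && return 0
    done
    return 1
}

# guarded_rm PATH...: refuse to delete anything that resolves to a
# host-reaching filesystem, using the live mount table.  Hypothetical wrapper.
guarded_rm() {
    live=$(cat /proc/mounts 2>/dev/null) || { echo "no /proc/mounts" >&2; return 1; }
    for p in "$@"; do
        case $p in /*) abs=$p ;; *) abs=$PWD/$p ;; esac
        if reaches_host "$live" "$abs"; then
            echo "refusing: $abs is on $(fs_type_of "$live" "$abs"), which is not confined to this VM" >&2
            return 1
        fi
    done
    rm -rf -- "$@"
}
```

The check only covers what the mount table shows; a share mounted read-only is the stronger mitigation, and a guest that can reach the host over the network at all (SMB, SSH, the hypervisor's guest-additions channel) is not a sandbox for data-destroying experiments regardless of what `rm` is wrapped in.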