How to open suspicious e-mails


chilipepperz

Active Member
Mar 17, 2016
212
64
28
54
I just wanted to follow up on this thread: OMG. Have I just spammed myself???

How are people opening suspicious e-mails? Let's say you have an e-mail you can't tell is legit, so you want to open it. I have AV installed, but I'd like to give spammers credit and think they have some new exploit that the AV companies haven't tagged. So what to do?

I have a KVM virtualization host I use just for fun, and I use VirtualBox on my main PC. I could make a VM, but I'd be worried that whatever virus infected the VM would infect the whole virtualization host. It's not too hard to add one line of code to see it's a KVM machine and then to deploy code against the hypervisor.

Any best practice? Or do people here think most are just looking for Windows / OSX users to infect and aren't going to be sophisticated enough to attack hypervisors? I have backups but if someone cryptolocked my PC or even the junk KVM host it'd be a bad day or two.
 

Evan

Well-Known Member
Jan 6, 2016
3,346
598
113
It's not trivial for somebody to write a virus/malware that is good at infecting hosts and getting past protections and, at the same time, has the smarts to go looking for exploits in the virtualisation platform.

Answer is for anything dangerous I use a VM that's not mapping network shares etc.
 

whitey

Moderator
Jun 30, 2014
2,766
868
113
41
It's not too hard to add one line of code to see it's a KVM machine and then to deploy code against the hypervisor.
With regards to this comment, there has YET to be a valid/in-the-wild exploit of a break-out scenario or compromise of a type-0 hypervisor; R&D and academia have been at it for a while now w/ no luck so far to my knowledge, so I believe you are fairly safe.

Now that's not saying, if you have that KVM VM on the same network segment as your home/lab/other sensitive network segments, that they could not traverse laterally from there or perform MITM/etc. attacks, so YMMV/protect/instill paranoia accordingly!

2cents

~whitey
 

Rhinox

Member
May 27, 2013
144
26
18
With regards to this comment, there has YET to be a valid/in the wild exploit of a break-out scenario or compromise of a type-0 hypervisor, R&D and academia have been at it for a while now w/ no luck so far to my knowledge so I believe you are fairly safe...
Never heard of a "type-0" hypervisor. And while we are talking about it, KVM is rather type-2, that is, a hypervisor on top of a full OS with all the security implications...
 

whitey

Moderator
Jun 30, 2014
2,766
868
113
41
My bad, I meant type-1, typo. IMHO KVM is near type-1 and should not be considered a type-2 hypervisor, but this could be debatable.
 

zer0sum

Well-Known Member
Mar 8, 2013
849
473
63
Disclaimer - I work at Comodo

I just open stuff with reckless abandon because I use Comodo Advanced Endpoint Protection and it is impossible to get infected, as it has a feature called containment that ensures any "unknown" files are run within a virtualized container that has a shadow file system, registry, DLLs, etc. If the file is malware, all it can do is infect the container itself. Malware problem solved :)

Our architecture is designed as a default-deny solution, and we make the important assumption that you will never be able to classify all files as good/bad and that there will always be files that will run and could possibly turn out to be malicious. You can think of containment a bit like a Linux chroot jail, but a lot more secure :)

Everyone else in the industry runs with a default-allow design, where their solutions are all designed to allow files to run if they can't detect something as "bad". It doesn't matter how good (or ineffective) your signatures, heuristics, machine learning (math!), behavioral analysis, etc. etc. are... when your techniques finally fail to detect anything, the latest unique strain of malware runs and has a chance to infect you.

Essentially what we do is classify all Windows PE files as follows:
  • good > allowed to run
  • bad > blocked
  • unknown > contained
At the same time the file is contained, we send it to our accelerated file verdict sandbox platform called Valkyrie (Advanced File Analysis System | Valkyrie), where the malware gets analyzed. You can get an automated verdict back within 45 seconds as to whether the file is good or bad, and in the event that it can't be given a verdict using our static and dynamic analysis, it actually gets inspected by one of our security team. We get a verdict on 100% of files sent to our sandbox, and that is unique to the industry. The 2nd time the file is run it does not get contained, as we have a verdict and can either block or allow.

Our solution is totally unique in the industry and totally changes the approach to protection.
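A toy model of the two decision paths this post contrasts (default-allow on unknowns versus contain-then-verdict), added here as an illustration; it is not Comodo's code, and the samples, hashes and verdict service are constructed stand-ins:

```python
# Added example, not Comodo's code: a toy model of the two decision paths the post
# contrasts. Samples, hashes and the verdict sandbox are constructed stand-ins.
import hashlib

ALLOW, BLOCK, CONTAIN = "allowed to run", "blocked", "contained"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def default_allow(data: bytes, known_bad: set) -> str:
    """Signature-only model: anything not recognised as bad runs unconfined."""
    return BLOCK if sha256(data) in known_bad else ALLOW

class DefaultDenyEngine:
    """good -> allow, bad -> block, unknown -> contain and request a verdict."""

    def __init__(self, known_good: set, known_bad: set, sandbox):
        self.known_good, self.known_bad = set(known_good), set(known_bad)
        self.sandbox = sandbox      # callable: digest -> "good" | "bad"
        self.verdicts = {}          # cache filled after the first (contained) run

    def decide(self, data: bytes) -> str:
        digest = sha256(data)
        if digest in self.known_good or self.verdicts.get(digest) == "good":
            return ALLOW
        if digest in self.known_bad or self.verdicts.get(digest) == "bad":
            return BLOCK
        # First sighting: run inside the container and submit for analysis.
        self.verdicts[digest] = self.sandbox(digest)
        return CONTAIN

# Constructed samples: one vetted tool, one with a signature, one fresh strain.
GOOD = b"MZ constructed known-good installer"
OLD_MALWARE = b"MZ constructed sample already in the signature set"
NEW_STRAIN = b"MZ constructed sample that no signature matches yet"

def fake_sandbox(digest: str) -> str:
    """Stand-in for the verdict service: only the fresh strain comes back bad."""
    return "bad" if digest == sha256(NEW_STRAIN) else "good"

def run_demo():
    known_bad = {sha256(OLD_MALWARE)}
    engine = DefaultDenyEngine({sha256(GOOD)}, known_bad, fake_sandbox)
    first_run = (default_allow(NEW_STRAIN, known_bad), engine.decide(NEW_STRAIN))
    second_run = engine.decide(NEW_STRAIN)  # verdict cached: blocked, not contained
    return first_run, second_run
```

The fresh strain runs unconfined under default-allow, is contained on its first sighting under default-deny, and is blocked outright once the cached verdict exists.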
 

PigLover

Moderator
Jan 26, 2011
3,184
1,545
113
Thank you @zer0sum for the disclaimer before sharing that. Full disclosure is a good thing.

Your approach sounds interesting - and reasonably likely to stop most malware.

But at the end of the day I agree with @TuxDude. Nothing is impossible, and those who claim something is usually end up having to eat their words. I'm not so sure about 'inherently insecure', but Microsoft's Windows leaks - badly. The baddies have lots of holes to play with, only a small fraction of which have been exploited yet.
 

zer0sum

Well-Known Member
Mar 8, 2013
849
473
63
Nothing is impossible.

Also, anything running on top of Windows is inherently insecure.
Ok, let me say it a different way :)

The only theoretical way to be compromised right now is through a very low-level exploit in the container.
 

PigLover

Moderator
Jan 26, 2011
3,184
1,545
113
Ok, let me say it a different way :)

The only theoretical way to be compromised right now is through a very low level exploit in the container
Fair play to that. Of course container exploits exist. LOTS of them. Google "container exploit" for some amusing reading (to be fair, most of what you will get on that list refers to Docker containers - which happen to leak like a sieve - but you get the idea).
 

zer0sum

Well-Known Member
Mar 8, 2013
849
473
63
Fair play to that. Of course container exploits exist. LOTS of them. Google "container exploit" for some amusing reading (to be fair, most of what you will get on that list refers to Docker containers - which happen to leak like a sieve - but you get the idea).
Totally agree and luckily our container is only a single piece of our protection stack :)

Our containment is extremely important, as that is what gives us a default-deny posture when you try to execute an unknown file, but it is definitely not the only piece of the puzzle. We've been developing it over years and years and have battle-tested it in the real world extensively, and there has never been a piece of malware that can infect the host machine.

Docker is a fairly decent example of the architecture we design around, but we are far more security focused, and everything is obviously proprietary, so an exploit needs to be targeted directly at our technology or at some of the Windows components we rely on. Even then, a single patch can remediate any insecurity found, and you are back to default-deny and far better off than default-allow.
 

PigLover

Moderator
Jan 26, 2011
3,184
1,545
113
I think the underlying point of contention is the overconfident, absolute statements like "impossible to get infected" and "malware problem solved".

I do think you have a unique approach to the problem and that it is likely better (perhaps much better) than other approaches. I think it likely deals with most known types of malware fairly effectively. In fact, it's an automated approach similar to what people here have proposed for a long time (single-use VM images).

However, I think when you couch it as unbreakable, "impossible to get infected" or as the ultimate "solution", all you do is paint a target on yourself to be mocked (TuxDude and I have been fairly tame...).

Tone it down a bit and you may get more people paying attention.
 

zer0sum

Well-Known Member
Mar 8, 2013
849
473
63
I appreciate the advice to tone it down and 100% respect that nothing is invincible... "Malware problem solved" is followed by a smile :)

Our approach is probably breakable at some point, and it's theoretically possible to get infected.
Rather than mock me (which you definitely aren't) let's just get into a technical discussion about malware detection/prevention strategies :)

I'm making some bold statements because I want to challenge people to think a bit differently about malware protection.
 

brendantay

Member
Aug 12, 2015
128
18
18
Australia
So, if I go and get myself a copy of Comodo Advanced Endpoint Protection, and I manage to get an infection (without disabling anything), what do I win?
 

zer0sum

Well-Known Member
Mar 8, 2013
849
473
63
The configuration out of the box is obviously going to be a little less secure, as it's designed for usability and not locked down all that much.
If you spend 2 minutes and enable HIPS, VirusScope and Auto-Sandbox and then get infected, I'd be really, really impressed :)

But let's make it a real incentive. It's not much, but I've got a spare Supermicro X9SCL I'll send you.

I've run probably a thousand pieces of new malware from Malwr (Malware Analysis by Cuckoo Sandbox) and other sources and haven't managed to get infected yet.