


Question

I generally do all of my web browsing in a VM. I have one "safe" VM running Ubuntu that has guest services installed. I generally only go to sites I deem are trustworthy here.

I also have an "unsafe" VM with Ubuntu that does not have the guest services installed.

Tonight I was using the unsafe VM to browse some less than savory areas of the internet when one of the annoying FBI popups occurred. No big deal...and then I see Norton from my host machine pop up with a blocked action on C:\Windows\SysWOW64\vmnat.exe. The alert name was "Web Attack: Ransomlock Website 7" and it came from the fake FBI website in the popup. This may not be important...but as an FYI I was using Chrome to surf.

I don't fully understand the VMware NAT system, but does this sound like malware could have leaked from the VM onto my host, or does Norton have insight into what vmnat.exe may have been calling and sending back to the VM?

I mainly just want to make sure my host is "safe", but I am also curious as to how this works.

Explanation / Answer

Let us first tackle the VM network. An external address, usually routable, is the "outside" of the NAT. The machines behind the NAT have an "inside" address that is usually non-routable.

Bridged mode acts just like the interface you're bridging with is now a switch and the VM is plugged into a port on it. Everything acts the same as if it were another regular machine attached to that network.

If you are in bridged mode and malware infects it, then it can read your routing table and identify your network range to pivot into other machines.

Now coming to the infection. Ransomware is a typical malware that locks your machine upon infection. The images you saw on your screen were all fake. If you had noticed, it must have been asking you to pay some fine to unlock your computer. This is a trick that ransomware applies to steal money. One of the ways the ransomware reached your machine was that the website you were browsing was hacked and an invisible iframe must have been injected that redirects you to a browser exploit, thus dropping and executing the malware onto your system. It's a good move that you have separate VMs for different browsing activities. If you keep them in NAT network mode then the infection will only stay inside the VM. You can imagine what would have happened if the ransomware had locked your host OS.
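A defender-side check for the situation in the question, added here as an example and not part of the original answer: it verifies on the Windows host that the vmnat.exe Norton flagged is the vendor-signed VMware NAT service, lists what that process is connected to, and confirms from the VM's .vmx file that the unsafe VM really is in NAT rather than bridged mode. It assumes PowerShell 5+ on the host, the vmnat.exe path from the alert, and that you know the .vmx path of the unsafe VM (placeholder below).

```powershell
# Added example, not from the original post. Assumed path: the binary named in the Norton alert.
$VmnatPath = 'C:\Windows\SysWOW64\vmnat.exe'

function Test-VmnatIntegrity {
    param([string]$Path = $VmnatPath)
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path      = $Path
        Present   = $true
        SigStatus = $sig.Status                     # expect 'Valid'; anything else needs a closer look
        Signer    = $sig.SignerCertificate.Subject  # expect the vendor's (VMware) certificate subject
        SHA256    = $hash                           # compare with the same file on a known-good install
    }
}

function Get-VmnatConnections {
    # TCP connections owned by the running vmnat process(es): NAT traffic to/from the guests.
    # Unexpected remote endpoints here are what the answer's "leaked out of the VM?" worry is about.
    $procs = Get-Process -Name vmnat -ErrorAction SilentlyContinue
    foreach ($p in $procs) {
        Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue |
            Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State
    }
}

function Get-VmxNetworkMode {
    # Reads ethernet<N>.connectionType from a .vmx; "nat" keeps the guest behind the NAT,
    # "bridged" puts it directly on the host's network (the case the answer warns about).
    param([Parameter(Mandatory)][string]$VmxPath)
    Get-Content -Path $VmxPath |
        Where-Object { $_ -match '^\s*ethernet\d+\.connectionType\s*=' }
}

# Usage (placeholder .vmx path; replace with the unsafe VM's actual file):
Test-VmnatIntegrity | Format-List
Get-VmnatConnections | Format-Table -AutoSize
Get-VmxNetworkMode -VmxPath 'C:\VMs\unsafe-ubuntu\unsafe-ubuntu.vmx'
```

A valid vendor signature plus only guest-side endpoints in the connection list is consistent with Norton inspecting NAT traffic that vmnat.exe relayed for the guest, rather than with the host itself being infected; a missing or invalid signature, or an unexpected `bridged` line, is the point at which to treat the host as suspect.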