WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: Innovative TC usage, qemu windows malware  (Read 319 times)

Offline curaga

  • Administrator
  • Hero Member
  • *****
  • Posts: 11044
Innovative TC usage, qemu windows malware
« on: November 05, 2024, 02:12:43 AM »
https://www.bleepingcomputer.com/news/security/windows-infected-with-backdoored-linux-vms-in-new-phishing-attacks/

Even malware authors realize how nice TC is ;)
qemu.exe happens to be signed, they run TC inside qemu on windows and then connect back. The article shows they mastered the use of bootlocal and filetool.sh.
The only barriers that can stop you are the ones you create yourself.

Offline gadget42

  • Hero Member
  • *****
  • Posts: 785
Re: Innovative TC usage, qemu windows malware
« Reply #1 on: November 05, 2024, 03:42:18 AM »
The fluctuation theorem has long been known for a sudden switch of the Hamiltonian of a classical system Z54 . For a quantum system with a Hamiltonian changing from... https://forum.tinycorelinux.net/index.php/topic,25972.msg166580.html#msg166580

Offline nick65go

  • Hero Member
  • *****
  • Posts: 838
Re: Innovative TC usage, qemu windows malware
« Reply #2 on: November 08, 2024, 04:46:08 AM »
Innovative? yes; [very] easy to defend against it? YES!

The solutions are provided in the article already:
"To detect and block these attacks, consider placing monitors for processes like 'qemu.exe' executed from user-accessible folders, put QEMU and other virtualization suites in a blocklist, and disable or block virtualization in general on critical devices from the system BIOS"

The [main] problem is to suspect  /monitor that some process is eating the CPU energy. And to restrict common user rights [which is implicit in big corporations with proper qualified IT services].

PS: for my taste the kernel is still a little big for such an attack goal. I mean a KolibriOS with a kernel + OS of [100-320] KB could have more chance on private machines.
However on W11 the latest WSL2 (Windows Subsystem for Linux) has configuration parameters for global/individual VM (virtual machines) regarding firewall rules. Of course using WLS2; not qemu (which is mono-CPU). Why use qemu when WSL2 is "free" even for W10.
« Last Edit: November 08, 2024, 04:51:22 AM by nick65go »