Using Virtualization to Protect from Internet Malware: Part II

Written by rob on April 1, 2007 – 1:54 pm

The following screenshots were taken under Vista with the new beta version of VMware. The guest system, however, is still Windows XP. This shows one strength of virtualization: it doesn’t matter what version of Windows you have… you can still install any other version virtually.

The first step, after acquiring VMware in one way or another, is to create a new virtual machine. After opening VMware, you do this by File -> New -> Virtual Machine, or simply by pressing CTRL+N. Press Next, and then Next again. Now ensure that Microsoft Windows is selected in the Guest Operating System combo box. Under the Version drop-down box, select the version of Windows you intend to install (I chose Windows XP Professional).

Press Next. For the Virtual Machine name, call it “Internet Browser”. The name doesn’t matter, but it will make things clearer later on if you keep to the same naming scheme as me. The location will default to the My Virtual Machines folder under My Documents (or the Virtual Machines folder under Documents in Vista). I left the default. Press Next. Then press Next again to accept Bridged Networking. One thing to know about that choice: bridged mode gives the guest its own address on your LAN, so other machines on the network can reach it and it can reach them; NAT keeps the guest off the LAN (nothing outside can connect in) while still letting it browse. In either mode the guest can reach the host over the virtual network, so the host firewall matters regardless. Bridged is fine to start with, and you can switch to NAT later in the virtual machine’s settings.

This next screen lets you choose the size of the virtual system’s hard drive. The value isn’t as important as it looks, because you can change it later, and the virtual hard drive file on your host is only as large as the space the guest has actually used. If you install Windows and Firefox on a 100GB virtual drive, the file on the host will still be around 1.5GB, because that is all the guest has written. I’ll stick with the default 8.0GB, but if you plan to put a variety of applications on the virtual machine to support your browsing, you could increase it. Just make sure the “allocate all disk space now” box is not checked, as that would needlessly consume the whole amount on your host. (One caveat: a growable disk grows as the guest writes but does not shrink when the guest deletes files; reclaiming that space later means running the shrink function in VMware Tools.) Press Finish when you’re done. If you get a hint after pressing Finish, just press OK to dismiss it.

You will notice that the virtual machine you just created has been added to the Favorite list on the side of VMware’s window. It is also currently selected and ready to use.

The last thing to do before starting the virtual machine is to set how much RAM it may use. Press the “Edit Virtual Machine Settings” button; the whole right side of the dialog that opens is dedicated to RAM. It is probably set near the green arrow, which is the recommended value. I prefer to set it higher; more RAM makes the virtual machine faster, just as with a real computer. If your host has 512MB or less, stick with the recommended value; if you have more, give the guest more. As a rule of thumb, set it to about 50% of the host’s RAM, but I wouldn’t go over 640MB, since XP never needs that much unless you are doing serious gaming (which you cannot do under VMware anyway). I have 2GB, so I gave my virtual system 640MB and it runs as fast as I need. If whatever you set here causes problems, you can come back and change it. The hard drive size can also be changed in this dialog, and if you have a dual-core processor you can let the guest use two processors here. Close the dialog and we are ready for the fun part.
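That settings dialog writes to a plain-text configuration file, the .vmx in the virtual machine’s folder, and a few security-relevant options live only there. The PowerShell script below is an added example, not part of the original post and not VMware’s own tooling: with the VM powered off, it sets the network mode chosen in the wizard above and the isolation switches that control the guest-to-host channels VMware Tools adds later (drag and drop, shared clipboard, shared folders). The option names are VMware’s documented .vmx keys; the default path under Documents\Virtual Machines, the parameter names and the choice of NAT as the default are this example’s assumptions.

```powershell
# Added example (not from the original post): harden the "Internet Browser"
# VM by editing its .vmx with the machine POWERED OFF (VMware reads the file
# at power-on and rewrites it when the VM stops, so edits to a running VM are lost).
# Assumption: VMware Workstation on Windows, VM created in the default folder.
param(
    [string]$VmxPath = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) `
                        'Virtual Machines\Internet Browser\Internet Browser.vmx'),
    # "bridged" (the wizard default) makes the guest a peer on your LAN;
    # "nat" keeps it reachable only from the host; "hostonly" has no Internet.
    [ValidateSet('nat', 'bridged', 'hostonly')]
    [string]$Network = 'nat',
    # $true keeps drag-and-drop and the shared clipboard (the convenience the
    # post relies on); $false closes those guest-to-host channels entirely.
    [bool]$AllowGuestHostTransfer = $true
)

function Set-VmxSetting {
    # Replace an existing 'key = "value"' line or append one. Keys are
    # case-insensitive in .vmx files, and -match is case-insensitive too.
    param([string[]]$Lines, [string]$Key, [string]$Value)
    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*='
    $newLine = '{0} = "{1}"' -f $Key, $Value
    $found   = $false
    $out = @(foreach ($line in $Lines) {
        if ($line -match $pattern) { $found = $true; $newLine } else { $line }
    })
    if (-not $found) { $out += $newLine }
    return $out
}

if (-not (Test-Path -LiteralPath $VmxPath)) { throw "No .vmx at $VmxPath (is the VM name/folder right?)" }
Copy-Item -LiteralPath $VmxPath -Destination "$VmxPath.bak" -Force   # keep the original config

$isolate  = if ($AllowGuestHostTransfer) { 'FALSE' } else { 'TRUE' }
$settings = @{
    'ethernet0.connectionType'      = $Network
    'isolation.tools.dnd.disable'   = $isolate   # drag and drop (both directions)
    'isolation.tools.copy.disable'  = $isolate   # guest -> host clipboard
    'isolation.tools.paste.disable' = $isolate   # host -> guest clipboard
    'isolation.tools.hgfs.disable'  = 'TRUE'     # shared folders: never needed for a browsing-only VM
}

$lines = @(Get-Content -LiteralPath $VmxPath)
foreach ($key in $settings.Keys) {
    $lines = Set-VmxSetting -Lines $lines -Key $key -Value $settings[$key]
}
Set-Content -LiteralPath $VmxPath -Value $lines
Write-Host "Updated ${VmxPath}; backup in ${VmxPath}.bak"
```

Run it once after the wizard finishes and again whenever you change your mind about the network mode; if you later decide the drag-and-drop convenience is not worth the exposure, rerun it with `-AllowGuestHostTransfer $false` and the guest can no longer push anything onto the host through VMware Tools.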

Now you can insert your Windows installation disk into your CD drive. The virtual machine uses the same CD drive as the main system. Now press “Start this Virtual Machine” (or you can use the green Play button on the toolbar). As soon as you see the VMware logo, click inside the virtual machine’s area so the keyboard and mouse are captured. Then press ESC. After the system briefly loads, you will be shown the Boot Menu. Use the arrow keys to move to CD-ROM drive and press Enter. Your install CD will then begin to boot (if it is Windows XP or Vista, you may need to press any key to start the disc, as prompted). From here, you should be right at home, as it will look the same as any Windows installation.

If you have not installed Windows before and are unsure what to do, there is a pretty good (off-site) guide to installing Windows XP linked here; you can skip to step 2 of its step-by-step instructions, as we already covered the rest. If you want it to look exactly like what you are used to, press the Full Screen button. Remember that to release your mouse and keyboard, and to leave full screen mode, you press CTRL+ALT. One scary moment is when you have to format a partition for Windows to install on. Remember that the virtual hard drive created by the wizard is a file on your host, not your real hard drive, so formatting it will NOT delete any of your host computer’s files. (The one way to change that is to deliberately attach a physical disk to the virtual machine in its settings; don’t.)

Once Windows is installed, you should be at the desktop of the user you set up during installation. You can now remove the Windows installation CD from your drive. The next thing to take care of is VMware Tools. Installing it gives the guest proper display and mouse drivers and enables drag and drop of files between the virtual machine and your regular computer, which you will need when, say, an e-mail attachment has to make its way to the host. Installation is simple. While the virtual system is running, press CTRL+ALT to release the mouse, go to the VM menu in VMware, and choose “Install VMware Tools”. Press Install in the box that appears; after a few seconds the installer starts inside the virtual machine. Click inside it to capture the mouse and go through the wizard. You may get a few warnings that the drivers are unsigned (they have not passed Windows Logo testing; one such window is pictured below); press “Continue Anyway”. When it finishes, the installer restarts the guest automatically.

After the reboot, VMware Tools is installed. Try the drag and drop: create a new file in Notepad or similar inside the guest, then drag it toward the edge of the guest window; it lets you continue dragging onto your host desktop or into a folder on the host. Files go the other way, host to guest, the same way. This obviously won’t work while the guest is in full screen mode, since the host desktop is not visible, but otherwise it is a very easy way to copy files between the systems.

This is useful when an e-mail attachment or something from the Internet needs to end up on your host. An even better example is music downloaded from Limewire: once it has finished downloading in the safe environment of the virtual system, copy it into a folder on your host and add it to iTunes. Keep in mind, though, that a file does not have to be an .exe to be dangerous: a crafted media file or document can exploit a bug in the player or viewer that opens it on the host, so keep those applications patched and do not treat a non-executable as automatically harmless.

It is important to note that this channel between guest and host is the main security risk in the approach, though not the only one: the guest also sits on the same network as the host, the shared clipboard is another path for content, and VMware itself is software that can have bugs. Of these, file transfer is the one you control directly, which is why I HIGHLY recommend that you do not copy any executable from the guest to the host until you have run it in the guest for a few days (and bear in mind that some malware checks whether it is inside a virtual machine and behaves differently there, so a quiet few days is evidence, not proof). The wonder of virtualization is that you now have a place to test programs for spyware at far lower risk; use the guest to its full potential, and never copy untrusted files between systems. Doing so undermines the very reason for using a virtual machine for Internet use.
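To make that rule mechanical rather than a matter of remembering, here is an added PowerShell example (not from the original post) for the host side of a transfer: files dragged out of the guest land in a staging folder, and nothing leaves that folder until this script has checked it. It classifies by content as well as by name, because a Windows executable renamed to .jpg is still an executable, and it records a SHA-256 of everything it sees so you can recognise a file later. The folder names, the blocked-extension list and the file-type signatures it checks are the example’s own choices.

```powershell
# Added example (not from the original post): a host-side gate for files
# dragged out of the guest. Drop them into $StagingDir; run this; only files
# that pass are moved on, the rest stay put for you to delete or test longer
# in the guest. Folder names and the blocked-extension list are assumptions.
$StagingDir  = Join-Path ([Environment]::GetFolderPath('Desktop')) 'FromGuest'
$AcceptedDir = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'FromGuest-Accepted'

# Names Windows will run, or that are scripts/installers/shortcuts in disguise.
$BlockedExt = @('.exe', '.dll', '.scr', '.com', '.pif', '.cpl', '.msi', '.bat', '.cmd',
                '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh', '.hta', '.lnk', '.reg', '.ps1')

function Get-FileClass {
    # Look at the first bytes, not the extension: an .exe renamed to .mp3 is
    # still a PE image and still runs if anything launches it.
    param([string]$Path)
    $head = New-Object byte[] 8
    $fs = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($head, 0, $head.Length) } finally { $fs.Close() }
    if ($n -ge 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A) { return 'pe-executable' }  # "MZ"
    if ($n -ge 4 -and $head[0] -eq 0xD0 -and $head[1] -eq 0xCF -and
        $head[2] -eq 0x11 -and $head[3] -eq 0xE0) { return 'ole-compound' }                 # .doc/.xls, may hold macros
    if ($n -ge 2 -and $head[0] -eq 0x50 -and $head[1] -eq 0x4B) { return 'zip-container' } # .zip/.docx/.jar
    return 'other'
}

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($fs) } finally { $fs.Close() }
    return [System.BitConverter]::ToString($bytes).Replace('-', '').ToLower()
}

function Get-RejectReasons {
    # Returns an empty array when the file may leave staging.
    param([System.IO.FileInfo]$File)
    $reasons = @()
    if ($BlockedExt -contains $File.Extension.ToLower()) { $reasons += "blocked extension '$($File.Extension)'" }
    switch (Get-FileClass $File.FullName) {
        'pe-executable' { $reasons += 'content is a Windows executable (MZ header)' }
        'ole-compound'  { $reasons += 'legacy Office container, may carry macros' }
        'zip-container' { $reasons += 'archive: unpack and vet the contents in the guest first' }
    }
    return ,$reasons
}

if (-not (Test-Path -LiteralPath $StagingDir))  { New-Item -ItemType Directory -Path $StagingDir  | Out-Null }
if (-not (Test-Path -LiteralPath $AcceptedDir)) { New-Item -ItemType Directory -Path $AcceptedDir | Out-Null }

foreach ($f in @(Get-ChildItem -LiteralPath $StagingDir | Where-Object { -not $_.PSIsContainer })) {
    $hash    = Get-Sha256Hex $f.FullName
    $reasons = @(Get-RejectReasons $f)
    if ($reasons.Count -eq 0) {
        Move-Item -LiteralPath $f.FullName -Destination (Join-Path $AcceptedDir $f.Name)
        Write-Host ("ACCEPT  {0}  sha256={1}" -f $f.Name, $hash)
    } else {
        # Left in staging on purpose: the file is inert until something opens it.
        Write-Host ("REJECT  {0}  sha256={1}  {2}" -f $f.Name, $hash, ($reasons -join '; '))
    }
}
```

Accepted does not mean safe: a document or media file can still exploit the program that opens it, so the gate is a filter, not a scanner. Pair it with a current anti-virus on the host and keep viewers patched. Rejected files stay in the staging folder, where they do nothing until launched, which is exactly the point.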

You now have everything setup that you need for the basic functionality of the virtual system. From here, I installed Firefox and also the Macromedia Flash plug-in for Firefox. I also installed Microsoft Office, as I often use Word to prepare blog entries and other online posts before posting them online. You can install whatever you want at this point, though I highly recommend installing Firefox, if only to preserve the life of your virtual machine. Also to preserve its life, I installed Avast Anti-Virus (a free anti-virus program that works just as well if not better than Norton and others).

Only install what you will need to use the Internet (unless you want to test an untrusted program before copying it to your host machine) or to perform other temporary services. After all, you will only use this virtual machine for the Internet, and nothing more. Installing too many things won’t necessarily be a problem, but it will tend to make you use the virtual machine for more than Internet. We don’t want that. The whole point of this project is that you want to have a virtual machine to use for Internet access, and that’s all. Due to the fact that you may have to completely restore the virtual machine if you get infected with spyware, you don’t want anything important on the virtual system.

Once all your programs are installed, it is time to make the snapshot. A snapshot records the files, settings and state of the virtual machine at a particular moment. Right now we know the system is free of spyware, and we want a snapshot so that we can come back to this point later if necessary. This is the part of the tutorial that differs most for Virtual PC users, who will have to find another way to restore their system if it gets infested.

You don’t have to, but I recommend shutting down the guest first; a snapshot of a powered-off machine has no memory state to save. When it is off, you are returned to the main VMware screen. Go to VM->Snapshot->Snapshot Manager. “You are here” will be selected; press the “Take Snapshot…” button. I called this snapshot BASE so I would not confuse it with later ones, and gave it a good description (do the same for all future snapshots so you know what each one includes).

Press OK when done naming it, and then press Close in the Snapshot Manager window. That’s all there is to taking a snapshot. We will now test it by having fun and destroying the virtual system.

Start the virtual machine. When it has fully booted, disable any anti-virus or anti-spyware programs. Now trash the machine any way you like: download obvious virus files from Limewire, delete random files from C:\Windows\system, or download and install well-known spyware such as Bonzi Buddy, Kazaa or Gator. You should be in pop-up hell in no time. If you would rather test the snapshot restore without wrecking the virtual machine, just create a new file on the desktop; after the restore that file should be gone. I used the command prompt to delete everything on the C: drive, which removed everything except certain system files and programs that were running.

The result when I restarted the virtual machine: (screenshot)

When you are satisfied that the system has been destroyed or otherwise changed from the snapshot, shut it down (if you have broken it badly enough that it cannot shut down, use the red square stop button in the toolbar to force a power off). Now it is time to restore a snapshot. Go to VM->Snapshot->Snapshot Manager. This time you will see the BASE snapshot, but it won’t be selected; select it. At the bottom of the window, near the Close button, is a button called Go To. It will ask you to confirm; press “Yes”. Within a second or so, the virtual machine is restored to the snapshot we made earlier.

Boot up the system to confirm the restoration. My system was no longer destroyed! You should now realize how powerful virtual machines are. By creating a snapshot every time you make a major change to your system, you allow yourself to revert back to that at any time.

Now that you know how to create the virtual machine and use snapshots, here is an overview of how a typical day goes when using the virtual machine alongside the host. You will develop your own routine eventually, but this should get you started. The biggest rule is to NEVER browse or download on the host machine; that is what keeps it clear of spyware and other malware. (The host still needs its own updates and anti-virus, and those use the network; the rule is about the browser and whatever the browser fetches, not about unplugging the host.)

Let’s say you just came home from school or work. You would turn on your real computer. Maybe you have a report to type. You would open Microsoft Word as normal, and start typing away. Now let’s say that you need to research something on the Internet. In order to prevent yourself from accidentally using the internet on the host machine, I recommend uninstalling Firefox and removing any icons to Internet Explorer or other browsers. It is now time to start up your virtual machine, so open VMware and start your virtual machine. Once it boots, you can start Firefox and start researching. You can switch back and forth between the virtual machine and your host computer, typing the various things in Word that you researched.

Now what if you need to include a picture from the internet? It’s very simple. You can just drag it from the Firefox window in the guest machine to the Word window, just as we did with files earlier. Try it! What if you need to cite the URL for the picture? Simply copy the URL in the guest machine and paste it in the host machine. The wonder of VMware tools is that it lets you drag and drop files between systems, and also lets you copy and paste between them.

Now you are done researching. There is no sense in keeping the virtual machine running, as it takes up a lot of RAM (half of yours, if you followed my recommendation when assigning RAM to it). You don’t, however, have to shut it down; constantly booting and shutting down would cost you productivity. Instead, Suspend it. This saves the guest’s memory and device state to a file in the virtual machine’s folder on the host, and the next time you start it you are right back where you left off. Press the yellow pause button on the toolbar to test it (or press CTRL+Z). Saving the state takes only a second or two, and restoring it about 30 seconds (less on a faster computer), so you can suspend the system whenever you aren’t using it to free the RAM. Given today’s Internet-focused habits, I expect most of you will keep it up at all times. Remember that suspending works even if you turn off your host computer. Note that a suspend is not a snapshot: resuming brings back everything that was running, spyware included, so it is no substitute for reverting when something has gone wrong.

You use the above method for a week or two. Then, while browsing, you want to make a new avatar for a forum and realise you never installed Photoshop. You can install it, but then what happens if you need to restore a snapshot? Photoshop would be gone. The answer is to take another snapshot after installing Photoshop. I recommend calling it “With Photoshop (maybe unsafe)” and stating in the description that it may be unsafe. After using the virtual system for another week or so without any spyware problems, go back and change the name and description to “Known to be Safe”. Then, if you do pick up spyware, you can revert to the “With Photoshop” snapshot instead of BASE. Following this renaming policy ensures you always know whether a snapshot is safe. Either way, you always know that BASE is spyware-free, if worst comes to worst.

The above procedures give you an idea of how to include virtualization in your computer life. It will vastly improve the security of your host computer: spyware that arrives through the browser lands in the guest, where a snapshot revert wipes it out, rather than on the host. It does not make infection impossible, since the guest can still reach the host over the network, files you choose to move across are only as safe as your judgement, and VMware itself can have bugs, so keep the host patched and firewalled as well. But as long as you follow the rule of using the Internet only on the virtual system, the host is out of the direct line of fire.

One last thing I would like to mention is using a virtual machine as your main system. This way, you could use Word, Photoshop, iTunes, etc. all on a virtual machine. The only things that wouldn’t work well are very graphically intensive applications such as games; those would still need the host. By keeping a series of rolling snapshots you can effectively back up everything on the virtual system, so that reverting after a spyware infection doesn’t mean a major loss. What I mean by rolling snapshots is this. Create one snapshot every week. When you create the current week’s, label the previous week’s as safe. At the end of a month, delete all of the safe snapshots except the latest. This saves hard drive space (each snapshot takes a decent amount, so you wouldn’t want over 20 of them) while still keeping a reasonable number (at least 4) in reserve in case spyware is found later. Once every three months, make another BASE snapshot. I recommend that you NEVER delete the original BASE, but you can use the rolling method to keep only one or two known-safe BASEs at any one time. Two caveats: snapshots live in the same folder, on the same host disk, as the virtual machine, so they protect against infection and mistakes, not against a failed drive (copy the whole folder elsewhere for a real backup), and a long chain of snapshots slows the guest’s disk access, which is another reason to prune.
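The weekly routine above, and the “worst comes to worst” revert from the previous section, can be scripted against vmrun, the command-line tool that ships with VMware Workstation, instead of clicking through the Snapshot Manager. The following PowerShell script is an added example, not from the original post and not VMware’s own: vmrun can take, list, delete and revert to snapshots but cannot rename one, so the script puts the date in each snapshot’s name and uses age in place of the “maybe unsafe” and “known safe” labels. The .vmx path, the four-weekly retention, the 91-day BASE cycle and the name prefixes are the example’s assumptions.

```powershell
# Added example (not from the original post): the weekly rolling-snapshot
# routine driven by vmrun, the command-line tool shipped with VMware Workstation,
# instead of the Snapshot Manager. vmrun cannot rename a snapshot, so the date
# in the name is the label and age replaces the "maybe unsafe"/"known safe"
# tags: the newest weekly is maybe unsafe, weeklies a week or older are safe.
# Assumptions: vmrun on PATH, the .vmx path, 4 weeklies kept, a 91-day BASE
# cycle. Run with the VM powered off or suspended, as the post recommends.
param(
    [string]$VmxPath = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) `
                        'Virtual Machines\Internet Browser\Internet Browser.vmx'),
    [int]$KeepWeekly = 4,
    [int]$BaseCycleDays = 91,
    [switch]$Revert      # go back to the newest known-safe snapshot instead
)

function Invoke-Vmrun {
    # Every vmrun call goes through here so a failure stops the script.
    param([string[]]$VmrunArgs)
    $out = & vmrun -T ws @VmrunArgs
    if ($LASTEXITCODE -ne 0) { throw "vmrun $($VmrunArgs -join ' ') failed: $out" }
    return $out
}

function Get-SnapshotNames {
    # listSnapshots prints "Total snapshots: N" and then one name per line.
    $out = @(Invoke-Vmrun -VmrunArgs @('listSnapshots', $VmxPath))
    return @($out | Select-Object -Skip 1 | Where-Object { $_.Trim() -ne '' })
}

function Get-Weeklies {
    # Oldest first: ISO dates sort correctly as plain strings.
    return @(Get-SnapshotNames | Where-Object { $_ -match '^weekly-\d{4}-\d{2}-\d{2}$' } | Sort-Object)
}

function Get-SnapshotAgeDays {
    param([string]$Name)
    if ($Name -match '(\d{4}-\d{2}-\d{2})$') {
        return ((Get-Date) - [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)).Days
    }
    return $null
}

function Restore-KnownSafe {
    # "Worst comes to worst": newest weekly at least 7 days old, else BASE.
    $safe   = @(Get-Weeklies | Where-Object { (Get-SnapshotAgeDays $_) -ge 7 })
    $target = if ($safe.Count -gt 0) { $safe[-1] } else { 'BASE' }
    Invoke-Vmrun -VmrunArgs @('revertToSnapshot', $VmxPath, $target) | Out-Null
    return $target
}

if ($Revert) { Write-Host ("reverted to " + (Restore-KnownSafe)); return }

$stamp = (Get-Date).ToString('yyyy-MM-dd')
$names = Get-SnapshotNames

# 1. This week's snapshot (maybe unsafe until another week passes without trouble).
$new = "weekly-$stamp"
if ($names -notcontains $new) { Invoke-Vmrun -VmrunArgs @('snapshot', $VmxPath, $new) | Out-Null }

# 2. A fresh dated BASE every $BaseCycleDays; the original "BASE" is never touched.
$bases = @($names | Where-Object { $_ -match '^BASE-\d{4}-\d{2}-\d{2}$' } | Sort-Object)
if ($bases.Count -eq 0 -or (Get-SnapshotAgeDays $bases[-1]) -ge $BaseCycleDays) {
    Invoke-Vmrun -VmrunArgs @('snapshot', $VmxPath, "BASE-$stamp") | Out-Null
}

# 3. Prune: keep the newest $KeepWeekly weeklies and the two newest dated BASEs.
$weekly = @(Get-Weeklies)
$bases  = @(Get-SnapshotNames | Where-Object { $_ -match '^BASE-\d{4}-\d{2}-\d{2}$' } | Sort-Object)
$stale  = @()
if ($weekly.Count -gt $KeepWeekly) { $stale += $weekly[0..($weekly.Count - $KeepWeekly - 1)] }
if ($bases.Count -gt 2)            { $stale += $bases[0..($bases.Count - 3)] }
foreach ($s in $stale) {
    Write-Host "deleting old snapshot: $s"
    Invoke-Vmrun -VmrunArgs @('deleteSnapshot', $VmxPath, $s) | Out-Null
}

# 4. Report the revert targets available right now.
$kept = @($weekly | Where-Object { $stale -notcontains $_ })
$safe = @($kept | Where-Object { (Get-SnapshotAgeDays $_) -ge 7 })
Write-Host ("maybe unsafe: {0}" -f $new)
Write-Host ("known safe:   {0}" -f ((@($safe) + @('BASE')) -join ', '))
```

Run it once a week with no arguments; run it with `-Revert` after a confirmed infection and it goes back to the newest weekly that has already survived a week of use, or to BASE if none has. Because the script never deletes a snapshot named exactly BASE, the original clean install is always one command away.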

Whether or not you choose to convert your entire computer workflow into a virtual system is up to you. I highly recommend, however, that you at least give the Internet Browser concept a try. It will save you a lot of reformatting and almost completely remove the hassle of spyware. If you have any questions about virtualization in general, or if you have any problems implementing this method, don’t hesitate to ask in the comments.


Posted in Howto's, Tech

4 Comments to “Using Virtualization to Protect from Internet Malware: Part II”

  1. softwarecoder Says:

    I am one of the developers of WeatherBug. I want to know on what technical basis you consider Weatherbug as spyware.

    Symantec AntiSpyware, Microsoft Windows AntiSpyware, Lavasoft Ad-Aware and Spybot S&D, which are the most popular anti-spyware programs, do not flag Weatherbug as spyware or adware.

    I am very interested in a technical discussion.

    Thank you

    Ben

  2. rob Says:

    I by no means intended to demean the developers of WeatherBug. However, that program has been synonymous with spyware for quite some time, pretty much since the inception of the anti-spyware craze.

    After some research, though, I have found that apparently WeatherBug is moving away from its spyware-ridden days. This site (http://axe-s.com/weatherbug/) has a few updates to it stating just that. It seems that someone contacted the owner of that site with the same intent as you… to educate the site viewers that Weatherbug is indeed no longer spyware.

    I’m not one to believe just anyone, so I decided to test it myself. Speaking of virtualization, I tested the latest version of WeatherBug in my virtual machine. It seems that if you do the Typical Install, the program comes bundled with MyWebSearch. My Avast anti-virus scanner went nuts during the install, detecting the MyWebSearch folder being created and populated with programs. MyWebSearch is classified by most anti-virus programs as a “potentially unwanted program”, but poses little to no risk. In addition to that, the WeatherBug program itself does not seem to be creating any pop-ups or other symptoms associated with spyware.

    That said, I only tested it for a few minutes. I will continue using the virtual system and post back if I notice any fishy things.

    For now, I will remove the WeatherBug reference from my post. I seem to agree with you that WeatherBug no longer contains any problematic pieces of code. I apologize for not checking up on the current status of the program and falsely accusing it of being spyware.

  3. softwarecoder Says:

    Thank you for your effort and updating your web site.

    We are more than the Weatherbug app. The company owns and operates 8,000 weather stations and 1,500 weather cameras in the US. Our primary business is selling real time weather data to energy, utilities, transportation and emergency management agencies.

    We released the app. in 2001 to let everyone have access to our network. The app. was never spyware or adware. I think the timing and lack of understanding of the app. led to the bad reputation you talk about. I never understood why anyone would think we endanger our network by engaging in unethical activities.

    MyWebSearch is the Ask.com browser toolbar. The toolbar is like the ones Google, MSN or Yahoo distribute. I will be interested to know how your anti-spyware programs behave if you download any of these programs.

    I think the perception is changing and there is an understanding of the app. Weatherbug is currently the third largest downloaded vista gadget.

    Off-site Link: Weatherbug Vista Gadget

    For more info on the company, please refer to http://www.weatherbug.com

    Thank you,

    Ben

  4. franck's blog Says:

    Microsoft is being squeezed from both ends…

    This week two things happened that don’t bode well for Microsoft’s software supremacy: the release of Google Gears and the upgrade of Parallels to version 3.0 ……