
Will a virus get into a virtual PC even if it is virtually disconnected?


44 replies to this topic

#1 signofzeta

  • Members
  • 420 posts

Posted 14 October 2014 - 02:41 AM

I run Windows 8 as host, and XP in VirtualBox.

 

In the virtual machine, no antivirus and no firewall.  Host machine does have antivirus and firewall.

 

The host machine is connected to the internet.  The virtual pc is not connected to the internet, at least it isn't virtually.

 

The host PC and virtual PC have a shared folder.

 

How secure is it to virtually unplug the network cable in the virtual machine?

 

If the virtual network cable is unplugged, will a virus infect the virtual xp machine without going through the host machine first?

 

Has anyone made a virus where it infects the host by going through the host, into the virtual machine to modify itself so it can infect the host better, then back into the host?


Edited by hamluis, 14 October 2014 - 10:22 AM.
Moved from XP to Gen Security - Hamluis.



#2 technonymous

  • Members
  • 2,468 posts

Posted 16 October 2014 - 11:48 PM

Yes, a virus from the host can infect the VM. An infected VM can infect the network back again. When you run the VM in bridged mode it acts like any other PC connected on the local network. So the VM needs a firewall and virus scanner like any other PC would. I don't bridge VMs just to file share. I keep them in NAT and use drive integration set to manual. I turn it on temporarily to drop a file on the VM, then turn it back off again. If you turn the network settings off completely then there is no communication to host or internet. The VM is sitting in its own little world. Host cannot infect it either, and vice versa. Oracle VirtualBox has a lot more features like drag and drop: host to guest, guest to host, bidirectional. In the virtual world you may be installing some shady stuff that may be laced with viruses, so Host to Guest drag and drop is best.


Edited by technonymous, 17 October 2014 - 12:11 AM.


#3 Xirw

  • Members
  • 93 posts

Posted 17 October 2014 - 12:45 AM

Keeping the shared folder enabled is more dangerous than the network.

#4 signofzeta

  • Topic Starter
  • Members
  • 420 posts

Posted 17 October 2014 - 01:02 AM

Does having the virtual cable unplugged from the virtual machine prevent any outside viruses from coming into the virtual machine without passing through the host first?

 

So pretty much you are saying that the host pretty much has to be infected for the guest OS to be infected, am I correct?

 

So I have the host OS connected to the internet.  The guest OS is set to virtually have the network cable unplugged.  The guest and host OS have a shared folder.  Is there a way for a virus from the internet to directly get into the guest OS without touching the host OS?  I am asking if virtually unplugging the guest OS from the internet is like physically unplugging the network cable from the host OS, thus preventing viruses from getting in.

 

I also use Windows XP on a virtual machine to play older games, but I don't want to move the game folders around, so I decided to put them in a shared folder.  I also do not own a Windows XP disc, considering how I used to own a PC running XP for many years and saw no reason to buy the retail copy of Windows XP, but that machine has died, so all I could really do is use the 30 day trial of XP on VirtualBox and reinstall it once every 30 days, which means everything is gone after those 30 days, which is why I want the games in a shared folder so when I run it on XP using the virtual machine, I don't lose any saved progress.

 

So what I am really asking is, will the virtual network cable being unplugged in VirtualBox be enough to stop viruses from getting into the guest OS, and that the only way for the guest OS to be infected is if there was a virus in the host OS, am I correct?

 

Just take this scenario.  The host OS has layers and layers of security, so much that no virus will squeak through, and the host OS is connected to the internet.  The guest OS has no security, but is virtually not connected to the internet.  The guest OS and host OS have a shared folder.  Will a virus be able to infect the guest OS, host OS, or both?  If this is the case, do you agree that no virus can get into the guest OS unless it passed through the tight security of the host OS, am I right?

 

Let's take scenario 2.  There are no shared folders.  Both the host OS and the guest OS have to security.  The host OS is connected to the internet, but the guest OS is set so that the virtual network cable is unplugged.  Will a virus directly infect the host OS, guest OS, or both?

 

What I am trying to say is, does this virtual unplugging of the network cable really block viruses from directly getting into the guest OS just as well as a physical cable being unplugged to prevent viruses from getting into the host OS?


Edited by signofzeta, 17 October 2014 - 02:11 AM.


#5 Didier Stevens

  • BC Advisor
  • 2,620 posts

Posted 19 October 2014 - 05:00 AM

 
Let's take scenario 2.  There are no shared folders.  Both the host OS and the guest OS have to security.  The host OS is connected to the internet, but the guest OS is set so that the virtual network cable is unplugged.  Will a virus directly infect the host OS, guest OS, or both?

 

There is malware and proof-of-concept (PoC) code that does this.

 

One way is to open the file on the host that contains the virtual disk, and then infect some of the files in the virtual disk.

And there is PoC for VMware that exploits vulnerabilities to break the boundary between host and guest.

 

So yes, it is possible.

But why are you asking? Just out of interest, or do you have a (potential) issue with such malware?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#6 signofzeta

  • Topic Starter
  • Members
  • 420 posts

Posted 19 October 2014 - 09:19 PM

 

 
Let's take scenario 2.  There are no shared folders.  Both the host OS and the guest OS have to security.  The host OS is connected to the internet, but the guest OS is set so that the virtual network cable is unplugged.  Will a virus directly infect the host OS, guest OS, or both?

 

There is malware and proof-of-concept (PoC) code that does this.

 

One way is to open the file on the host that contains the virtual disk, and then infect some of the files in the virtual disk.

And there is PoC for VMware that exploits vulnerabilities to break the boundary between host and guest.

 

So yes, it is possible.

But why are you asking? Just out of interest, or do you have a (potential) issue with such malware?

 

 

So either way, if I set virtualbox to have the virtual cable disconnected, the only way a virus can get into the virtual machine is through my host machine right?

 

I am asking this because I frequently play this game that runs perfectly only on XP or older.  This game has sound problems when run on Vista, 7, or 8.  I also recently lost the only computer I had that runs Windows XP.  Motherboard capacitors blew.  It is also difficult to find a retail copy of Windows XP with a valid license code, but I found people online who got Windows XP to work on Windows 8.  The problem is that for it to work, you need a license code, so I have to make do with the 30 day trial, and reinstall Windows XP on the virtual machine once every 30 days, thus wiping everything out.  Since I do not want to lose the save data for this game, I set it so that I have a shared folder between the host and guest, with the game files saved in this shared folder.  That way I do not lose any save progress when I have to reinstall Windows XP on VirtualBox.  Even if I bought Windows 7 Professional with XP Mode, and Windows XP is bundled free, I can't really transfer that Windows XP license and use it on VirtualBox in Windows 8.

 

Currently, I have it set up so that the host machine is connected to the internet, and that I can access the internet with the host machine.  The host and virtual machines have a shared folder.  The virtual machine is set so that the virtual network cable is disconnected.  When I try to access the internet on my virtual machine, it is as if the network cable was really unplugged.  I want to know if a virus can directly get into the virtual machine from the internet without even touching the host machine first?

 

People say that disconnecting the PC from the internet should keep it safe from viruses.  I just want to know if the option in VirtualBox to virtually disconnect the virtual machine from the internet, while the host machine is connected to the internet, achieves the same effect as disconnecting a host machine from the internet.


Edited by signofzeta, 19 October 2014 - 09:32 PM.


#7 Didier Stevens

  • BC Advisor
  • 2,620 posts

Posted 24 October 2014 - 02:43 PM

 

I just want to know if the option in VirtualBox to virtually disconnect the virtual machine from the internet, while the host machine is connected to the internet, achieves the same effect as disconnecting a host machine from the internet.

 

Yes, it does.




#8 signofzeta

  • Topic Starter
  • Members
  • 420 posts

Posted 24 October 2014 - 10:36 PM

 

 

I just want to know if the option in VirtualBox to virtually disconnect the virtual machine from the internet, while the host machine is connected to the internet, achieves the same effect as disconnecting a host machine from the internet.

 

Yes, it does.

 

 

 

So if I have no shared folders between host and guest, VirtualBox is virtually disconnected from the internet, no access to external drives and USB keys, no antivirus, and no firewall, is it guaranteed that the virtual machine running XP will get no viruses?



#9 Didier Stevens

  • BC Advisor
  • 2,620 posts

Posted 25 October 2014 - 04:37 AM

So if I have no shared folders between host and guest, VirtualBox is virtually disconnected from the internet, no access to external drives and USB keys, no antivirus, and no firewall, is it guaranteed that the virtual machine running XP will get no viruses?

 

 

No, it's very unlikely, but there is no guarantee. Like I posted before, there are also exploits for vulnerabilities that break the host/guest isolation boundary. So keep your VM software patched.




#10 signofzeta

  • Topic Starter
  • Members
  • 420 posts

Posted 26 October 2014 - 12:15 AM

 

So if I have no shared folders between host and guest, VirtualBox is virtually disconnected from the internet, no access to external drives and USB keys, no antivirus, and no firewall, is it guaranteed that the virtual machine running XP will get no viruses?

 

 

No, it's very unlikely, but there is no guarantee. Like I posted before, there are also exploits for vulnerabilities that break the host/guest isolation boundary. So keep your VM software patched.

 

 

So what you are saying is as long as I do not have firewall, do not have antivirus in the guest machine, but set it so that the guest machine is virtually disconnected from the internet, all viruses and exploits come from the host machine, and not from any other source is that correct?

 

Since I am using the 30 day Windows XP trial, and I am only using it to play games that only run well on XP and not on Vista, 7, and 8, I plan on re-installing the Windows XP 30 day trial on VirtualBox, so every 30 days it would be a clean install.  If the virus can only get into the virtual machine from my host, it doesn't matter to me, since my host is already infected, but what I want to know is if an outside source can infect the virtual machine without going through the host first?

 

My ultimate goal is to protect the host machine, and I was wondering if a virus can get into the guest machine without ever touching the host machine, provided I set it so that the virtual network cable is disconnected?

 

I have it set up so that the host OS has a firewall and antivirus.  The guest OS does not.  There is a shared folder between the host and the guest.  The host is connected to the internet wirelessly, but I set it so that the guest OS is virtually disconnected from the internet.

 

So tell me if these statements are true, with regards to the statement above.

 

ALL viruses that infected the host can infect the guest.

ALL viruses that did not infect the host cannot infect the guest.

 

I am not as worried about viruses coming from the internet infecting the host, then infecting the guest, but what I am worried about is viruses coming from the internet, infecting the guest, then infecting the host, which is also why I ask if in VirtualBox, virtually disconnecting the network cable blocks all viruses from infecting the guest machine just as well as disconnecting a physical network cable blocks all viruses from coming into a host machine from the internet?

 

So what I am really asking is as long as the virtual network cable is unplugged, but the host machine network cable is plugged in, a virus cannot directly get into the guest machine, am I right?

 

So what you are saying is that my host machine has to be infected first before the guest machine can be infected, and based on my settings, no virus can get into the guest machine without being from the infected host machine.


Edited by signofzeta, 26 October 2014 - 12:22 AM.


#11 Didier Stevens

  • BC Advisor
  • 2,620 posts

Posted 26 October 2014 - 06:05 AM

I'm sorry if I confused you, but you asked "is it guaranteed", I said no because of how virtualization works.

 

Yes, if you disconnect the "virtual network cable", no network activity is possible, it is the same as disconnecting a physical network cable.

 

However, in virtualization, the virtual network cable is not the only possible channel. You identified yourself other channels, like shared folders.

 

You think that the boundary between the host and the guest is impenetrable, and it is not, because of software bugs that are called vulnerabilities. This is another (potential) channel.

You can read more on Wikipedia:

http://en.wikipedia.org/wiki/Virtual_machine_escape

 

That is why I say there is no guarantee: because of potential vulnerabilities that can open a channel in the boundary between the host and the guest.

Here is a recent example for VirtualBox (very technical):

http://www.vupen.com/blog/20140725.Advanced_Exploitation_VirtualBox_VM_Escape.php

 

But in your case, don't worry about it, you won't have this issue with the viruses you are talking about.

 


So what I am really asking is as long as the virtual network cable is unplugged, but the host machine network cable is plugged in, a virus cannot directly get into the guest machine, am I right?

 

So what you are saying is that my host machine has to be infected first before the guest machine can be infected, and based on my settings, no virus can get into the guest machine without being from the infected host machine.

 

 

Correct.


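The channels Didier Stevens lists above (the virtual network cable, shared folders, and, from technonymous's post #2, the NAT/bridged mode and drag and drop settings) can all be read back from VirtualBox's own configuration dump, so a VM's isolation can be checked rather than assumed. The script below is an added example, not code from the thread or from VirtualBox; it assumes the key names (`nic1`, `cableconnected1`, `SharedFolderNameMachineMapping1`, `SharedFolderPathMachineMapping1`, `clipboard`, `draganddrop`, `usb`) as printed by `VBoxManage showvminfo "<vm>" --machinereadable`, and the three sample dumps are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the thread): audit which host<->guest channels a
# VirtualBox VM leaves open, from the key="value" lines printed by
#   VBoxManage showvminfo "<vm name>" --machinereadable
# The function takes that text as its first argument so it runs offline on a
# constructed sample; for a live VM pass "$(VBoxManage showvminfo "$VM" --machinereadable)".
# Channels checked: network adapters with the virtual cable connected, shared
# folders, shared clipboard, drag and drop, USB passthrough.
# Return value: number of open channels found (0 = no channel besides the hypervisor itself).

audit_vm_channels() {
    printf '%s\n' "$1" | awk -F'=' '
    NF >= 2 {
        key = $1; val = $2; gsub(/"/, "", val)
        if (key ~ /^nic[0-9]+$/)                                 { sub(/^nic/, "", key); nic[key] = val }
        else if (key ~ /^cableconnected[0-9]+$/)                 { sub(/^cableconnected/, "", key); cable[key] = val }
        else if (key ~ /^SharedFolderNameMachineMapping[0-9]+$/) { sub(/^SharedFolderNameMachineMapping/, "", key); share[key] = val }
        else if (key ~ /^SharedFolderPathMachineMapping[0-9]+$/) { sub(/^SharedFolderPathMachineMapping/, "", key); spath[key] = val }
        else if (key == "clipboard")   clip = val
        else if (key == "draganddrop") dnd = val
        else if (key == "usb")         usb = val
    }
    END {
        open = 0
        # "none" = no adapter at all, "null" = adapter not attached to anything;
        # any other mode (nat, bridged, ...) carries traffic only while the cable is "on".
        for (i in nic) {
            if (nic[i] == "none" || nic[i] == "null") continue
            if (cable[i] == "on") { printf "OPEN   nic%s: %s network, virtual cable connected\n", i, nic[i]; open++ }
            else                    printf "closed nic%s: %s network, virtual cable unplugged\n", i, nic[i]
        }
        # A shared folder is a file channel in both directions, whatever the network state.
        for (i in share) { printf "OPEN   shared folder \"%s\" -> %s\n", share[i], spath[i]; open++ }
        if (clip != "" && clip != "disabled") { printf "OPEN   shared clipboard: %s\n", clip; open++ }
        if (dnd != "" && dnd != "disabled")   { printf "OPEN   drag and drop: %s\n", dnd; open++ }
        if (usb == "on")                      { print "OPEN   USB controller enabled (device passthrough possible)"; open++ }
        if (open == 0) print "no host/guest channels open; residual risk is hypervisor bugs, so keep VirtualBox patched"
        exit open
    }'
}

# Returns the open-channel count as a number for callers that want a value
# rather than an exit status.
count_open_channels() {
    audit_vm_channels "$1" >/dev/null && echo 0 || echo $?
}

# Constructed sample approximating the setup in the thread: NAT adapter with
# the virtual cable unplugged, one shared folder for the game saves, no USB.
SAMPLE_THREAD='nic1="nat"
cableconnected1="off"
nic2="none"
SharedFolderNameMachineMapping1="games"
SharedFolderPathMachineMapping1="C:\Users\me\games"
clipboard="disabled"
draganddrop="disabled"
usb="off"'

# Constructed sample of a VM with every channel closed.
SAMPLE_ISOLATED='nic1="null"
cableconnected1="on"
clipboard="disabled"
draganddrop="disabled"
usb="off"'

# Constructed sample of a bridged VM with bidirectional clipboard and drag and drop.
SAMPLE_BRIDGED='nic1="bridged"
cableconnected1="on"
clipboard="bidirectional"
draganddrop="bidirectional"
usb="on"'

for s in "$SAMPLE_THREAD" "$SAMPLE_ISOLATED" "$SAMPLE_BRIDGED"; do
    audit_vm_channels "$s" || true
    echo "---"
done
```

For the thread's setup the only open channel reported is the shared folder, which matches Xirw's point that the share, not the (unplugged) network, is the path left between host and guest.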


#12 signofzeta

  • Topic Starter
  • Members
  • 420 posts

Posted 26 October 2014 - 05:32 PM

I'm sorry if I confused you, but you asked "is it guaranteed", I said no because of how virtualization works.

 

Yes, if you disconnect the "virtual network cable", no network activity is possible, it is the same as disconnecting a physical network cable.

 

However, in virtualization, the virtual network cable is not the only possible channel. You identified yourself other channels, like shared folders.

 

You think that the boundary between the host and the guest is impenetrable, and it is not, because of software bugs that are called vulnerabilities. This is another (potential) channel.

You can read more on Wikipedia:

http://en.wikipedia.org/wiki/Virtual_machine_escape

 

That is why I say there is no guarantee: because of potential vulnerabilities that can open a channel in the boundary between the host and the guest.

Here is a recent example for VirtualBox (very technical):

http://www.vupen.com/blog/20140725.Advanced_Exploitation_VirtualBox_VM_Escape.php

 

But in your case, don't worry about it, you won't have this issue with the viruses you are talking about.

 


So what I am really asking is as long as the virtual network cable is unplugged, but the host machine network cable is plugged in, a virus cannot directly get into the guest machine, am I right?

 

So what you are saying is that my host machine has to be infected first before the guest machine can be infected, and based on my settings, no virus can get into the guest machine without being from the infected host machine.

 

 

Correct.

 

That's good to know.  At least I know now that viruses won't get into my guest machine unless they are from the host, and that outside viruses won't infect the host via the guest and would infect the host directly, meaning that the guest machine didn't compromise the security of the host.  Even if a virus gets into the guest, I can easily just reinstall the OS on the guest.

 

As long as the guest machine does not compromise the security of the host machine, then it is all good for me.


Edited by signofzeta, 26 October 2014 - 05:33 PM.


#13 technonymous

  • Members
  • 2,468 posts

Posted 26 October 2014 - 09:04 PM

I just use a differencing disk with undo disk enabled and do maintenance on them once in a while and compress them down.



#14 wizardfromoz

  • Banned
  • 2,799 posts

Posted 27 October 2014 - 05:11 PM

signofzeta, hi. Not seeking to stray off-topic, but with your old PC that had XP on it, that blew, did you:

  1. Keep the hard drive?
  2. Ever run Belarc Advisor on it?

Over at Antivirus for Linux, I said, in part:

 

 

When I was using Windows 7 on my puter before breaking the ties, I was playing around with the Windows version of Oracle's Virtual Box, and used it to install XP Media Center Edition (SP3) that was on another machine. It worked fine.

 

I didn't have the product key around any more, but one of the advantages of Belarc Advisor over Piriform Speccy is that Belarc's info includes the licence numbers of all software you own on the puter ...  but also any and all Product Keys.

 

I found this useful both with XP, but also with a lot of Ashampoo software I had accumulated since starting with them in '02.

 

and

 

 

A further note on Belarc Advisor verging on off-topic, but with a view to returning to same:

 

For those unfamiliar with Belarc Advisor, it stores the output of its findings within your puter, using a file with a .bci extension, and which, under my former Windows 7 environment, under c:\Program Files (x86)\Belarc\Advisor.

 

The file in that folder was, I think, the current results. Historical results got moved to a subfolder at the same level, called "Advisor Reports - Saved - html", containing not .html files, but .bci files. .bci is a proprietary format not opened nor converted, easily, by anything other than Belarc Advisor. If you double-click it from Windows Explorer, it will open in your browser. If you plan to venture off the beaten track as I have done, in leaving Windows behind, and you perceive a need for Belarc's reports later (eg within a VM framework running Windows), then best to save the output in another, perhaps textual, format.

 

This page says it all, read, nothing - here, at FileExtensions.org.

 

If you have the old hard drive and it works, you could put it in a caddy and fire it up.

 

Belarc will report across all drives it can see, but if it is not on your current setup, you will need to install it, there should you discontinue using another source instance of it (because of the proprietary format that is .bci).

 

It's your topic, so if you wish to regard this as off-topic you could start a new topic over at eg XP.

 

I'll leave you to it, and don't forget to factor in Router security.

 

Cheers and

 

Keep Smilin' :wink:

 

:wizardball:  Wizard



#15 signofzeta

  • Topic Starter
  • Members
  • 420 posts

Posted 27 October 2014 - 10:23 PM

signofzeta, hi. Not seeking to stray off-topic, but with your old PC that had XP on it, that blew, did you:

  1. Keep the hard drive?
  2. Ever run Belarc Advisor on it?

Over at Antivirus for Linux, I said, in part:

 

 

When I was using Windows 7 on my puter before breaking the ties, I was playing around with the Windows version of Oracle's Virtual Box, and used it to install XP Media Center Edition (SP3) that was on another machine. It worked fine.

 

I didn't have the product key around any more, but one of the advantages of Belarc Advisor over Piriform Speccy is that Belarc's info includes the licence numbers of all software you own on the puter ...  but also any and all Product Keys.

 

I found this useful both with XP, but also with a lot of Ashampoo software I had accumulated since starting with them in '02.

 

and

 

 

A further note on Belarc Advisor verging on off-topic, but with a view to returning to same:

 

For those unfamiliar with Belarc Advisor, it stores the output of its findings within your puter, using a file with a .bci extension, and which, under my former Windows 7 environment, under c:\Program Files (x86)\Belarc\Advisor.

 

The file in that folder was, I think, the current results. Historical results got moved to a subfolder at the same level, called "Advisor Reports - Saved - html", containing not .html files, but .bci files. .bci is a proprietary format not opened nor converted, easily, by anything other than Belarc Advisor. If you double-click it from Windows Explorer, it will open in your browser. If you plan to venture off the beaten track as I have done, in leaving Windows behind, and you perceive a need for Belarc's reports later (eg within a VM framework running Windows), then best to save the output in another, perhaps textual, format.

 

This page says it all, read, nothing - here, at FileExtensions.org.

 

If you have the old hard drive and it works, you could put it in a caddy and fire it up.

 

Belarc will report across all drives it can see, but if it is not on your current setup, you will need to install it, there should you discontinue using another source instance of it (because of the proprietary format that is .bci).

 

It's your topic, so if you wish to regard this as off-topic you could start a new topic over at eg XP.

 

I'll leave you to it, and don't forget to factor in Router security.

 

Cheers and

 

Keep Smilin' :wink:

 

:wizardball:  Wizard

 

I have not run Belarc Advisor on this old XP computer, and I still have that certificate of authenticity sticker on my old PC, and reading your post, I don't think your method can salvage that Windows XP license from that PC.

 

The 8 year old PC that has blown caps on the motherboard is a PC that had Windows XP preinstalled, so I couldn't really use that Windows XP license unless I use that exact motherboard, unless this Belarc Advisor bypasses this restriction, but from what you said, I assume that you are talking about the retail version of Windows XP, you know, the boxed copy, not the ones that came preinstalled with new computers, which is why your method probably works for you, but not for me.

 

I think your method is more for people who have lost their product keys, so Belarc Advisor is used to find the product key hidden in the hard drive, but I fail to understand how this thing works.  Was your other PC already dead when you used Belarc Advisor to retrieve the product key?  Did you need the other PC to work?  I am confident that my hard drive is fine.  It is just that the motherboard is toast, and the PC won't power on.  The biggest question is, did you have a retail boxed license of Windows XP, or did you have an OEM license of Windows XP that came with your computer when you bought it?  I have the latter, which is why I think Belarc Advisor isn't going to help.

 

I just don't see how I can re-use that Windows XP license on a virtual machine or a computer with a completely different motherboard.


Edited by signofzeta, 27 October 2014 - 10:48 PM.




