Virus from Guest to Host

Discussions about using Windows guests in VirtualBox.
sfdemo
Posts: 14
Joined: 17. Jul 2010, 16:03
Primary OS: MS Windows Vista
VBox Version: OSE other
Guest OSses: windows xp

Virus from Guest to Host

Post by sfdemo »

Hi, I would like to ask how a virus that has infected the guest goes on to infect the host system.

I've heard that they are the shared folders, networking, etc. Is there anything more to it?


Lastly, how should I apply the fix to prevent the virus on the guest OS from infecting the host system, while the guest is still able to use the internet?

I would like to clarify that this is not due to any cracking or stuff. This Russian software I'm using is detected as a threat by other antivirus. The author themselves said to either run it on a dedicated server or on your computer locally without any antivirus software on. I'm afraid to compromise my computer and thus would like to run it on VirtualBox.

Main reason is the software would visit sites, and some malicious sites would themselves infect your computer with trojans etc. Therefore, I would like to know the fix to prevent the host from being affected by the guest, and I can delete the guest anytime.
Perryg
Site Moderator
Posts: 34369
Joined: 6. Sep 2008, 22:55
Primary OS: Linux other
VBox Version: OSE self-compiled
Guest OSses: *NIX

Re: Virus from Guest to Host

Post by Perryg »

sfdemo wrote:I would like to clarify that this is not due to any cracking or stuff. This Russian software I'm using is detected as a threat by other antivirus. The author themselves said to either run it on a dedicated server or on your computer locally without any antivirus software on. I'm afraid to compromise my computer and thus would like to run it on VirtualBox.
Do you trust this author? I mean really trust them? They are telling you to use this software without the virus software running. Ever wonder why?

Virus software on the host fully updated, no shared folders and use NAT. Best you can do. Still might not be good enough.
sfdemo
Posts: 14
Joined: 17. Jul 2010, 16:03
Primary OS: MS Windows Vista
VBox Version: OSE other
Guest OSses: windows xp

Re: Virus from Guest to Host

Post by sfdemo »

Yes, the author is trustable, it's just that having antivirus would impede the software from running properly.
Richard_S
Posts: 8
Joined: 11. Jul 2010, 22:35
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: XP,Linux

Re: Virus from Guest to Host

Post by Richard_S »

For the record, the individual who attacked the original poster and then locked the original thread needs to apologize, as NOTHING in the original post had even the tiniest hint that he was talking about testing so called 'cracked' software.

Just to set things straight - ALL software from the web is suspect until proven otherwise.

Even the 'holy of holies' open source software repositories have been compromised in the past on at least a half dozen occasions, and there is at least one case on record where even the main Mozilla Firefox Addon repository was found to be handing out infected plugins.

So someone needs to climb down off their high horse and recognize that 'sandbox' testing of code, for both stability and security, is an important and perfectly valid purpose of VM technology.

Ok, nuf said, so let me get down off my soapbox and try to address the original poster's question . . .

As I see it, there are at least two issues here that need to be considered.

1. What is the potential for the Guest to try to use the internal network connection to infect the Host?

2. What is the likelihood that malware on the guest can break out of the VM and execute arbitrary binary code in the host OS?

The networking security issue is dependent on VirtualBox's network setup.

Some networking settings do not allow the host to communicate with the guest at all, but in the case that communication is allowed, the most critical issue is whether or not the configuration used by VirtualBox to link to the Host OS network will allow the Host's firewall to operate properly so that incoming connection requests to critical ports from the VirtualBox Guest can be blocked or allowed just like connections from the outside world.

If VirtualBox can be configured to bypass the host's firewall, then that should be understood so that that configuration can be avoided where security is a concern.

The answer to number 2. is much tougher to assess, because it is dependent on just how intrinsically secure VirtualBox's virtual machine architecture is.

In theory, a perfect virtual machine will be perfectly secure (even in the absence of hardware virtualization support) but since when has ANY piece of software ANYWHERE been 'perfect'?

The main thing is to recognize that securing the virtual machine against attempts by malware to break out and gain host OS privileges IS IMPORTANT, and to make this a priority for the developers.

Foolish comments to the effect that "only someone using 'crackware' would care if the VirtualBox VM is properly secured" are EXACTLY WHAT WE DON'T NEED, if security is going to be given the priority it deserves in the development process.
Sasquatch
Volunteer
Posts: 17798
Joined: 17. Mar 2008, 13:41
Primary OS: Debian other
VBox Version: PUEL
Guest OSses: Windows XP, Windows 7, Linux
Location: /dev/random

Re: Virus from Guest to Host

Post by Sasquatch »

Richard_S wrote:For the record, the individual who attacked the original poster and then locked the original thread needs to apologize, as NOTHING in the original post had even the tiniest hint that he was talking about testing so called 'cracked' software.
I don't need to do anything. There were enough blanks in his post that could lead to illegal actions, so unless he stated otherwise, as he did here, I have all the reasons to lock it to prevent any discussion of illegal activities. You don't know what went on through PMs between the user and me, so just hush and drop it.
So for the record, just keep your mouth shut, ok?
Read the Forum Posting Guide before opening a topic.
VirtualBox FAQ: Check this before asking questions.
Online User Manual: A must read if you want to know what we're talking about.
Howto: Install Linux Guest Additions
Howto: Use Shared Folders on Linux Guest
See the Tutorials and FAQ section at the top of the Forum for more guides.
Try searching the forums first with Google and add the site filter for this forum.
E.g. install guest additions site:forums.virtualbox.org

Retired from this Forum since OSSO introduction.
TerryE
Volunteer
Posts: 3572
Joined: 28. May 2008, 08:40
Primary OS: Ubuntu other
VBox Version: PUEL
Guest OSses: Ubuntu 10.04 & 11.10, both Svr&Wstn, Debian, CentOS

Re: Virus from Guest to Host

Post by TerryE »

@Richard_S, your post seemed fine to me. Sasquatch may have reasons for any comments as a result of PM exchange, but it seems harsh to me to criticise another poster for trying to help in ignorance of this.
Read the Forum Posting Guide
Google your Q site:VirtualBox.org or search for the answer before posting.
sfdemo
Posts: 14
Joined: 17. Jul 2010, 16:03
Primary OS: MS Windows Vista
VBox Version: OSE other
Guest OSses: windows xp

Re: Virus from Guest to Host

Post by sfdemo »

Another couple of questions about the precautions against any virus transmission:

1) Prevent clipboard sharing
2) Disable shared folder [Is this disabled by default, or how do I go about disabling it?]
3) Use NAT
4) Host's antivirus to firewall against it
5) Do I have to install the guest additions?

Am I right about the steps above to take actions too?

Sorry for not explaining in detail and thus leading to arguments.
TerryE
Volunteer
Posts: 3572
Joined: 28. May 2008, 08:40
Primary OS: Ubuntu other
VBox Version: PUEL
Guest OSses: Ubuntu 10.04 & 11.10, both Svr&Wstn, Debian, CentOS

Re: Virus from Guest to Host

Post by TerryE »

sfdemo wrote:Do i have to install the guest additions?
This depends how paranoid you are. Without GA, the user-experience for Windows is very reduced. AFAIK (excepting shared folders) using it doesn't introduce any known vulnerabilities.
sfdemo wrote:Disable shared folder
Installing GA enables the client-side components of shared folders, but to use this you still need to enable the shared folders server-side, so don't.
sfdemo wrote:3) Use NAT / Host's antivirus to firewall against it
This is actually an interesting one. Having an untrusted VM on your network presents the same vulnerabilities as having an untrusted physical PC. The best approach is isolation -- that is to have no network enabled and to use USB for file transfer.
  • I would challenge the wisdom of NAT. The disadvantage is that this gives the guest pretty uncontrolled outbound access to the network and due to the nature of address translation, this traffic would be indistinguishable from that of the host, thus giving the VM a perfect cloak. Not a good idea.
  • Host networking will limit the machine's access to the host, but then open the host to attack.
  • Internal networking to a second VM which is a trusted firewall which then itself has a second bridged network is in my mind the best solution if the VM needs internet access.
  • If you don't want to set this up, but still need to allow the VM access to the internet, then I would suggest that at least a simple bridged solution enables you to identify your VM and set up your host / other PC firewall filters accordingly.
sfdemo
Posts: 14
Joined: 17. Jul 2010, 16:03
Primary OS: MS Windows Vista
VBox Version: OSE other
Guest OSses: windows xp

Re: Virus from Guest to Host

Post by sfdemo »

Is there a difference if I use Host Only Adaptor or Bridged?
Sasquatch
Volunteer
Posts: 17798
Joined: 17. Mar 2008, 13:41
Primary OS: Debian other
VBox Version: PUEL
Guest OSses: Windows XP, Windows 7, Linux
Location: /dev/random

Re: Virus from Guest to Host

Post by Sasquatch »

Bridged allows the VM to go on the physical network, Host-Only prevents that access and allows Host <=> Guest communication only. It's in the manual :roll:.
MarkCranness
Volunteer
Posts: 875
Joined: 10. Oct 2009, 06:27
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: Windows Server 2008 R2; Ubuntu 11.04; Windows 2000 Server; Windows XP

Re: Virus from Guest to Host

Post by MarkCranness »

sfdemo wrote:3) Use NAT / Host's antivirus to firewall against it
To add to TerryE's excellent comments: If you allow the VM to use NAT, it may be difficult or impossible to firewall the VM from the host.
If the VM were to find out or guess the host's IP address (for example 10.0.0.3) and connect to it, then when using NAT, the host sees a connection coming from the VirtualBox program FROM the host's IP (10.0.0.3) connected back to the host's IP (10.0.0.3). Likely firewall software will not attempt to block that connection, and then malware running in the VM might attempt TCP based exploits against the host.
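
The precautions discussed in the posts above (clipboard, shared folders, network mode), turned into a check, as an added example that is not part of any poster's reply. It reads text in the `key="value"` format of `VBoxManage showvminfo <vm> --machinereadable`; the key names are assumed and should be compared with the output of your own VirtualBox version, and the WARN/NOTE/OK grading simply follows the opinions given in this thread.

```shell
#!/bin/sh
# Added example: audit the guest isolation settings discussed in this thread.
# Input format: key="value" lines as printed by
#   VBoxManage showvminfo <vm> --machinereadable
# Key names are assumed; verify them against your VirtualBox version.

audit_vm_info() {
    # Reads machine-readable VM info on stdin, prints one finding per line.
    awk -F= '
        { key = $1; val = $2; gsub(/"/, "", key); gsub(/"/, "", val) }
        key == "clipboard" && val != "disabled" {
            print "WARN clipboard sharing is " val }
        key == "draganddrop" && val != "disabled" {
            print "WARN drag and drop is " val }
        key ~ /^SharedFolderName/ {
            print "WARN shared folder configured: " val }
        key ~ /^nic[0-9]+$/ {
            if (val == "nat")
                print "WARN " key " uses NAT: guest traffic leaves with the host address"
            else if (val == "hostonly")
                print "WARN " key " is host-only: guest can reach host services"
            else if (val == "bridged")
                print "NOTE " key " is bridged: filter the guest by its own address"
            else if (val == "intnet")
                print "OK " key " is on an internal network"
            else if (val == "none")
                print "OK " key " is disabled"
        }
    '
}

# Constructed sample input, not captured from a real VM.
sample_vm_info() {
    cat <<'EOF'
name="xp-sandbox"
clipboard="bidirectional"
draganddrop="disabled"
nic1="nat"
nic2="none"
SharedFolderNameMachineMapping1="transfer"
SharedFolderPathMachineMapping1="/home/user/transfer"
EOF
}

# Number of WARN findings for the VM info on stdin.
count_warnings() { audit_vm_info | grep -c '^WARN'; }

sample_vm_info | audit_vm_info
```

To audit a real VM, pipe the `VBoxManage showvminfo` output for that VM into `audit_vm_info` on the host.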
norminul
Posts: 4
Joined: 18. Feb 2016, 22:01

Re: Virus from Guest to Host

Post by norminul »

Hi,

I hope this isn't bumping too old of a thread, but I am really confused.

Which one should I use? NAT or Bridged? Which one will allow my computer to access the internet, but will prevent it from seeing the other computers on my network?

And lastly, is there a program that I can use in my Windows XP VM to test to see if it can connect to the host?
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Virus from Guest to Host

Post by mpack »

norminul wrote:I hope this isn't bumping too old of a thread, but I am really confused.
It is too old a thread, and not very relevant to your question either, so I'm about to lock this.
norminul wrote:Which one should I use? NAT or Bridged? Which one will allow my computer to access the internet, but will prevent it from seeing the other computers on my network?
NAT. A more detailed description of available network modes can be found in the user manual, chapter 6.
norminul wrote:And lastly, is there a program that I can use in my Windows XP VM to test to see if it can connect to the host?
Internet Explorer can be used to connect to the internet, though the native IE6 is now woefully obsolete. Use IE6 to download a recent Firefox etc. There is no connection to the host, the host is just a gateway.