Keyloggers

Posted: 23. Jul 2013, 17:02
by Locked
My question is this: can a keylogger on the host capture keystrokes on the guest?

I've done a search, and the question seems to be unresolved. This is a little surprising, because it is an important issue. It is a lot more convenient to run Linux as a VM instead of having to re-boot.

A similar question could be posed for screen capture utilities.

Re: Keyloggers

Posted: 23. Jul 2013, 17:08
by mpack
A keylogger running on the host can potentially capture all keys pressed, regardless of which host applications are running. VirtualBox is just another host application, it has no special relevance to your question. The same logic applies to your other question. The only difference is that the keylogger would know nothing about which guest applications were running at the time - it would only "see" VirtualBox.

Re: Keyloggers

Posted: 23. Jul 2013, 17:46
by Locked
mpack wrote:A keylogger running on the host can potentially capture all keys pressed, regardless of which host applications are running. VirtualBox is just another host application, it has no special relevance to your question. The same logic applies to your other question. The only difference is that the keylogger would know nothing about which guest applications were running at the time - it would only "see" VirtualBox.
Please excuse me for failing to put the question clearly, or for failing to understand the answer. Let's say that I am running VirtualBox under, say, Windows 7, with an Ubuntu VM. You say that the keystrokes of the guest can be captured. That implies, does it not, that the VM would be less secure than Ubuntu run as a 'physical' machine? Your answer seems to suggest (and I am not attempting to dispute it, merely seeking clarification) that the keystrokes would be of no use to the (presumed) malware.

Re: Keyloggers

Posted: 23. Jul 2013, 18:05
by Locked
It seems that I asked a more general question on the same theme some months ago. Sorry if this is a duplication.

Re: Keyloggers

Posted: 24. Jul 2013, 01:50
by BillG
I must admit I can't see what you are asking either. What exactly do you mean by "keystrokes on the guest"?

As mpack said, all keystrokes for the guest must first be pressed on the host keyboard, so a keylogger on the host will certainly see all keystrokes which are later transferred to the guest as well as the ones that are not. However the keylogger on the host would have no way of telling which were which. Only a keylogger in the guest OS would see only the guest's keystrokes.

Re: Keyloggers

Posted: 24. Jul 2013, 09:15
by Locked
BillG wrote:I must admit I can't see what you are asking either. What exactly do you mean by "keystrokes on the guest"?

As mpack said, all keystrokes for the guest must first be pressed on the host keyboard, so a keylogger on the host will certainly see all keystrokes which are later transferred to the guest as well as the ones that are not. However the keylogger on the host would have no way of telling which were which. Only a keylogger in the guest OS would see only the guest's keystrokes.
So, the keylogger on the host 'sees' the keystrokes on the guest. Understandable, given that VBox is just another application (although the User Manual refers to the guest as 'capturing' the keyboard, so that it is no longer available to the host). The question then arises: is an application running on the guest as vulnerable to a keylogger (collecting keystrokes and thereby determining bank details and passwords, for example) as is an application running on the host?

Maybe the answer is obvious to other forum members, but it is not to me.

Re: Keyloggers

Posted: 24. Jul 2013, 10:42
by loukingjr
There are a number of keyloggers available for Windows 7. Some are free, a few have a free trial. If you are concerned whether something you type on a guest will show up in a host's keylogger you could just install one for the host and check.

Re: Keyloggers

Posted: 24. Jul 2013, 11:01
by mpack
Locked wrote:The question then arises: is an application running on the guest as vulnerable to a keylogger (collecting keystrokes and thereby determining bank details and passwords, for example) as is an application running on the host?
I would say not. Keypresses, as has been discussed, can always be collected on the host. However, our hypothetical keylogging virus would collect vast amounts of data that way and the processing stages (people or bots) would need some reason to believe that this key sequence was worth additional work: for example you had an Internet Explorer browser window recently opened and focused at the time, and the url was "mybank.com/login". When a VM is running the keylogger would have to be incredibly clever to work out what was going on inside the VM, especially when it might be running an entirely different OS.

Re: Keyloggers

Posted: 24. Jul 2013, 11:06
by mpack
Locked wrote:So, the keylogger on the host 'sees' the keystrokes on the guest. Understandable, given that VBox is just another application (although the User Manual refers to the guest as 'capturing' the keyboard, so that it is no longer available to the host).
I believe that is just loose language, an analogy intended to make something clear. In fact all Windows applications in a sense "capture" the keyboard when they are given the keyboard focus. As far as I know VirtualBox (at least on Windows hosts) does nothing unusual with the keyboard. It would be possible for a host app to determine that particular keys were pressed while a VirtualBox VM window had the focus. I don't think there's much real danger that it could dig any deeper than that.

Re: Keyloggers

Posted: 24. Jul 2013, 11:14
by loukingjr
For what it's worth, I just installed a keylogger for my Mac. I opened one of my Linux guests (Lubuntu). I launched Firefox, typed into the Google search page and got this...

edit: I don't know if a virus, trojan etc. is clever enough to do the same thing seeing this is an application designed to capture everything.

Re: Keyloggers

Posted: 24. Jul 2013, 12:21
by mpack
As I said above, it's easy to tell that these keys were pressed while a VBox VM was running. It's harder for software on the host to tell what the VM was doing at the time.

Re: Keyloggers

Posted: 24. Jul 2013, 12:28
by loukingjr
mpack wrote:As I said above, it's easy to tell that these keys were pressed while a VBox VM was running. It's harder for software on the host to tell what the VM was doing at the time.
True. It certainly wouldn't know you were on your banking site typing in your banking info. So using a guest might be the way to go if one is concerned about online security.

Re: Keyloggers

Posted: 24. Jul 2013, 12:51
by BillG
Locked wrote:
BillG wrote:I must admit I can't see what you are asking either. What exactly do you mean by "keystrokes on the guest"?

As mpack said, all keystrokes for the guest must first be pressed on the host keyboard, so a keylogger on the host will certainly see all keystrokes which are later transferred to the guest as well as the ones that are not. However the keylogger on the host would have no way of telling which were which. Only a keylogger in the guest OS would see only the guest's keystrokes.
So, the keylogger on the host 'sees' the keystrokes on the guest. Understandable, given that VBox is just another application (although the User Manual refers to the guest as 'capturing' the keyboard, so that it is no longer available to the host). The question then arises: is an application running on the guest as vulnerable to a keylogger (collecting keystrokes and thereby determining bank details and passwords, for example) as is an application running on the host?

Maybe the answer is obvious to other forum members, but it is not to me.
"Capturing" the keyboard only means that the keystroke is passed through to the VM, not to the host OS. Any decent keylogger on the host should still see it. And the capture only applies while the VM has focus.

I still am not sure what your concern is with keyloggers and virtual machines. What point are you trying to make? What system do you feel is less secure and why?

Re: Keyloggers

Posted: 24. Jul 2013, 14:08
by Locked
BillG:

I'm concerned mainly with online security in banking. My assumption is that Linux is more secure than Windows. I have used Puppy Linux and Ubuntu. However, there is the need to re-boot (admittedly not too much of a chore, although with UEFI it means interrupting the boot process, even though secure boot is disabled to run Windows 7). Ideally, I would like to use Linux within a VM. The idea was that this might give the added security of Linux, with greater convenience.

From what has been said above, my tentative conclusion is that running Linux in native mode (is that the right term?) is the safest option, followed by running Linux in a VM. The least safe option is Windows.

Re: Keyloggers

Posted: 24. Jul 2013, 14:15
by loukingjr
Locked wrote: From what has been said above, my tentative conclusion is that running Linux in native mode (is that the right term?) is the safest option, followed by running Linux in a VM. The least safe option is Windows.
Running Linux in a VM should be as safe as running it natively. More so, actually.
The safest option is to not use online banking at all. In this day and age any organization can be hacked, including banks.