Virtual machines and viruses

[MichaelD]

As the title says, I'm curious if a virus contacted by a VM can be spread to the real host box.

The virus would most likely be contracted via the Ethernet port, which it shares with the real/hardware host. While the VM may have a different IP, the MAC is the same...I'm just opining here...

I'm guessing the answer is yes. Most virii (viruses?) are looking to "call home" or "go somewhere" these days...it's probably not too difficult for it to figure out it's living on another box.

Any links/facts/education you provide is appreciated. Thanks.

 

[masteryoda34]

Most likely the virus would be contained on the virtual machine unless it spreads over the network.

 

[MichaelD]

Originally posted by: masteryoda34
Most likely the virus would be contained on the virtual machine unless it spreads over the network.

That's what I'd like to think, but here's me thinking as a virus:

"OK, here I am. Infect the root. Check. Disable AV software. Check. Now call home/outside world. MAC=XYZ..." and somehow it figures out it's not a real box.

Call me paranoid, but in our biz, that's a good thing.

 

[oog]

it would also depend on if you have some kind of shared folder support between the VM and host. for the most part, i think it's mostly a matter of network vulnerability though.

 

[ViRGE]

There have been some exploits found in VM software before which allowed software to break out. I can recall a couple of security advisories with VMWare in particular where they released patches to fix such things. I'm not immediately aware of anyone actually writing malware to take advantage of it though.

 

[MichaelD]

Thanks, oog and ViRGE; that's good info.

We've got a test/lab environment at work; currently it's all separate physical boxes but we're thinking about virtualizing most of it to save space/electricity. We do a fair amount of "let's throw this on there and see what happens". If one VM did manage to contract something, we wouldn't want it spreading everywhere else.

Thanks for your input.

 

[Cogman]

Possible, yes, likely, no. It requires the virus writer to have some intimate knowledge of the VM software in general. It would be very specific to the setup. (VM running linux would have to have a fairly different virus exploit compared to VM running windows).

Not to mention the fact that VMs go across platforms so it would also have to be able to predict which platform the VM is running on. So, yeah, be safe with your setup, but don't loose any sleep over the possibility of it happen. (it is fairly unlikely, regular viruses alone are really a rare event.).

 

[bsobel]

Originally posted by: MichaelD
As the title says, I'm curious if a virus contacted by a VM can be spread to the real host box.

The virus would most likely be contracted via the Ethernet port, which it shares with the real/hardware host. While the VM may have a different IP, the MAC is the same...I'm just opining here...

I'm guessing the answer is yes. Most virii (viruses?) are looking to "call home" or "go somewhere" these days...it's probably not too difficult for it to figure out it's living on another box.

Any links/facts/education you provide is appreciated. Thanks.

You don't 'contract' a virus, its simply running code. There have been guest to host exploits which would allow attacker in a vm to attack the host. That said, they have been rare (so far) and fixed fairly quickly. In theory, a guest can not infect a properly setup host without such exploits.

 

[RebateMonger]

I haven't heard of any real-life exploits, although there've been some proof-of-concept stuff over the past couple of years. Seems like a lot of work when there's so many easy-pickin's with folks running XP as Local Administrators.

 

[degibson]

As others have already said, the primary risk comes from having an infected machine on the same network (whether that machine is virtual or not doesn't matter), and possibly though sharing of files. It is definitely possible for malicious code in the VM to affect the host -- but a virus writer would have to do something rather special for that case and it would be a small payout for much effort.

 

[MadRat]

Unless it's an inside job like 80% of the hackers.

 

[Nothinman]

Unless it's an inside job like 80% of the hackers.

And those usually have nothing to do with viruses. They're almost always stolen passwords, leaked documents, etc.