VirtualBox: Can the Host be infected through an infected Guest?

Hello Friends

Consider the following scenario

A PC/Laptop has installed VirtualBox. Therefore

Host -> Guest

Consider the following points:

• Is mandatory open a PDF file with sensitive data but exists the high risk it is infected by anything
• The Host is Linux
• The Guest is Windows with Adobe Reader installed
• The Guest has disabled the Internet access
• The Shared Clipboard feature is disabled

Finally:

• The PDF is opened (remember is highly probable it is infected)

Question

• Can be the Host be infected through the Guest if is infected?

To your answer if is a no:

Does it change if?:

• The Shared Clipboard feature is enabled
• The Shared Folders feature is enabled
• The Host is Windows

Thank You

I have read of virus that can detect they are in a virtual machine. Still not easy to escape.

Good point about shared clipboard.

If the document is stored on a drive windows can see then its posible to infect the windows portion

Simple answer would be if you suspect a file or source delete it or dont introduce it to your system. Better safe than sorry.

Go back to the original supplier, inform them of your suspicion and get them to retest and re submit

There is malware which is able to infect both Windows and Linux. It’s rare, though as most are developed to assume Windows. That being said, I wouldn’t take my chances and contact the supplier of the PDF to inform them you suspect it’s infected with malware.

You could also use clamav to check the PDF for infections.

I would never use Adobe Reader to open a PDF (because it’s bloatware and does some stuff I wouldn’t allow such software to do). Using something like SumatraPDF is preferable. It’s small, fast, and is focused on the features you actually need. Besides: it’s open source, so you can go and audit it, if you want.

Finally: on what basis do you think it’s infected with malware?

I don’t think it’s possible. As cameraman I visited a dozen times the Hacktivity in Budapest (I worked there, but meanwhile also attended silently ). This is a cyber security conference. I remember a (white hat) hacker in a presentation mentioned he uses virtual machines to do some testing with malwares, as it is a controlled and closed environment.

That changes the situation, as the malware running in the VM can reach data on the host (I think this is what @callpaul.eu also mentioned).
So it can write there, possibly infect other pdf files, but it cannot get outside of that shared folder.
I mean, you give the VM /home/jordan/sharedfolder with write permissions, the malware in VM could possibly infect any file that resides in that folder or its subfolders. But I don’t see a way the VM could infect anything in /home/jordan/documents for example.

Huge thanks to all for the replies

pdecker

I have read of virus that can detect they are in a virtual machine

ouch!

Good point about shared clipboard.

That is my main concern to do the backup

Paul

If the document is stored on a drive windows can see then its posible to infect the windows portion

• It is stored in a pendrive to be mounted in Linux as Host
• It must be shared to the Guest through Shared Folders
• The file is opened
• The content should be copy and paste (here enters the Shared Clipboard) to the host

Is not possible due security reasons to create a new file in the guest itself to be accessed later through the Shared Folder from the Host.

Simple answer would be if you suspect a file or source delete it or dont introduce it to your system. Better safe than sorry.

Agree but the file must be opened.

Go back to the original supplier, inform them of your suspicion and get them to retest and re submit

The scenario for a better understanding is as follows:

1. A student is the owner of a PDF file
2. The student must do his course by 2 hrs in the laboratory
3. The laboratory and any machine is accessed by more of 100 students from many grades
4. So the PC even if is “frozen” sometimes is formatted by virus. Of course the antivirus failed.
5. The PDF file arrives to the PC Desktop of the laboratory through either a pendrive or downloaded by email
6. The PDF file is opened to read and to be edited … finally saved …

Xander

There is malware which is able to infect both Windows and Linux. It’s rare, though as most are developed to assume Windows

Agree

That being said, I wouldn’t take my chances and contact the supplier of the PDF to inform them you suspect it’s infected with malware.

As the previous list

You could also use clamav to check the PDF for infections.

It is going to be done too

I would never use Adobe Reader to open a PDF (because it’s bloatware and does some stuff I wouldn’t allow such software to do).

Ok, but is need it:

• Read comments
• See the Paragraphs highlight in colors

It is the current content and structure of the PDF files

Using something like SumatraPDF is preferable. It’s small, fast, and is focused on the features you actually need. Besides: it’s open source, so you can go and audit it, if you want.

Thanks for the suggestion. Please let me know if is possible:

• Create/Edit/Read/Delete comments
• Put Paragraphs with highlight in colors (and remove too)

Finally: on what basis do you think it’s infected with malware?

Based on the list mentioned above

Laszlo

I don’t think it’s possible. As cameraman I visited a dozen times the Hacktivity in Budapest (I worked there, but meanwhile also attended silently ). This is a cyber security conference. I remember a (white hat) hacker in a presentation mentioned he uses virtual machines to do some testing with malwares, as it is a controlled and closed environment.

Interesting and valuable feedback but:

• Should we assume their VMs run in a Host that can be formatted and reinstalled anytime?

That changes the situation, as the malware running in the VM can reach data on the host (I think this is what @callpaul.eu also mentioned).

If he is correct then I must connect and mount the pendrive in the Guest. It to avoid the Shared Folders approach. But is mandatory first to put it in the host. Anyway the PDF file is not going to be opened in the host

So it can write there, possibly infect other pdf files, but it cannot get outside of that shared folder. I mean, you give the VM /home/jordan/sharedfolder with write permissions, the malware in VM could possibly infect any file that resides in that folder or its subfolders. But I don’t see a way the VM could infect anything in /home/jordan/documents for example.

But the problem would be if is later from the host is accessed the /home/jordan/sharedfolder directory. I mean the Guest had created/infected any file from there and later is accessed by the Host

Complex situation.

If it was me, I would set up a seperate linux machine with a clean install of in my case mint but that does not matter.

Open the usb where the document is stored
Clamav the drive and document
If clear open the document
Select it all
Copy and paste it to a new document
Or
Print it to a new pdf file
Or print it to paper
Copy that to a new clean drive

Reinstall linux on computer from new
Clamav the new usb

Feel you have done all you could for protection

Paper form is perhaps the safe option, as long as you wash your hands, wear a face mask, not many virus issues transfer from paper … joking that part !

SumatraPDF supports annotations, including text. I don’t know if that’s what you’re looking for.

I’m not sure what you really mean.
Reformat (reinstall) the host, or reformat(reinstall) the guest?
But I think both can be done.
In my praxis I have an old Win10 installation in a VM, which I created “just in case” when I moved to Linux full-time. I installed that Win10 into a VM in Virtualbox, installed all my paid apps and activated them, then I have “cut the wire”, removed the virtual network card. So the VM cannot update, is unreachable from any network.
Very few times I experimented with something, but I created a clone of that VM, leaving the original unchanged. But I also could have created a snapshot, and restore it after the experiment, I think this is equal to reformat and reinstall.
I changed my host system from Debian 10 to Bullseye, then later changed to Bookworm, which is my current daily driver. The VM is still in its original state, I could boot it up anytime.
So the host can be reformatted/reinstalled.
Does this answer your question?

I think, if I’d suspect such a behavior in the guest, I’d create a backup of the content of the shared folder. Then fire up the VM, let it do the possible naughty things.
Then shut down the VM, and compare the contents in the sahred folder of its originals.
If they are the same, the VM did not change them.
If there’s a difference, inspect the differing files, check for malware, and such.

I loved its lightning fast performance, and always used it for reading pdfs when I was on Windows.

I would be trying to avoid bringing the pdf file into your computer.
I got the following from google ai

" Yes, it’s possible to process a PDF file at an internet location without downloading it to your computer, using various online tools and browser features. These tools allow you to view, edit, or convert PDFs directly within your browser, without needing to save the file locally.

Online PDF Processing Tools:

• Online PDF viewers:

Many websites offer online PDF viewers that allow you to open and view PDFs directly from the web, without downloading them.

• Online PDF editors:

Several online platforms offer PDF editing features, such as text editing, page manipulation, and adding annotations.

• Online PDF converters:

You can convert PDFs to other formats like Word, Excel, or images using online conversion tools.

• Cloud-based storage and sharing:

Services like Google Drive and Microsoft OneDrive allow you to view and potentially edit PDFs stored in the cloud, accessible through a web browser."

Thanks to all for the replies

Paul

If it was me, I would set up a seperate linux machine with a clean install of in my case mint but that does not matter.

Yes, Linux in real a host. it is my last scenario

Open the usb where the document is stored
Clamav the drive and document
If clear open the document
Select it all
Copy and paste it to a new document
Or

Yes agree … a lot to copy

Reinstall linux on computer from new
Clamav the new usb

Has sense… How common is in Linux that a virus infects a pendrive too?

Xander

SumatraPDF supports annotations, including text. I don’t know if that’s what you’re looking for.

It seems it should be a good candidate about PDF in Linux … I am going to create other post about this in this network for more suggestions … it just as alternatives. Huge thanks for the confirmation about that features.

Laszlo

I’m not sure what you really mean.
Reformat (reinstall) the host, or reformat(reinstall) the guest?
But I think both can be done.

I mean about the former, if the virus “escapes” from the guest to the host. Therefore the host must be formatted … of course the Guest disappears too

In my praxis I have an old Win10 installation in a VM, which I created “just in case” when I moved to Linux full-time.

Is wise always have some Windows instance in someway too

I installed that Win10 into a VM in Virtualbox, installed all my paid apps and activated them, then I have “cut the wire”, removed the virtual network card. So the VM cannot update, is unreachable from any network.

How did you cut the network access? If it is about VB itself. Pls let me know the details.

Very few times I experimented with something, but I created a clone of that VM, leaving the original unchanged. But I also could have created a snapshot, and restore it after the experiment, I think this is equal to reformat and reinstall.

Both approaches are viable and very useful, the “problem” with snapshot is the use of disk space in the host. Cost and benefit

I changed my host system from Debian 10 to Bullseye, then later changed to Bookworm, which is my current daily driver. The VM is still in its original state, I could boot it up anytime.
So the host can be reformatted/reinstalled.

Is very important have the .vdi file available

Does this answer your question?

In some way yes

I think, if I’d suspect such a behavior in the guest, I’d create a backup of the content of the shared folder. Then fire up the VM, let it do the possible naughty things.
Then shut down the VM, and compare the contents in the sahred folder of its originals.
If they are the same, the VM did not change them.
If there’s a difference, inspect the differing files, check for malware, and such.

Understood

Neville

The problem of the online options, is that the pdf file must go to the web