15

Sometimes I have to fix an infected WordPress website. I always check the infected website from a virtual machine (Oracle VM VirtualBox). I'm also running Norton 360 Deluxe on the host machine.

In the 2 most recent projects, for both, I received a notice from Norton that 'an intrusion attempt was detected and blocked', on the HOST machine. So apparently the malware can 'breakout' a VM? (Despite having read this article, that it should be totally isolated.)

Otherwise, how could Norton detect this, as the page was opened in the VM?

Also Norton says: No action required, is that really true? Could the host be infected with stuff Norton did not detect?

[image: screenshot of the Norton "intrusion attempt was detected and blocked" alert]

It does not feel safe anymore to use a VM to visit infected websites. Should I be worried? Did I do anything wrong? What are the alternatives?

Peps
  • 153
  • 1
  • 4
  • Could you be using the VirtualBox NAT network? In this mode, the VirtualBox program handles the traffic from the client, and the traffic passes through the host's network space, through filters such as your antivirus. It is the safest option to use – Ferrybig Feb 09 '21 at 10:08
  • there have occasionally been bugs in both VMWare and VirtualBox that have allowed VMs to break into the host, but that's exceedingly rare, especially if you have an up-to-date version; I remember reading about one CTF contest where one of the flags required breaking out of a VirtualBox VM using a real VirtualBox exploit :D – user1067003 Feb 09 '21 at 16:33

1 Answer

37

You are assuming that the intrusion is coming from the VM to the hypervisor. A VM "breakout" is when the VM accesses the host directly.

An infected VM that has access to the network can attack the host's network. That's not a "breakout".

But the alert in your image is indicating that it saw traffic to a domain on a watchlist. That's not an intrusion or an attack on the host. Norton is inspecting traffic from the machine, which includes traffic from all VMs, and flagged the suspicious traffic. This is not a surprise, since you stated that the site was infected.

There is nothing in the info you provided to support your claim that there was an intrusion from the VM to the host...

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • 1
    Thanks for your answer @schroeder. So if I understand you correctly, it remains safe to use a VM to visit infected websites? And the Norton alert is to be expected as it monitors all traffic passing the host, including that of the VM? So having this suspicious traffic passing the host machine cannot damage it? – Peps Feb 08 '21 at 12:34
  • The traffic passing through it is not a problem. – schroeder Feb 08 '21 at 19:46
  • 3
    @Peps As the question you linked to already mentions, a VM isn't perfect. I had a friend in the past who was an aspiring ethical hacker and he had configured the VM network in such a way that from the perspective of the host it was just another PC on the network. Next he intentionally installed a bunch of Bad Stuff™ and was completely shocked that one of those was a computer worm which ended up infecting the host. At the same time traffic passing through like the thing Norton noticed will not harm the host system in any way. Practically a VM is just another sandbox in addition to (cont.) – David Mulder Feb 08 '21 at 19:49
  • 2
    your browser. Either *should* be enough, although it all depends on what you do (=run) and your threat models (=how big a chance of infection is too big). – David Mulder Feb 08 '21 at 19:49
  • 2
    @DavidMulder, thanks for your comment too. Are you saying the Chrome browser for example is already a sandbox? (I did not know!) How far does its protection reach? Would you visit infected websites without a VM, just with your browser? – Peps Feb 08 '21 at 20:11
  • 7
    @Peps "infected website" is a pretty vague term in the first place which can range from "it shows ads/runs a js-bitcoin miner whose income goes to the account of the attacker" to "it installs software on your pc using an exploit in your out of date browser/software" (pretty rare nowadays) to "it installs software on your pc using a zero day exploit" (very rare). The latter is only relevant if you are a high value target and the second is about your own diligence (=never turn off auto update!). Most [citation needed] computer infections nowadays happen through user error/soc. eng. anyway afaik. – David Mulder Feb 08 '21 at 21:40
  • 4
    @Peps As for directly answering your question, Chrome more or less consists of an architecture that results in two layers of 'sandboxing'. In other words, typically you need two exploits to be able to escape the sandbox (=have a website get access to your pc without permission). At the same time exploits that allow escaping VMs are even rarer, as the 'audience' is far smaller, so running a (shady) website inside a browser inside a VM is still very very safe (unless you're the POTUS or something). – David Mulder Feb 08 '21 at 21:50
  • @DavidMulder There are valid reasons to disable automatic updates (for example automated systems where browser updates require driver updates that don't happen automatically and may not even be available immediately). That said, if you have disabled automatic updates, you should not then be using that browser to connect to the open Internet. – Andrew Ray Feb 09 '21 at 16:06
  • @DavidMulder thanks for your replies! Much appreciated. I have confidence in my VM again :) – Peps Feb 09 '21 at 20:38
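Ferrybig's comment on NAT mode under the question and David Mulder's story of a VM configured as "just another PC on the network" both come down to how each virtual NIC is attached. The script below is an added example, not code from this thread or from VirtualBox: it parses the line-oriented output of `VBoxManage showvminfo <vm> --machinereadable` and ranks every adapter by how directly the guest can reach the host and the LAN, which is the check a defender would run before pointing a lab VM at an infected site. The `nic<N>="<mode>"` line format and the mode names are assumptions about VirtualBox's output, and the two sample blocks are constructed, not captured from a real VM.

```python
"""Rank the network exposure of a VirtualBox VM from its NIC attachment modes.

Added example, not code from the thread or from VirtualBox. Input is assumed to
be `VBoxManage showvminfo <vm> --machinereadable` output with NIC lines of the
form nic<N>="<mode>"; the sample text at the bottom is constructed.
"""
import re
from typing import Dict, List, Tuple

# Exposure levels, least to most exposed. NAT traffic is proxied by the host's
# VirtualBox process (so a host AV such as Norton inspects it, and nothing on the
# LAN can connect into the guest), whereas a bridged guest is a peer on the LAN
# that can reach the host directly.
EXPOSURE_ORDER = ["isolated", "host-proxied", "host-reachable", "lan-peer"]

# Attachment mode names as assumed to be printed by VirtualBox -> (level, reason)
MODE_EXPOSURE: Dict[str, Tuple[str, str]] = {
    "none":       ("isolated",       "no adapter attached"),
    "null":       ("isolated",       "adapter present but not connected"),
    "intnet":     ("isolated",       "internal network: other VMs only, host unreachable"),
    "nat":        ("host-proxied",   "outbound only, proxied through the host; no inbound without port forwarding"),
    "natnetwork": ("host-proxied",   "NAT network service: outbound via host, no inbound by default"),
    "hostonly":   ("host-reachable", "host-only adapter: the host is a directly reachable peer"),
    "bridged":    ("lan-peer",       "bridged: the VM is another machine on the LAN, host included"),
}

NIC_RE = re.compile(r'^nic(\d+)="([^"]*)"$')


def parse_nics(showvminfo: str) -> Dict[int, str]:
    """Return {slot: mode} for every nic<N>="..." line in the output."""
    nics: Dict[int, str] = {}
    for raw in showvminfo.splitlines():
        m = NIC_RE.match(raw.strip())
        if m:
            nics[int(m.group(1))] = m.group(2).lower()
    return nics


def classify(showvminfo: str) -> List[dict]:
    """One record per NIC slot with its exposure level and a short reason."""
    records = []
    for slot, mode in sorted(parse_nics(showvminfo).items()):
        # An unrecognised mode is ranked most exposed so it is never silently trusted.
        level, reason = MODE_EXPOSURE.get(mode, ("lan-peer", f"unrecognised mode {mode!r}"))
        records.append({"slot": slot, "mode": mode, "exposure": level, "reason": reason})
    return records


def worst_exposure(showvminfo: str) -> str:
    """Highest exposure level across all NICs ('isolated' when there are none)."""
    levels = [r["exposure"] for r in classify(showvminfo)]
    return max(levels, key=EXPOSURE_ORDER.index, default="isolated")


def advise(showvminfo: str) -> str:
    """Plain-language verdict for a VM that will be used to open infected sites."""
    worst = worst_exposure(showvminfo)
    if worst == "lan-peer":
        return ("bridged adapter present: the VM can reach the host and LAN like any "
                "other machine; switch it to NAT, or intnet for fully offline analysis")
    if worst == "host-reachable":
        return "host-only adapter present: the host is directly reachable from the VM"
    if worst == "host-proxied":
        return ("NAT only: outbound traffic goes through the host's network stack, so host "
                "AV alerts on VM traffic are expected; nothing on the LAN can connect into the VM")
    return "no network: nothing can leave the VM over the network"


# Constructed samples in the assumed machine-readable format (not real VMs).
SAMPLE_TWO_NICS = """\
name="infected-site-lab"
ostype="Ubuntu_64"
nic1="nat"
natnet1="nat"
macaddress1="080027000001"
nic2="bridged"
bridgeadapter2="eth0"
macaddress2="080027000002"
nic3="none"
"""

SAMPLE_NAT_ONLY = """\
name="infected-site-lab"
nic1="nat"
nic2="none"
"""

if __name__ == "__main__":
    for name, info in (("two NICs", SAMPLE_TWO_NICS), ("NAT only", SAMPLE_NAT_ONLY)):
        print(f"== {name}: worst exposure = {worst_exposure(info)}")
        for r in classify(info):
            print(f"  nic{r['slot']}: {r['mode']:<10} {r['exposure']:<15} {r['reason']}")
        print("  advice:", advise(info))
```

On a real machine the input would come from `VBoxManage showvminfo "<vm name>" --machinereadable`; piping that into `parse_nics` instead of the constructed samples is the only change needed. The NAT-only sample is the configuration consistent with the alert in the question: the guest's traffic reaches the watchlisted domain through the host's network stack, which is exactly where a host AV sees it, while no machine on the LAN can open a connection into the guest.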