Let's say that VMware or VirtualBox is running the newest version of Debian. I'm not sure if it's possible for any program in the guest to continue running, stealing data from the host, even after the guest system has shut down.
- If the VM is down, it is down - like a computer switched off. In order for the malware to be run after the VM shutdown, it had to propagate out of the VM into other places first. This is not impossible, but there are other questions already dealing with the topic of how much separation VMs really provide. – Steffen Ullrich Sep 09 '22 at 04:48
- On the other hand, it is possible that malware in a VM resumes running when the VM is restarted. – Michael Karcher Sep 09 '22 at 12:16
3 Answers
It is possible if your malware managed to escape the VM to run under the host operating system. It's colloquially called VM escape or Guest-to-Host Escape. Most if not all hypervisors had some bugs giving an attacker a way to do that in their history.
A few examples (a non-exhaustive list; a longer list is available in the Wikipedia article linked earlier):
- VMware CVE-2018-6981
- Hyper-V CVE-2017-0075
- Xen CVE-2008-1943
Staying on top of your hypervisor patching is thus critical if you allow arbitrary code to be run on your VMs (e.g. you are an IaaS provider), a tiny bit less so if an attacker needs to compromise a VM first.
"Running" means being executed by the CPU (normally from RAM).
When you shut down a guest OS, it stops being executed, it gets unloaded from RAM, its RAM regions are freed and the guest OS becomes bits and bytes on your mass storage, thus it's no longer executed by the CPU, so the answer is "it's impossible".
Only if the malware managed to propagate itself from the VM to the host, which is very unlikely.