Virtual Machine Host Servers Should be Hardened and Protected to Defend Against Increasinlgy Complex Malware Threats
While some pieces of malware are designed to stop running when they detect the presence of virtual machines in an effort to avoid being detected, researchers from Symantec have determined that a large number of threats continue to run even in virtual environments.
Malware can use several techniques to detect if it’s running in a virtual environment. For instance, it can check MAC addresses, registry keys, the presence of tools like VMware, processes and service names, communication ports and behavior, and the location of system structures.
Automated VM analysis systems can be tricked into thinking that a malicious element is harmless because they need to make quick decisions. Malware writers can simply program their creations to activate the payload only after a certain number of clicks, or after a specified number of system reboots. In some cases, the malware samples start sending false data when detecting a VM, either to confuse researchers or to trick automated systems.
However, according to Symantec, many malware developers have come to realize that their creations become suspicious when they attempt to detect if they’re running in virtual machines. Moreover, they’ve also realized that by designing threats not to run on a VM, they’re limiting the number of devices they can compromise in a targeted network.
Symantec has analyzed 200,000 malware samples submitted by customers between January 2012 and February 2014. Researchers have noticed that during this period only one in five samples stopped running when detecting the presence of virtual machines, while the rest continued to function.
Virtual systems can be involved in two types of attacks: the malware targets the virtual machine from the host server, or it makes its way to the host server after infecting the virtual machine. One perfect example for the first scenario is the multi-platform malware dubbed Crisis, which infiltrates virtual machines stored on the local server. It does this not by exploiting vulnerabilities, but by taking advantage of the fact that the virtual system is actually a series of files stored on the disk.
The second scenario, in which the malware breaks out from the virtual machine and infects the host, is less common, but there are some known cases and such incidents can be highly dangerous, researchers warned.
“This guest-to-host infection or virtual machine breakout could lead to widespread malware infections across many computers,” Symantec said in a new research paper. “This would be bad for an environment where one hosting server runs many guest virtual machines, but could also impact security professionals who are using virtual machines to securely analyze malware. It is possible for malware to escape from a virtual machine system to the host server, depending on the presence of local vulnerabilities.”
This is the reason why the security company advises organizations to move past the misconception that virtual systems are immune to malware infections and ensure that they are properly protected. The list of recommendations includes hardening the host server, putting advanced malware protection mechanisms in place, including virtual machines in the patch and upgrade cycle, integration into SIEM visualization and logging systems, integration into disaster recovery and business continuity plans, and applying proper access control management.
Symantec is not the only company to warn organizations about such threats recently. Last week, at the Black Hat security conference in Las Vegas, Bromium researcher Rafal Wojtczuk pointed out that while hypervisors should normally reduce the attack surface, they can contain security vulnerabilities that put enterprises at risk.
The complete whitepaper, titled “Threats to Virtual Environments,” is available online.
