Server-oriented malware is actually more likely to infect a virtual system than a physical one in many organizations. Now what? This expert e-guide provides the real story of how malware is adapting to virtual environments, so you can ensure protection going forward.
Enterprises are increasingly adopting virtualization technology, according to researchers, who estimate that 70% or more of organizations in 2015 will have implemented virtual servers and other services. Virtual servers and desktops must be protected from malware like other systems, but attackers are coming up with new ways to avoid detection and analysis.

Security researchers have long used virtual machines (VMs) to isolate and analyze malware. This has led to the misconception that malware disappears once it detects a VM. The use of sandbox and virtualization technology is also becoming more prevalent in security tools. What’s the real story of how malware is adapting to virtual environments?

While it didn’t get much mainstream attention, the W32.Crisis malware Symantec described in 2012 paints a terrifying picture of things to come, as malware authors start using new tactics to infect virtual machines in our environments. The Crisis malware, in addition to a number of other malicious actions, can actively seek out VMware virtual machine files stored on systems it has compromised. Once VMware virtual machine disk files have been discovered, Crisis mounts the disk and then uses a native VMware facility to insert itself into the disk file, thus creating a newly infected VM.

This is likely the first time we’ve seen malware authors leverage a virtualization technology’s native file formats to infect systems, but the approach makes a lot of sense: Virtual machines are, after all, just files; and when malware authors realize that file infection can apply to an entire system, it’s only a matter of time before this technique becomes widespread.

DETECTION ROUTINES

Well-known malware in the last five to 10 years has included virtualization detection capabilities. The Conficker worm, prevalent in 2007 and 2008, has virtualization detection capabilities, as does the Storm worm that surfaced in 2008 and 2009.
Many other worm and bot variants since then sport various types of VM detection routines. What is the motivation for malware to detect virtualization in the first place?

Virtualization was less common a decade ago than today. Back then, malware that detected virtualization was focused entirely on detecting sandbox environments (specialized or simply virtualized desktops) used by reverse engineers. Malware would often shut down or self-destruct to avoid being pulled apart by security analysts. Today, however, the opposite is true: Server-oriented malware is actually more likely to infect a virtual system than a physical one in many organizations, and self-destruction would be self-defeating. If the malware detects a VM, it may wait for a short time or a certain number of clicks before beginning malicious activities. These behaviors can be harder to catch and patch in automated VM environments.

There’s debate in the reverse engineering and incident response communities as to the motivations of attackers looking to detect virtualization technologies in use, as well as how prevalent the practice of including “anti-VM,” or VM detection, routines in malware really is today. Most security researchers will acknowledge that malware “checks out” the environment it runs in, and may determine that a desktop OS that’s virtualized could be a sandbox. And malware packing tools, such as the Tejon Crypter, feature anti-VM options for VMware, VirtualBox and more.
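Returning to the Crisis technique described earlier, the point that "virtual machines are just files" cuts both ways: a disk image that can be written into from the host can also be hashed from the host. The example below is added here and is not code from the article, Symantec or VMware. It builds a SHA-256 baseline of disk-image files under a datastore directory and later reports images that were modified in place, removed, or newly added, so that an out-of-band write into a VMDK shows up even when anti-malware inside the guest sees nothing. The watched extensions, the directory layout and the file contents are constructed for the demonstration; the "VMDK" files written here are placeholders, not real images.

```python
"""
Added example (not from the article): an integrity baseline for VM disk
image files. Crisis mounts a VMDK and writes into it; hashing the image
files from outside the guest lets a defender notice such a change.
Extensions, paths and file contents below are assumptions / constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumed set of disk-image extensions to watch; .vmdk is VMware's format.
IMAGE_EXTENSIONS = {".vmdk", ".vhd", ".vhdx", ".qcow2"}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so multi-GB images need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every disk image under root (path relative to root) to its hash and size."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in IMAGE_EXTENSIONS:
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return baseline


def check_baseline(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a stored baseline.

    Returns {'modified': [...], 'missing': [...], 'new': [...]}, each sorted.
    A size-preserving in-place write still changes the hash, so it is caught.
    """
    current = build_baseline(root)
    modified = [p for p in baseline
                if p in current and current[p]["sha256"] != baseline[p]["sha256"]]
    missing = [p for p in baseline if p not in current]
    new = [p for p in current if p not in baseline]
    return {"modified": sorted(modified), "missing": sorted(missing), "new": sorted(new)}


def demo() -> dict:
    """Constructed scenario: baseline two images, tamper with one, add a third."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "web01").mkdir()
        # "KDMV" is only a constructed marker; these are not real VMDK files.
        (root / "web01" / "web01.vmdk").write_bytes(b"KDMV" + b"\x00" * 4096)
        (root / "db01.vmdk").write_bytes(b"KDMV" + b"\x01" * 4096)
        (root / "notes.txt").write_text("not an image")  # ignored by the extension filter

        baseline = build_baseline(root)

        # Simulate an in-place write into the guest disk, as Crisis does;
        # the file size does not change, only its content.
        with (root / "web01" / "web01.vmdk").open("r+b") as fh:
            fh.seek(1024)
            fh.write(b"INJECTED")
        # An image that appeared after the baseline was taken.
        (root / "new-vm.vmdk").write_bytes(b"KDMV")

        return check_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored on a host the guests cannot reach and the check run on a schedule; a running VM legitimately changes its disk, so this is most useful for powered-off templates, golden images and backups, where any modification is suspect.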