Malware No Longer Avoids Virtual Machines

Virtual environments are a tool that security researchers and security software use to automatically analyze and detect malware. But according to Symantec research, virtual machines (VMs) are becoming more common in enterprise operational environments—so malware authors are learning to write their code to attack that infrastructure more effectively while avoiding detection.

The firm noted that virtualization in enterprises has been a growing trend for years, providing scaling, efficiency and flexibility. According to Forrester Research, more than 70% of organizations are planning to use server virtualization by the end of 2015. But virtual servers are open to the same risks as physical servers are, along with a few new issues.

However, “introducing virtualization technology to a business creates new attack vectors that need to be addressed, such as monitoring the virtual networks between virtual machines,” the firm noted in a report on virtualization and security. “We have seen malware specifically designed to compromise virtual machines and have observed attackers directly targeting hosting servers.”

Around 18% of malware detects virtual machines and stops executing if it arrives on one; however, four out of five malware samples will run on virtual machines, meaning that these systems need regular protection from malware as well.

New methods being adopted by malware include camouflage techniques, like waiting for multiple left mouse clicks to occur before they decrypt themselves and start their payload.

“This can make it difficult or impossible for an automated system to come to an accurate conclusion about the malware in a short timeframe,” Symantec explained. “The groups behind targeted attacks are well aware of this and create sophisticated threats that will evade automated detection systems.”

Among the extra security challenges that come into play are things like the need to maintain up-to-date snapshots.

“Companies can create snapshots of their virtual machines at a certain point in time, which can be accessed again at a later date,” Symantec noted. “Often, the installed software in these snapshots is not kept up-to-date. This means that when an older image is provisioned, such as during a disaster recovery, the image is outdated. This could allow attackers to exploit old vulnerabilities until the next patch cycle detects and upgrades this virtual machine.”

As another example, the firm explained that multiple virtual machines may be connected over a virtual switch in order to provide a virtual network. “This can mean that any traditional network security service, such as an intrusion detection system (IDS) or data loss prevention (DLP) agent, will not detect if one virtual machine attacks another on the same physical server, as the traffic never passes through the physical network,” it said.

Essentially, virtual environments need security solutions that go beyond traditional protections in order to cover the different requirements of its dynamic and application-centric approach. Some of the best practice guidelines that should be considered when securing virtual environments are: adjusting policies and whitelisting to only allow trusted system applications to run; implementing advanced malware protection with proactive components that go beyond classical static antivirus scanners; proper access control management to virtual machine hosting servers in order to ensure that only eligible users can perform changes; strong login processes, like two-factor authentication; and integration into the disaster recovery and business continuity plan.

Administrators should also ensure that network security tools like IPS/IDS have access to traffic in the virtual network between multiple virtual machines on the same host server, and that snapshots and images of virtual machines need to be included in the patch and upgrade cycle, as well as the security logging and SIEM visualization systems.

“Most companies have already implemented virtualization or have it on their roadmap for the future,” Symantec concluded. “In the past, we have observed attackers targeting virtual machine host servers as well as malware specifically designed to compromise virtual machines. Attackers are able to infect guest virtual machines starting from the host server. There are also vulnerabilities that can allow malware to escape from the virtual machine and compromise the host server.”

It added, “The use of virtualized systems in a corporate environment can provide a lot of benefits, but these systems need some special attention paid to security.”

What’s Hot on Infosecurity Magazine?