Malware threatens virtual machines, according to report
Malware waits for virtual machines to restart, or for a certain number of mouse clicks, to evade automated analysis systems.
Malware for virtual machines is a threat – one that uses advanced techniques to evade automated analysis and has the potential to infect the physical host, Liam O'Murchu, a researcher with Symantec Security Response, told SCMagazine.com on Wednesday.
The conclusion is based on the “Threats to virtual environments” report released by Symantec on Tuesday, which is timely because Forrester Research is sourced as stating that more than 70 percent of organizations are planning to use server virtualization by the end of 2015.
Virtual machines simulate computer systems and are popular with researchers because malware can be executed and analyzed without needing to reinstall production systems, O'Murchu said. Nowadays, enterprises are increasingly using virtual machines in production environments with real customer data, he added.
“While enterprises may not think virtual machines are a security risk, from our analysis,  percent of the malware we tracked was able to run on virtual machines,” O'Murchu said. “In some rare cases, we also saw malware breakout of guest systems and infect the physical host.”
For a recent example, O'Murchu pointed to CVE-2014-0983; a “guest-to-host” breakout exploit for Vupen's VirtualBox. He explained that by escaping the added layer or protection provided by virtual environments, malware gains longevity and can gain access to the network.
Another security threat – Crisis, for example – involves the opposite, a “host-to-guest” threat where malware, possibly spread through social engineering, lands on a host server and makes its way into a virtual environment or creates and launches its own “malicious virtual machine,” according to the report.
“Malware used in targeted attacks increasingly evades automated analysis on virtual machines,” O'Murchu said.
The malware does this in a number of ways, such as by waiting for the virtual machine to restart or by awaiting a certain number of mouse clicks before executing, according to the report, which adds that the analysis system will likely consider the file harmless if it does not act maliciously within five to ten minutes.
It is noteworthy that 18 percent of threats – researchers chose 200,000 random pieces of malware that customers submitted since 2012 – detect virtual environments and abort their payload execution, O'Murchu said, explaining, “Malware can check its runtime environment for specific files, registry keys, MAC addresses and other artifacts to verify if it is running on a virtual system.”
Proper access control management, disaster recovery, virtual network protection, updated snapshots of virtual machines and logging are some best practices, O'Murchu said, emphasizing that enterprises need to include virtual machines as a part of security strategy.
“The host server, as well as any virtual machine running on it, needs to be protected against malware,” O'Murchu said. “To achieve this, advanced malware protection with proactive components that go beyond the classical static antivirus scanner needs to be in place. This can be agentless on the hypervisor or in the guest image themselves.”