‘VM-aware’ viruses on the rise
Viruses targeting virtual machines (VM) are growing in numbers and will soon be the dominant force in the world of cyber crime, says Kaspersky
Speaking at this week’s SNW Europe conference in Frankfurt, Joe Llewelyn, head of global sales training at Kaspersky Lab, warned of the increase and the trouble they could cause.
“A lot of the viruses we are now seeing are virtual machine aware, meaning they will work out if they are running on a VM,” he said. “But the objection of that could be a number of things.”
Llewelyn claimed this intelligence within a virus could hinder attempts to combat it.
“If someone finds a piece of malware and wants to examine it, as many people do, the first thing is to run it in a virtual machine to see what it does,” he said.
“Now the virus will detect if it is running in a virtual machine and stop doing the nasty things it should, preventing us from seeing the behavior of a virus.”
There is also the possibility that a virtual machine running an operating system instance could be attacked and its details copied directly to the host, leaving companies open to even more risk.
“Even if you think you are safe with all your little virtual machines, there is a chance one of those could run a piece of code and jump out of itself,” added Llewelyn.
But study after study has shown that most breaches are caused by human error, be it leaving an unencrypted USB stick in a car park or an employee downloading malicious software. This latter issue will be even more of a threat with VM-aware viruses targeting virtual desktop deployments.
“When it comes to virtual desktops, this just adds yet another factor because it is your users clicking on and downloading things,” he said. “It is not just an administrator running an Exchange server or a SharePoint server; it is people using their desktops to run cloud environments.”
“This brings up advanced persistent threats (APTs) as these are the ones that are pointed towards users.”
APTs often come in email form and appear to be legitimate messages from companies, or even colleagues, which ask you in the text to download the attached file. This causes issues on an isolated PC, but if this was attached to the entire virtual network and the virus was VM-aware, the consequences could be much worse.
“One day you get a DHL message, the next day it could be something to do with the tax office,” said Llewelyn.
“This social engineering means these persistent threats keep coming at you. They are targeted at your users and your users are sat on your platform and your virtual environment. There is a possibility they could be clicking on something that will turn into an escalation attack.”
The only way to protect against such threats is to have the same attitude towards virtual machine security as companies have to the physical world.
“There isn’t a significant difference between the virtual world and the real world,” said Llewelyn. “If the box is in front of me it needs protection, but if the box is moved to the cloud or a virtual environment, it still needs protection and people are forgetting that when they jump from the real world to the virtual world.”
“All the attacks we are seeing at the moment are very VM-specific and, with even small companies adopting virtual strategies for lower costs to move things into a much more accessible place, it is predictably going to be the next frontier.”
He concluded: “Everything will be pointed towards VMs, it will be where every malware virus is trying to go. It’s where the information will be and, more importantly, it is where the money will be for them as well.”