How well does virtualization technology defend against malware?

BROWSE BY TAG Application and Platform Security,   Virtualization Security Issues and Threats,   Emerging Information Security Threats,   Expert Archive: Information Security Threats,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Virtualization Security Issues and Threats Cloud computing data security starts with internal strategy, experts say PCI virtualization SIG closer to proposing changes to standard Security challenges with cloud computing services Secure virtual desktop software enables remote client security Security threats to virtual environments less theoretical, more practical At VMworld 2009, companies focus on virtual desktops for security Security fundamentals remain focus of virtualization deployments How to implement virtual firewalls in a complex network infrastructure How to find virtual machines for greater virtualization compliance Quiz: Virtualization and compliance Emerging Information Security Threats Hackers to sharpen malware, malicious software in 2010 Modern malware, stealthy botnets, adapt quickly, expert says New ransomware Trojan pushes victims to buy software Bruce Schneier on outsourcing, awareness training US-CERT warns of BlackBerry snooping software Marcus Ranum on cyberwarfare, infosec careers Researchers find thousands of flawed embedded devices Enterprise botnets contain thousands of malware variants Nuke and pave to eradicate botnets Rand study urges caution on cyberwarfare attacks Expert Archive: Information Security Threats The telltale signs of a network attack Will Google Chrome enhance overall browser security? Are there antivirus suites that pick up more than just run-of-the-mill viruses? What tools can a hacker use to crack a laptop password? Are social networking sites an easy target for malicious hackers? What are the dangers of cross-site request forgery attacks (CSRF)? Should social engineering tests be included in penetration testing? What kind of data is compromised during a Google hack? Best practices for using restriction policy whitelists Defining mobile device security concerns

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary DNS rebinding attack  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) man in the browser  (SearchSecurity.com) phlashing  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) pulsing zombie  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

They actually do a pretty good job when used properly. With current attack technology, an infected guest is unlikely to infect the underlying host operating system or other guests, as long as the host and guests are carefully patched and hardened.

So, for example, if you needed to investigate a given malware specimen or surf to a site that might be untrustworthy, you might want to use a guest machine. First, set a revert point (also known as a restore point) on your pristine guest operating system. Then, surf or run the malware to do your analysis. The likelihood of the underlying system getting infected here is very low. After you are done running the malware, you can hit the revert button in your virtualization product and have your pristine system back. To pull all of this off, you can even use VMware's free virtual browser appliance running in its free VMware Player product; the revert options in Player, however, are pretty limited. To get a pristine guest again, use VMware Player and just boot the guest appliance from its original image.

As a disclaimer, this method isn't foolproof. An increasing percentage of malware tries to detect if it is running inside a virtual machine. If savvy malware recognizes such a location, it may alter its functionality and hide or otherwise change some of its most interesting features. So, if malware analysis is your bag, you might want to confirm whether the malware is detecting a virtual machine. For more info on this topic, please check out the presentation that I wrote with my colleague Tom Liston (.pdf). In that paper, we present some mitigation techniques for preventing detection of VMware.

The second area of concern involves the possibility that malicious code could someday escape a virtual machine, jumping from one guest into another guest, or even into the underlying host itself. Such attacks are quite difficult to pull off, and as of this writing, there has been no publicly released code to do so. It's a vibrant area of research, but has to be put in the realm of the theoretical -- for now.

More information: