
Malware is threatening virtual machines

Malware is the primary threat to enterprise virtual machines, according to a recent report issued by Symantec.

Symantec recently issued the “Threats to virtual environments” report, which analyzes the principal threats to virtualized environments. The report is timely, given the rapid spread of the virtualization paradigm within enterprises.

According to Forrester Research, more than 70 percent of organizations are planning to use server virtualization by the end of 2015, but we cannot ignore that malware authors are also targeting these environments, which after all manage real users’ data.

“However, virtual machines and their hosting servers are not immune to attack. Introducing virtualization technology to a business creates new attack vectors that need to be addressed, such as monitoring the virtual networks between virtual machines. We have seen malware specifically designed to compromise virtual machines and have observed attackers directly targeting hosting servers.” states the report.

According to Symantec, one of the greatest errors enterprises make is to ignore the cyber threats to virtual machines. Consider, for example, the malware detected by the company that was specifically designed to compromise virtual machines.

One worrying scenario is malicious code breaking out of a virtual machine and infecting the host machine. In these cases, the malware escapes the layer of protection offered by the virtual environment and can gain access to the host network, with serious consequences.

“While enterprises may not think virtual machines are a security risk, from our analysis, [82] percent of the malware we tracked was able to run on virtual machines,” “In some rare cases, we also saw malware breakout of guest systems and infect the physical host.” said Liam O’Murchu, a researcher with Symantec Security Response.

O’Murchu cited as an example CVE-2014-0983, a “guest-to-host” breakout exploit for Vupen’s VirtualBox.

But there is another scenario feared by IT administrators: malware that, once it has infected a host server, is able to compromise any virtual environment running on it, or that creates and launches its own “malicious virtual machine.” This was observed, for example, with the discovery of the Crisis malware, which was able to compromise virtual machines.

Another factor to consider is that virtual environments are often used for malware analysis, but nearly 18 percent of the threats examined, within 200,000 random strains of malware chosen by experts at Symantec, were able to detect virtual environments and abort their payload execution. “Malware can check its runtime environment for specific files, registry keys, MAC addresses and other artifacts to verify if it is running on a virtual system,” said O’Murchu.
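For analysts, the practical consequence is that a sample which stays quiet in a sandbox may simply have noticed the sandbox. The following triage sketch is an added example, not code from the Symantec report: it scans strings extracted from a sample for well-known VMware and VirtualBox artifacts in the three categories the quote names. The indicator selection, function names and sample strings are assumptions made for illustration.

```python
# Added example: flag samples whose strings reference virtualization artifacts.
# The indicator list is a small, illustrative selection, not an exhaustive one.
INDICATORS = {
    "file": ["vmmouse.sys", "vmhgfs.sys", "VBoxGuest.sys", "VBoxMouse.sys"],
    "registry": [
        r"SOFTWARE\VMware, Inc.\VMware Tools",
        r"SOFTWARE\Oracle\VirtualBox Guest Additions",
    ],
    # MAC OUI prefixes used by VMware and VirtualBox virtual network adapters.
    "mac": ["00:05:69", "00:0C:29", "00:1C:14", "00:50:56", "08:00:27"],
}


def vm_awareness_indicators(strings):
    """Return {category: [matched indicators]} for the given sample strings."""
    hits = {category: set() for category in INDICATORS}
    for raw in strings:
        lowered = raw.lower()
        for category, needles in INDICATORS.items():
            # MAC prefixes appear with ':' or '-' separators; unify them.
            haystack = lowered.replace("-", ":") if category == "mac" else lowered
            for needle in needles:
                if needle.lower() in haystack:
                    hits[category].add(needle)
    return {c: sorted(found) for c, found in hits.items() if found}


def likely_vm_aware(strings, min_categories=2):
    """Heuristic: indicators from several categories suggest a VM check."""
    return len(vm_awareness_indicators(strings)) >= min_categories


# Constructed strings, as a strings-extraction tool might output for a sample.
SAMPLE_STRINGS = [
    "C:\\Windows\\System32\\drivers\\VBoxMouse.sys",
    "SOFTWARE\\Oracle\\VirtualBox Guest Additions",
    "08-00-27",
    "GetAdaptersInfo",
    "kernel32.dll",
]
# Constructed strings with no virtualization references.
BENIGN_STRINGS = ["kernel32.dll", "CreateFileW", "C:\\Users\\Public\\report.docx"]

if __name__ == "__main__":
    print(vm_awareness_indicators(SAMPLE_STRINGS))
    print(likely_vm_aware(SAMPLE_STRINGS), likely_vm_aware(BENIGN_STRINGS))
```

A hit is only a hint that the sample may behave differently under virtualization; packed or obfuscated samples will not expose these strings statically.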

The host server and the virtual environments running on it have to be properly protected in the same way, especially against malware.

The principal countermeasures to prevent incidents in virtual environments are efficient access control management, disaster recovery, and the adoption of a virtual network protection system. Of course, maintaining updated snapshots of virtual machines and logging could also help enterprises secure their systems.

Pierluigi Paganini

(Security Affairs – Virtual machines, malware)  


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group. He is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field; he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
