VIRTUAL MACHINE TROJANS: A NEW
TYPE OF THREAT?
(April 16th, 2009)
Virtualization technology is such an efficient way of managing IT resources that there's no doubt that in a very short time it will be the only way of doing it. But virtualization is still a new technology, and logically the information security aspect will lag behind for some time. There are four types of security risks related to virtualization:

1) The normal, run-of-the-mill buffer overflow type that any software package may have; there's no escaping that. Take CVE-2002-0814 as an example.

2) The risk of the guest virtual machine taking control of the host physical machine. It's easy to forget that the virtual machine is running in the same memory as the host. Therefore, the virtual machine could do a buffer overflow and take control of the underlying host machine. Such is the case of CVE-2005-4459.

3) The Blue Pill scenario, in which a virtual machine loads while the host machine is booting, and then mimics the host machine, to the point that the user does not know he/she is inside a virtual machine. In this way, the attacker has full control of the host machine, and the user would have a hard time realizing he/she is not in control. (http://en.wikipedia.org/wiki/Blue_Pill_(malware)), (http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html)

4) Virtual machine trojans, in which a seemingly benign virtual machine you download from the Internet contains a trojan.
The objective of this article is to talk about #4, Virtual Machine Trojans (VMTs). As we all know, trojans infect a machine masquerading as a useful program or file, and the objective of the trojan is to remotely take control of the machine for nefarious purposes: steal information, send spam, commit click fraud, stage denial of service attacks within a botnet, etc. Since trojans have been around forever, antivirus companies have become very adept at detecting and eliminating them, either by detecting their particular signature, or by using heuristics based on the behavior of the malware. So normal trojans are a known threat, and we know how to mitigate them.
But what about virtual machine trojans? A VMT comes embedded within a virtual machine. When a user downloads a virtual machine from the Internet, and runs it on his/her computer, the antivirus installed in the host machine does not have access to the virtual machine, so the virtual machine does not get scanned. If you have in place an antivirus appliance, the trojan will not get detected either while the virtual machine is being downloaded. Downloading and running a virtual machine without any precaution is almost no different than finding a server box in the street, picking it up ("oh great, a server!") and plugging it straight into your LAN. You just don't know where that server's been.
The types of attacks a VMT can execute are different from those of a normal trojan. The VMT does not have access to the host machine; rather, it has access to the local network. Therefore, a VMT can be programmed to do the following:

1) Sniff traffic in the local network
2) Actively scan the local network to detect machines, ports and services
3) Do a vulnerability scan to detect exploitable machines in the local network
4) Execute exploits in the local network
5) Brute force attacks against services such as ftp and ssh
6) Launch DoS attacks within the local network, or against external hosts
7) And of course, send spam and conduct click fraud
Once the virtual machine carrying the VMT is installed, the user will either assign it a static IP, or allow it to access DHCP. The virtual machine's virtual network adapter will either come preconfigured as "bridged", meaning that the virtual machine will have direct access to the LAN, or as "NAT", meaning that the virtual machine will use the host machine's IP to access the network. And of course, the VMT will be programmed to connect via HTTP to its control server, probably using port 80 outbound. Therefore, your firewall will very likely let the connection through. Once the VMT phones home and establishes a connection with the control server, the attacker has full control of a virtual machine inside your network, happily sending and receiving data through an http tunnel.
How real is the threat? I do not know. And that's exactly the scariest type of threat. There are virtual appliance marketplaces out there, and practically anybody can sign up as a virtual appliance provider. Plus there are thousands of other sites from where your users can download virtual appliances. There's no way of knowing if they are safe.
From the technological point of view, creating a VMT is relatively simple. Anybody with a moderate skill level in a scripting programming language can put a VMT together. I have developed a proof-of-concept VMT called ViMtruder, programmed in Python, which can be downloaded from www.infosegura.net/vimtruder.html . It consists of a client, the VMT proper, which is installed within a virtual machine, and a control server, installed in a host on the Internet. The virtual machine, running Linux, is configured to automatically run the VMT client in the background upon boot up. The client tries periodically to contact the control server through the Internet using port 80 outbound. Once the control server links with the VMT, you can send it commands to scan the target LAN where the VMT is connected (Nmap is pre-installed in the virtual machine). The control server displays the Nmap scan results, revealing the open ports and services running in the target LAN. This first version is only a proof-of-concept to show how easily it is done; ViMtruder can be further weaponized, adding an open source sniffer (Dsniff), vulnerability scanner (Nessus), password cracker (THC) and exploit platform (Metasploit), as well as DoS scripts.
What can we do to mitigate the risk of VMTs? There are no antivirus countermeasures yet. But even if there were, think about the difficulty of implementing an antivirus against a VMT. Antivirus software sits inside the host machine in such a way that if malware gets downloaded into the memory of that machine it gets easily detected. But when a virtual machine gets downloaded, its memory is off-limits to the host machine. The only other way would be for an antivirus appliance to scan the virtual machine while it is being downloaded, but this would also be very difficult to do, given how hard it would be to establish recognizable trojan patterns inside the virtual machine.
These are the steps we can take to mitigate the risk of VMTs:

1) Establish a policy that prohibits the downloading and installation of virtual machines without IT's permission. If a user needs a virtual machine, it should be downloaded and tested by the IT department first. Of course this policy will be violated, so we need to implement further defenses.

2) Try not to use DHCP, and keep a strict IP inventory. This will prevent a virtual machine from automatically grabbing an IP. But a determined user will configure the virtual machine with NAT, and use the host machine's IP, so:

3) Run periodic vulnerability scans to detect the presence of virtual machines. If the scanner can authenticate into the hosts, it will be able to check the registry and report if a virtual machine server is installed. It will also be able to detect the actual virtual machines that may be running at the moment, based on the MAC address, but only within the same subnet and only if you are not using a proper switch, of course.

4) Use a deep packet inspection and/or proxy firewall. Configure your firewall to check for proper protocol sequences. This will reduce the risk of a simpler trojan, but more sophisticated ones will be able to circumvent this countermeasure. ViMtruder 1.0 uses port 80, but does not create an http tunnel; it uses raw TCP. Therefore this type of firewall should be able to detect that there's something strange with the connection. (Future versions will have http tunnel and steganographic communication.)

5) Install an IPS not only on your perimeter, but also in your local network. Yes, there are companies that think that an IPS inside the local network is not necessary, since they already have a firewall. Well, trojans, worms, and insiders hack from within the local network.

6) Check the logs. Periodically check the IPs to which your internal network is connecting in the Internet. And take into consideration that a VMT can connect to its control server through other innocent looking ports, not only port 80.
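As an added example (not part of the article, and not ViMtruder code), the following Python script applies points 2, 3, 4 and 6 of the list above to constructed flow records: it flags source MACs carrying a hypervisor vendor OUI, source IPs missing from the IP inventory, and port 80 connections whose first bytes are not an HTTP request line, which is what a deep packet inspection firewall would notice about ViMtruder 1.0's raw TCP. The OUI table holds real vendor prefixes; the flow records and the IP inventory are constructed for illustration.

```python
import re
from collections import namedtuple

# OUI prefixes (first three octets) assigned to common hypervisor vendors.
VM_OUIS = {"00:0c:29": "VMware", "00:50:56": "VMware", "00:05:69": "VMware",
           "08:00:27": "VirtualBox", "00:16:3e": "Xen", "00:15:5d": "Hyper-V"}

# A well-formed HTTP/1.x request line; raw TCP sent to port 80 will not match.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE) \S+ HTTP/1\.[01]\r\n")

# One flow as a sensor on the LAN would see it; payload = first client bytes.
Flow = namedtuple("Flow", "src_mac src_ip dst_ip dst_port payload")

def vm_vendor(mac):
    return VM_OUIS.get(mac.lower()[:8])

def looks_like_http(payload):
    return HTTP_REQUEST_LINE.match(payload) is not None

def triage(flows, inventory):
    """Return (src_ip, dst_ip, reasons) for each flow worth a closer look."""
    findings = []
    for f in flows:
        reasons = []
        vendor = vm_vendor(f.src_mac)
        if vendor:
            reasons.append(f"MAC OUI belongs to {vendor}")
        if f.src_ip not in inventory:
            reasons.append("source IP not in the inventory")
        if f.dst_port == 80 and not looks_like_http(f.payload):
            reasons.append("non-HTTP payload on port 80")
        if reasons:
            findings.append((f.src_ip, f.dst_ip, reasons))
    return findings

# Constructed sample data: a legitimate host, a rogue bridged VM phoning home
# over raw TCP on port 80, and a bridged VM given an inventoried address.
INVENTORY = {"10.0.0.10"}
SAMPLE_FLOWS = [
    Flow("00:1a:2b:3c:4d:5e", "10.0.0.10", "93.184.216.34", 80,
         b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("00:0c:29:aa:bb:cc", "10.0.0.77", "203.0.113.5", 80, b"\x01VMT\x00"),
    Flow("08:00:27:11:22:33", "10.0.0.10", "198.51.100.9", 443, b"\x16\x03\x01"),
]

if __name__ == "__main__":
    for src, dst, why in triage(SAMPLE_FLOWS, INVENTORY):
        print(f"{src} -> {dst}: {'; '.join(why)}")
```

The MAC check only works for sensors on the same subnet as the virtual machine, exactly as point 3 warns; a NAT-mode guest shows the host's MAC on the wire and is caught only by the payload and log checks.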
Up to now there is no quick solution like an antivirus; you need to implement your defense-in-depth strategy, and do the legwork. When a new pathogen appears, there's a low chance of getting infected, but at the same time, if you do get infected, there is no cure. We should be taking a good look at virtual machine security, to be able to determine how real this threat is.