Symantec Outlines Risks in VME Malware Analysis

Symantec has released a Security Response white paper this week titled Threats to virtual environments, which outlines the various risks associated with malware analysis in a virtual machine environment (VME). Symantec provides different attack scenarios, the methodology by which malware can infect host systems, and suggestions for best practices.


This paper was written in response to a study by Forrester Research that concluded “over 70 percent of organizations are planning to use server virtualization by the end of 2015.” In addition, it addresses the security challenges present when using virtual machines, such as the risks associated with virtual networks, mixed data sets, and Input/Output (I/O) hits.

Tech Target defines a virtual machine as “a software implementation of a computing environment in which an operating system (OS) or program can be installed and run.” The external environment is called the “host” while the virtual machine is the “guest.” A hypervisor manages multiple virtual machines on a single system.

Popular virtualization products include VirtualBox and Parallels, which allow a host operating system to run additional operating systems simultaneously. This is useful for creating environments with specific purposes (for instance, a MacBook user who would also like to run certain Windows applications can run a virtual implementation of Windows 8 using Parallels).

In security, analysts use virtual machines to emulate the specific circumstances of a situation. This method is helpful when troubleshooting a certain problem or tracing an attack. Security analysts may also use virtual machines as controlled environments for observing malware patterns and behavior.

The white paper illustrates several of the challenges these analysts face when using a VME for security analysis.

Symantec separates these challenges into two primary categories: malware that evades analysis and malware that specifically evades automated assessment systems. Some of today’s malware can now check to see whether it is running in a virtual machine. According to a Symantec analysis spanning from January 2012 to February 2014, approximately 18 percent of malware assessed in a virtual environment successfully detected that it was in a virtual machine.

Symantec’s paper lists several methods that have been used in the past to detect virtual machines. However, it is important to note that some of these methods are no longer effective as security professionals constantly update their procedures in response to malware behavior. Past detection methods include looking for “helper tools” (such as VMware tools), looking for virtualization-specific drivers, and checking for guest-to-host communications. Malware that “realizes” it is in a controlled environment will typically stop executing. Observers then risk mistaking the lack of malware activity as a sign that they are working with a benign application.

Automated assessment systems are open to specific types of abuse. More sophisticated malware can wait for favorable conditions to act, remaining dormant while running in the VME. Behavior-based execution relies on user behavior (such as a certain number of left clicks or mouse movements) before running, ensuring that only the end user will trigger the malicious behavior.

Malware may also attempt to “wait out” the virtual analysis. In the past, malicious code has waited for a certain number of system restarts. Additionally, an application may deliberately implement a script that is slow to respond in order to generate a timeout and potentially cause the system to misclassify the application as harmless.
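The three evasion patterns above (probing for virtualization artifacts, gating on user interaction, and waiting out the analysis window) all leave traces in the sandbox's own API log, so an analysis team can flag them rather than accept a quiet run as benign. The following Python script is an added example, not Symantec's code or anything from the white paper: the one-call-per-line trace format, the list of artifact name fragments, the thresholds and both sample traces are constructed for this illustration, and real sandboxes emit their own log formats.

```python
"""Flag VM-evasion indicators in a sandbox API-call trace (added example).

Trace format assumed here (constructed): one call per line,
"<ISO timestamp> pid=<n> <API name> [argument]".
"""
import re
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) (?P<api>\w+)(?: (?P<arg>.*))?$")

# Name fragments of virtualization helper tools, drivers and guest-to-host
# channels (the artifact classes the white paper lists). Hypothetical list;
# a real deployment would use the names present on its own guests.
VM_ARTIFACT_RE = re.compile(r"vmware|vbox|virtualbox|vmtools|vmci|vmhgfs|qemu|xen", re.I)

# APIs a sample may poll to wait for a human at the keyboard before acting.
USER_INPUT_APIS = {"GetCursorPos", "GetAsyncKeyState", "GetLastInputInfo"}

LONG_SLEEP_MS = 5 * 60 * 1000   # total sleep at or above this counts as stalling
MIN_INPUT_POLLS = 3             # repeated polling, not a single incidental call
QUICK_EXIT_SECONDS = 10         # exiting this soon after a VM probe is suspicious


def parse_trace(text):
    """Yield (timestamp, api, argument) for every well-formed trace line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["api"], m["arg"] or ""


def analyze(text):
    """Return evasion indicators and an overall 'evasive' flag for one trace."""
    calls = list(parse_trace(text))
    probes = [arg for _, _, arg in calls if VM_ARTIFACT_RE.search(arg)]
    polls = sum(1 for _, api, _ in calls if api in USER_INPUT_APIS)
    sleep_ms = sum(int(arg) for _, api, arg in calls if api == "Sleep" and arg.isdigit())
    first_probe = next((ts for ts, _, arg in calls if VM_ARTIFACT_RE.search(arg)), None)
    exit_ts = next((ts for ts, api, _ in calls if api == "ExitProcess"), None)
    # "Checked for a VM, then went quiet": the case analysts misread as benign.
    probe_then_exit = (
        first_probe is not None and exit_ts is not None
        and (exit_ts - first_probe).total_seconds() <= QUICK_EXIT_SECONDS
    )
    reasons = []
    if probes:
        reasons.append("queried virtualization artifacts")
    if probe_then_exit:
        reasons.append("exited shortly after VM probe")
    if polls >= MIN_INPUT_POLLS:
        reasons.append("polled for user input before acting")
    if sleep_ms >= LONG_SLEEP_MS:
        reasons.append("stalled with long sleeps")
    return {
        "vm_artifact_probes": probes,
        "user_input_polls": polls,
        "sleep_ms": sleep_ms,
        "probe_then_exit": probe_then_exit,
        "evasive": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample: probes for helper tools and a guest driver, polls the
# mouse, asks for a 10-minute sleep (which the sandbox fast-forwards) and exits.
EVASIVE_TRACE = r"""
2014-02-10T09:00:00 pid=1204 RegOpenKeyEx HKLM\SOFTWARE\VMware, Inc.\VMware Tools
2014-02-10T09:00:00 pid=1204 CreateFile \\.\VBoxGuest
2014-02-10T09:00:01 pid=1204 GetCursorPos
2014-02-10T09:00:01 pid=1204 GetCursorPos
2014-02-10T09:00:02 pid=1204 GetCursorPos
2014-02-10T09:00:02 pid=1204 Sleep 600000
2014-02-10T09:00:03 pid=1204 ExitProcess 0
"""

# Constructed sample of an ordinary program: writes a file and exits normally.
BENIGN_TRACE = r"""
2014-02-10T09:10:00 pid=2210 CreateFile C:\Users\analyst\Documents\notes.txt
2014-02-10T09:10:00 pid=2210 WriteFile 512
2014-02-10T09:10:01 pid=2210 CloseHandle
2014-02-10T09:10:30 pid=2210 ExitProcess 0
"""

if __name__ == "__main__":
    for name, trace in (("evasive sample", EVASIVE_TRACE), ("benign sample", BENIGN_TRACE)):
        result = analyze(trace)
        print(f"{name}: evasive={result['evasive']} reasons={result['reasons']}")
```

The point of the `probe_then_exit` indicator is the one the paper makes: a sample that checks for a virtual machine and then does nothing should be routed to a hardened or bare-metal analysis environment, not reported as clean. The thresholds are deliberately conservative so that a single cursor query or a short sleep in a legitimate installer does not trip them.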

A large concern for security analysts is that the virus under assessment might “escape” its controlled virtual environment and infect the host system. Such an infection would threaten all virtual machines using the host system as an environment:

This would be bad for an environment where one hosting server runs many guest virtual machines, but could also impact security professionals who are using virtual machines to securely analyze malware.

The white paper discusses the 2009 Cloudburst attack, whereby malicious code prompted the host to generate exceptions that the malware could then hijack. Additionally, worms can spread in environments that enable shared folders between the virtual and host system.

Symantec suggests a series of best practices for security professionals using VMEs. Organizations ought to enforce strict access control with strong login procedures (such as two-factor authentication). Snapshots and images of a virtual machine may contain outdated software and consequently should be included in all patch and upgrade cycles. Most importantly, Symantec strongly recommends “hardening” the host server to make it less vulnerable to internal attacks. When applicable, this includes whitelisting only trusted applications.