Stuck between a rock and a virtual place?
Wednesday September 12, 2007 at 2:06 pm CST
Posted by Joel Spurlock
There are two trends which seem to be heading for an inevitable conflict:
- increasing use of virtualization in the marketplace
- increasing detection of debuggers and virtual environments by malcode
Virtualization, while once relatively small, is expanding in the market, driven by cost-cutting measures, affordability, and disaster recovery, to name just a few. Large players (VMware, IBM, Microsoft, and others) are offering competing platforms to serve the customer need. Public information and general interest lead one to believe in a moderate rate of adoption.
On the other hand, malware is often encapsulated with anti-VM technologies (e.g. Themida), or uses code to detect the virtual environment (e.g. Nuwar) and then exits the application. This has been generally increasing, in an attempt to irritate security researchers who find virtual machines a convenient way to analyse malware quickly.
VM technologies will present their own security hurdles in the future, but in the short term these trends probably make virtual machines more secure (at least from a malware perspective) than physical ones. These trends will eventually force malware authors to make a decision: write code that makes analysis harder for security researchers, or expand platform support to virtual environments.

September 13th, 2007 at 5:37 am
I whole-heartedly agree with this. I’ve given talks in the past and when I mention this, it is inevitable that someone in the audience asks, “Does this mean if I run my entire environment in VM I’ll be safe from malware?”
Of course the answer is no.