MALWARE ATTACK ON VIRTUAL MACHINES

Published 2016-12-06 in the Virtono community Knowledgebase: https://www.virtono.com/community/knowledgebase/malware-attack-on-virtual-machines/

Server-oriented malware is actually more likely to infect a virtual system than a physical one in many organizations. Now what? This expert e-guide provides the real story of how malware is adapting to virtual environments, so you can ensure protection going forward.

Enterprises are increasingly adopting virtualization technology: researchers estimate that 70% or more of organizations will have implemented virtual servers and other services in 2015. Virtual servers and desktops must be protected from malware like any other system, but attackers are coming up with new ways to avoid detection and analysis. Security researchers have long used virtual machines (VMs) to isolate and analyze malware, which has led to the misconception that malware simply disappears once it detects a VM. The use of sandbox and virtualization technology is also becoming more prevalent in security tools. What is the real story of how malware is adapting to virtual environments?

While it didn't get much mainstream attention, the W32.Crisis malware Symantec described in 2012 paints a terrifying picture of things to come, as malware authors start using new tactics to infect virtual machines in our environments. The Crisis malware, in addition to a number of other malicious actions, can actively seek out VMware virtual machine files stored on systems it has compromised. Once VMware virtual machine disk files have been discovered, Crisis mounts the disk and then uses a native VMware facility to insert itself into the disk file, thus creating a newly infected VM. This is likely the first time we've seen malware authors leverage a virtualization technology's native file formats to infect systems, but the approach makes a lot of sense: virtual machines are, after all, just files, and once malware authors realize that file infection can apply to an entire system, it's only a matter of time before this technique becomes widespread.

DETECTION ROUTINES

Well-known malware in the last five to 10 years has included virtualization detection capabilities. The Conficker worm, prevalent in 2007 and 2008, has virtualization detection capabilities, as does the Storm worm that surfaced in 2008 and 2009. Many other worm and bot variants since then sport various types of VM detection routines.

What is the motivation for malware to detect virtualization in the first place? Virtualization was less common a decade ago than it is today. Back then, malware that detected virtualization was focused entirely on detecting the sandbox environments (specialized or simply virtualized desktops) used by reverse engineers. Malware would often shut down or self-destruct to avoid being pulled apart by security analysts. Today, however, the opposite is true: server-oriented malware is actually more likely to infect a virtual system than a physical one in many organizations, and self-destruction would be self-defeating. If the malware detects a VM, it may wait for a short time or for a certain number of clicks before beginning its malicious activities. These behaviors can be harder to catch and patch in automated VM environments.

There is debate in the reverse engineering and incident response communities about the motivations of attackers looking to detect the virtualization technologies in use, as well as how prevalent the practice of including "anti-VM", or VM detection, routines in malware really is today. Most security researchers will acknowledge that malware "checks out" the environment it runs in, and may determine that a virtualized desktop OS could be a sandbox. And malware packing tools, such as the Tejon Crypter, feature anti-VM options for VMware, VirtualBox and more.