Virtualization Technology News and Information
ViMTruder 1.0 Virtual Machine Trojan

Normal trojans are a known threat, and we know how to mitigate them. But what about virtual machine trojans? A VMT comes embedded within a virtual machine. When a user downloads a virtual machine from the Internet and runs it, the antivirus installed on the host never looks inside the guest: the virtual disk is just a large image file to it, and the guest's file system and running processes are out of its reach, so the virtual machine does not get scanned.

ViMtruder consists of a client, which is installed inside a virtual machine, and a control server, which sits on a host on the Internet. The virtual machine, running Linux, is configured to start the VMT client in the background at boot. The client periodically tries to reach the control server over outbound TCP port 80, the port an egress firewall is least likely to block. Once the control server has a session with the client, you can send it Nmap commands to scan the LAN the virtual machine is connected to.
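The beaconing behaviour described above is also the VMT's weak point from the defender's side: a timer-driven client produces outbound connections to one address at near-constant intervals, which human browsing does not. The following is an added example (not ViMtruder code, and not from the original article) that flags such flows in egress logs. The log format is a constructed, generic "timestamp src dst dport bytes" line rather than any real product's format, the addresses are documentation ranges, and the thresholds are assumptions to tune against your own traffic.

```python
"""Flag hosts that beacon to one external destination at regular intervals.

Added example for the VMT above: its client phones home over outbound TCP/80
on a timer, so a flow whose inter-connection gaps are almost identical is
worth a look. Log format, hosts and thresholds below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: a VM at 10.0.0.42 beacons every ~60 s to 198.51.100.7:80
# (a TEST-NET-2 address); a workstation at 10.0.0.15 browses irregularly.
SAMPLE_LOG = """\
2009-04-21T08:00:00 10.0.0.42 198.51.100.7 80 312
2009-04-21T08:00:03 10.0.0.15 203.0.113.10 80 5120
2009-04-21T08:01:00 10.0.0.42 198.51.100.7 80 298
2009-04-21T08:01:47 10.0.0.15 203.0.113.10 443 88231
2009-04-21T08:02:00 10.0.0.42 198.51.100.7 80 305
2009-04-21T08:02:11 10.0.0.15 203.0.113.22 80 2210
2009-04-21T08:03:01 10.0.0.42 198.51.100.7 80 310
2009-04-21T08:04:00 10.0.0.42 198.51.100.7 80 301
2009-04-21T08:04:09 10.0.0.15 203.0.113.10 80 1742
2009-04-21T08:05:00 10.0.0.42 198.51.100.7 80 307
2009-04-21T08:06:00 10.0.0.42 198.51.100.7 80 299
2009-04-21T09:12:30 10.0.0.15 203.0.113.10 80 6611
"""


def parse_log(text):
    """Yield (timestamp, src, dst, dport) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _size = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def find_beacons(text, min_hits=5, max_jitter=0.10):
    """Return {(src, dst, dport): (mean_gap_seconds, jitter)} for periodic flows.

    jitter is stddev/mean of the gaps between successive connections:
    bursty human traffic scores high, a timer-driven client scores near zero.
    min_hits avoids judging a flow on one or two coincidental gaps.
    """
    seen = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        seen[(src, dst, dport)].append(ts)

    hits = {}
    for key, stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue
        jitter = pstdev(gaps) / mu
        if jitter <= max_jitter:
            hits[key] = (mu, jitter)
    return hits


if __name__ == "__main__":
    for (src, dst, dport), (mu, jitter) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{dport} every ~{mu:.0f}s (jitter {jitter:.2f})")
```

Against the sample the only flagged flow is 10.0.0.42 to 198.51.100.7:80 at roughly 60 second intervals. A client that randomises its sleep will push the jitter up, so in practice you would loosen max_jitter and lean more on the count of connections to a single low-reputation address; the point of the example is the shape of the signal, not the exact thresholds.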

This article introduces the concept of the virtual machine trojan:

There are four types of security risks related to virtualization:

1) The normal, run-of-the-mill implementation bug, such as a buffer overflow, that any software package, hypervisor included, may have; there’s no escaping that. Take CVE-2002-0814 as an example.

2) The risk of the guest virtual machine taking control of the host physical machine. It’s easy to forget that the guest is serviced by hypervisor code (device emulation, networking helpers) that runs on the host with host privileges. A memory-corruption bug in that code lets input crafted inside the guest overwrite host memory and escape the virtual machine. Such is the case of CVE-2005-4459, a guest-to-host escape.

3) The Blue Pill scenario, in which malware uses the CPU’s hardware virtualization extensions to install a thin hypervisor underneath the running operating system, moving that OS into a virtual machine on the fly, with no reboot and nothing visible to the user. The attacker then controls the machine from below the OS, and the user would have a very hard time realizing he or she is no longer in control. (http://en.wikipedia.org/wiki/Blue_Pill_(malware)), (http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html)

4) Virtual machine trojans, in which a seemingly benign virtual machine you download from the Internet contains a trojan.

The objective of this article is to talk about #4, Virtual Machine Trojans (VMTs).

As we all know, trojans infect a machine by masquerading as a useful program or file, and the objective of the trojan is to take remote control of the machine for nefarious purposes: stealing information, sending spam, conducting click fraud, staging denial-of-service attacks as part of a botnet, and so on. Since trojans have been around for so long, antivirus companies have become very adept at detecting and eliminating them, either by matching a particular signature or by using heuristics based on the malware’s behavior.

So, normal trojans are a known threat, and we know how to mitigate them. But what about virtual machine trojans? A VMT comes embedded within a virtual machine. When a user downloads a virtual machine from the Internet and runs it, the antivirus installed on the host never looks inside the guest: the virtual disk is just a large image file to it, and the guest’s file system and running processes are out of its reach, so the virtual machine does not get scanned. If you have an antivirus appliance at the gateway, the trojan will not get detected while the virtual machine is being downloaded either: the appliance sees a multi-gigabyte disk image, not an executable it knows how to unpack and scan. Downloading and running a virtual machine without any precaution is almost no different than finding a server box in the street, picking it up (“oh great, a free server!”) and plugging it straight into your LAN. You just don’t know where that server’s been.

The types of attacks a VMT can execute are different from those of a normal trojan. The VMT does not have direct access to the host machine’s files or memory (barring a VM escape or a shared folder); what it has is a network interface on the local network, and in a bridged or NAT configuration the host itself is just another LAN host from the guest’s point of view. Therefore, a VMT can be programmed to do the following:

1) Sniff traffic on the local network

2) Actively scan the local network to detect machines, ports and services

3) Run a vulnerability scan to find exploitable machines on the local network

4) Execute exploits against machines on the local network

5) Brute-force attacks against services such as FTP and SSH

6) Launch DoS attacks within the local network, or against external hosts

7) And of course, send spam and conduct click fraud
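The practical counterpart to the "server box found in the street" point above is to look inside a downloaded image before it ever gets a network interface. Everything the VMT does, from the boot-time client to the scans listed above, depends on something in the guest being wired to start automatically, and that wiring lives in a handful of well-known places. The following is an added example, not part of the original article and not ViMtruder code, that audits those places in a guest file system. It assumes the virtual disk has already been attached and mounted read-only on the host (with qemu-nbd or libguestfs, for instance; that step is not shown) at a directory passed as guest_root; the fake guest tree it builds for a stand-alone run, the paths it checks and the command list it flags are all constructed for illustration.

```python
"""Pre-flight audit of a downloaded VM's guest file system.

Added example: walks the boot-time and login-time autostart locations of a
Linux guest mounted read-only at guest_root and flags hooks that reference
network tooling or hard-coded addresses, which is how a VMT such as the one
described above gets its client running and phoning home after every boot.
The autostart list and the command list are assumptions, not exhaustive.
"""
import os
import re
import tempfile

# Places a Linux guest can arrange to run something at boot or at login
# (relative to the mounted guest root; constructed list, extend as needed).
AUTOSTART_PATHS = [
    "etc/rc.local",
    "etc/rc.d/rc.local",
    "etc/init.d",
    "etc/cron.d",
    "etc/crontab",
    "etc/systemd/system",
    "root/.bashrc",
    "root/.profile",
    "var/spool/cron/crontabs",
    "var/spool/cron",
]

# Tools, URLs and dotted-quad addresses an autostart hook on a fresh
# appliance rarely has a good reason to mention (constructed heuristic).
SUSPECT = re.compile(
    r"\b(nmap|nc|netcat|ncat|socat|curl|wget|tcpdump|hping3?)\b"
    r"|https?://"
    r"|\b\d{1,3}(?:\.\d{1,3}){3}\b"
)


def iter_hooks(guest_root):
    """Yield (path relative to guest root, file text) for every hook that exists."""
    for rel in AUTOSTART_PATHS:
        full = os.path.join(guest_root, rel)
        if os.path.isfile(full):
            files = [full]
        elif os.path.isdir(full):
            files = [os.path.join(d, f)
                     for d, _dirs, names in os.walk(full) for f in names]
        else:
            continue
        for path in files:
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable device nodes, dangling symlinks, etc.
            yield os.path.relpath(path, guest_root).replace(os.sep, "/"), text


def audit(guest_root):
    """Return {hook path: [offending lines]}; comment lines are ignored."""
    findings = {}
    for rel, text in iter_hooks(guest_root):
        lines = [ln.strip() for ln in text.splitlines()
                 if SUSPECT.search(ln) and not ln.lstrip().startswith("#")]
        if lines:
            findings[rel] = lines
    return findings


def build_sample_guest():
    """Construct a tiny fake guest tree (not a real disk image) for a demo run.

    rc.local starts a hypothetical client that takes a server address on its
    command line; cron runs a periodic ping sweep; the ssh init script is benign.
    """
    root = tempfile.mkdtemp(prefix="guest-")
    os.makedirs(os.path.join(root, "etc", "init.d"))
    os.makedirs(os.path.join(root, "etc", "cron.d"))
    with open(os.path.join(root, "etc", "rc.local"), "w") as fh:
        fh.write("#!/bin/sh\n# harmless comment mentioning nmap\n"
                 "/usr/bin/python /opt/agent/client.py 198.51.100.7 80 &\nexit 0\n")
    with open(os.path.join(root, "etc", "init.d", "ssh"), "w") as fh:
        fh.write("#!/bin/sh\n### BEGIN INIT INFO\n"
                 "start-stop-daemon --start --exec /usr/sbin/sshd\n")
    with open(os.path.join(root, "etc", "cron.d", "agent"), "w") as fh:
        fh.write("*/5 * * * * root nmap -sn 10.0.0.0/24 > /tmp/hosts\n")
    return root


if __name__ == "__main__":
    for path, lines in audit(build_sample_guest()).items():
        print(path)
        for ln in lines:
            print("   ", ln)
```

On the constructed tree the audit reports etc/rc.local (the client launch line with its hard-coded server address) and etc/cron.d/agent (the nmap sweep), and says nothing about the ssh init script. Run against a real mount this is only a first pass: a client can also be started from a package's own init script or from a binary with the address compiled in, so the finding you actually act on is any autostart entry you cannot account for, not just ones that match the regex.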

...

Read the rest of the article.


You can download ViMtruder at http://code.google.com/p/vimtruder/. ViMtruder is written in Python and consists of two separate pieces of software: vimtruder-client and vimtruder-server.

Published Tuesday, April 21, 2009 5:50 AM by David Marshall