Virtualization: Your Security Blanket
Taylor Buley, 03.04.10, 6:00 PM ET
Burlingame, Calif. -
Virtualization is one of those technologies that you hear a lot about but never see. It's the driving force behind "cloud" computing and many Web applications--but it's helping keep your desktop safe, too.
In the data center, virtualization technology abstracts hardware from software so that resources can be pooled across large groups of machines. But the technology came to the desktop first, where the same concept let a guest operating system run like any other application on a Windows or Mac machine while still talking to the underlying hardware.
The convenience was not lost on security researchers, who saw hosted desktop virtualization as a way to speed up the once-cumbersome process of analyzing how viruses and other malicious software, called "malware," affect a computer's operating environment. Because it is fast and effective, running malware in a "sandbox" has become common practice at security companies worldwide.
"It's definitely helped us a lot," says Robert McArdle, a Trend Micro threat researcher based in Cork, Ireland. "You can click a button and the whole machine goes to the way it was before you installed the malware."
Virtual machines--VMs for short--can be picked up in the same state you left them, or you can throw away changes on these machines and roll them back to their initial state. This feature is helpful for security researchers, since they need to understand how a piece of malware has affected a computer.
Antivirus researchers look for which files were added or registry entries modified, and use that information to write rules that allow their software to recognize and block threats. Intrusion defense companies look at the network traffic a sample generates, and Web filtering companies look for any URLs that a piece of malware tries to visit.
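The "what changed" comparison described above, as an added example that is not from the article or any of the companies it quotes: two snapshots of sandbox state are diffed to list what a sample added, removed or modified. The baseline and post-run states are constructed in a temporary directory; a real sandbox would snapshot the guest VM's disk and registry instead.

```python
"""Snapshot-diff of sandbox state: the check behind "which files were added
or registry entries modified". Constructed example; the directory tree and the
simulated sample behaviour are made up for illustration."""
import hashlib
import os
import tempfile


def snapshot_tree(root):
    """Map each file under root (relative, '/'-separated) to its SHA-256."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return state


def diff_snapshots(before, after):
    """Compare two {key: value} snapshots (file hashes, registry values, ...)
    and report what changed between them."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def demo():
    """Baseline snapshot, a simulated sample run, then the diff a researcher
    would turn into detection rules."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "Windows", "System32")
        os.makedirs(sysdir)
        with open(os.path.join(sysdir, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        before = snapshot_tree(root)
        # Simulated sample behaviour (constructed): drops one file, edits another.
        with open(os.path.join(sysdir, "dropped.bin"), "wb") as fh:
            fh.write(b"constructed payload stand-in")
        with open(os.path.join(sysdir, "hosts"), "a") as fh:
            fh.write("# line appended by sample\n")
        after = snapshot_tree(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, keys in demo().items():
        print(kind, keys)
```

The same `diff_snapshots` works on a registry dump exported as key/value pairs, which is how the "registries modified" half of the check is done.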
Easy, one-click restoration wasn't always available to researchers. Before virtual machines existed, they had to wipe and reinstall the entire operating system for each sample they analyzed, since a machine on which you've just run a piece of malware can't be trusted.
"That could take hours," says Paul Judge, chief research officer at Barracuda Networks' threat research lab. "It only became practical in the last couple of years when virtualization technology became easy to manage."
Today, running virus samples through a virtual machine can be automated and require almost no human intervention. That's enabled Barracuda to analyze around 3,000 software samples a day, compared with a few dozen a day without using virtual machines, says Judge.
The only problem? McArdle of Trend Micro says that bad guys have caught on to the use of virtual machines for analysis. "Because the malware writers are pretty familiar with how we do our work, they realized that our security teams use virtual machines," he says.
Various strains of malicious software, such as the Storm Worm or Mebroot, now attempt to detect whether they are running in a virtual machine and act differently if so. Some malware refuses to run; other malware behaves very differently in order to fool researchers.