Post on 11-Jan-2016
Trend Micro Virtualization Security
Jerome Law
EMEA Solutions Architect
08/25/09
What is a Hypervisor?
Hypervisors are a “meta” operating system in a virtualized environment. They have access to all physical devices in a server, including all disk and memory. Hypervisors both schedule access to these devices, and help to protect clients from each other. A server first starts to execute the hypervisor, which then loads each of the virtual machine client operating systems, allocating the appropriate amount of memory, CPU usage, network bandwidth and disk space for each of the VMs.
VMs make requests to the hypervisor through several different methods, usually involving a specific API call. These APIs are prime targets for malicious code, so substantial effort is made by all hypervisors to ensure that the APIs are secure, and that only authentic (authenticated and authorized) requests are accepted from the VMs. This is a critical-path function. It should be noted, however, that speed is a significant requirement in all hypervisors, to ensure that overall performance is not impacted.
What the Bad Guys are Doing
They hijack computers and misuse them for commercial purposes.
(Figure: infection chain: trigger, downloader, infection, downloading components, interaction with server over the web, $$$$)
Underground Virtualization
(Figure: stack of Operating System, Hypervisor and Virtualization layers)
Copyright 2008 - Trend Micro Inc.
Underground economy
Sample data from research on the underground digital economy in 2007
Asset: Going-rate
• Pay-out for each unique adware installation: 30 cents in the United States, 20 cents in Canada, 10 cents in the UK, 2 cents elsewhere
• Malware package, basic version: $1,000 – $2,000
• Malware package with add-on services: Varying prices starting at $20
• Exploit kit rental, 1 hour: $0.99 to $1
• Exploit kit rental, 2.5 hours: $1.60 to $2
• Exploit kit rental, 5 hours: $4, may vary
• Undetected copy of a certain information-stealing Trojan: $80, may vary
• Distributed Denial of Service attack: $100 per day
• 10,000 compromised PCs: $1,000
• Stolen bank account credentials: Varying prices starting at $50
• 1 million freshly-harvested emails (unverified): $8 up, depending on quality
Problem
• Every 2 seconds a new malware threat is created
• 79% of websites hosting malicious code are legitimate – thus compromised by hackers
• 59% view their organization’s Web gateway security solutions as only somewhat effective, not very effective or not at all effective in protecting against web-borne threats
• 23% of the average user’s day at work is spent doing something on the Web
• 45% of the 100 most popular websites support user generated content (Web 2.0); 60% of these are infected with malware
• 42% are prepared to deal with the risks of Web 2.0 in order to capitalize on its business benefits (e.g. allow access to social networking sites)
And who’s behind?
compromised ISP subnets owned by --> ARUBA.IT (and Vortech)
IP Location: Italy
Resolve Host: *.in-addr.arpa. 10799 IN PTR webx90.aruba.it.
Blacklist Status: Clear
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
IFRAME redirector from compromised site --> HostFresh, HK
IP Location: Hong Kong, Hostfresh
Blacklist Status: Clear
Whois Record
person: Piu Lo
nic-hdl: PL466-AP
e-mail: ipadmin@hostfresh.com
address: No. 500, Post Office, Tuen Mun, N.T., Hong Kong
phone: +852-35979788
fax-no: +852-24522539
country: HK
other downloaded malware from various sites
For example, 58.65.239.180 is announced by Atrivo / Intercage, an infamous hosting company in the Bay Area. It is an APNIC IP address, but the physical location of servers using IP addresses in the range 58.65.238.0/23 is the Bay Area, in a datacenter in San Francisco at Paul Avenue.
control and monitoring server --> FastServers, Chicago, IL
IP Location: United States, Chicago, FastServers Inc
Resolve Host: <snip> TRUMAN.DNSPATHING.COM.
Blacklist Status: Clear
Whois Record
OrgName: FastServers, Inc.
OrgID: FASTS-1
Address: 175 W. Jackson Blvd
Address: Suite 1770
City: Chicago
StateProv: IL
PostalCode: 60604
Country: US
MPACK Details
• Created by the same group who created the WebAttacker Toolkit
• Current Version: 0.90
• They guarantee that the released version is QA'd against AV software
• MPACK kit sells for 700 USD; 1000 USD if Dream Downloader is included
• New exploits integrated in MPACK cost between 50-150 USD depending on the severity/spread of the vulnerability
• DreamDownloader is an automatic file downloader triggered by MPACK
• It bypasses several firewalls
• Disables some Antivirus
• Uses anti-debug techniques
• Detects virtual machines
• Uses several packers to avoid detection
ZLOB Infection Business model
How it works
1. You send surfers to videoscash's sites/galleries/videos in any possible way.
2. Surfers try to view free videos, but "seems like" they have no appropriate video codec installed, and they are offered to download it.
3. Once they download and install the video codec you get $0.02 - $0.26 (depends on the surfer's country).
4. Twice a month you get paid via Epassporte, Wire transfer, Fethard or Webmoney with no hold!
Source: Underground Webpage
Changing Threat Environment
• More profitable: $100 billion estimated profits from global cybercrime -- Chicago Tribune, 2008
• More sophisticated, malicious & stealthy: “95% of 285 million records stolen in 2008 were the result of highly skillful attacks”; “Breaches go undiscovered and uncontained for weeks or months in 75% of cases.” -- Verizon Breach Report, 2009
• More frequent: “We receive 40,000 attacks per hour on a typical morning” -- Cleveland Clinic Health System @ HIMSS 2006
• More targeted: “Harvard and Harvard Medical School are attacked every 7 seconds, 24 hours a day, 7 days a week.” -- John Halamka, CIO
PCI DSS
What NOT to worry about
Source: Spamhaus Blocklist (SBL) database. Data is compiled automatically every 24 hours from the SBL database and sorted by the number of currently listed SBL records for each network (ISP/NSP).
Some malware that uses anti-VMware tactics:
TROJ_CONYCSPA.M
» This Trojan may be downloaded from the Internet. It may also be dropped by another malware.
» contains an anti-debugging technique to check if the system runs on the virtual platform VMware. It does the said routine by checking for a file related to VMware. If it is running in the said virtual platform, it does not proceed with its malicious routines.
» It exports functions that enable it to send spammed email messages using its own Simple Mail Transfer Protocol (SMTP) engine.
Some malware that uses anti-VMware tactics:
PE_CORELINK.C-O
• This file infector checks if the infected system is running on VMware or in a virtual machine environment. It does its checking by querying the VMware backdoor I/O port and comparing the reply. If the reply returns "VMXh", it adjusts its privileges so that it shuts down the affected system.
• Propagates via network shares and removable drives
• Downloads TROJ_ALMANAHE.V
• Upon execution, it decrypts the embedded rootkit files NVMINI.SYS and CDRALW.SYS, detected by Trend Micro as TROJ_AGENT.THK.
Some malware that uses anti-VMware tactics:
TROJ_KAKKEYS.S
• gathers the contact list from the Windows Messenger and Windows Address Book (WAB), as well as the contents of certain .TXT files located in the Winny installation folder.
• It sends the stolen information to the 2CH.NET Bulletin Boards by posting a message to the said boards.
• terminates itself if VMware is installed. It does the said routine by checking the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
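The three checks quoted above (a VMware-related file, the "VMXh" reply on the VMware backdoor port, and the VMware Tools registry key) are cheap to reproduce, which is exactly why an analysis sandbox has to hide them. The program below is an added example, not code from the deck or from Trend Micro, written the way these samples do it on an x86/x86-64 POSIX host (on Windows the same IN probe sits under a structured exception handler instead of sigsetjmp). It goes beyond the deck in one place: a CPUID check that catches any hypervisor advertising itself, not only VMware. The artefact paths, the GETVERSION command number and the "any probe positive means bail out" rule are assumptions, not taken from the page.

```c
/* Added example, not from the original deck or from Trend Micro: the VMware
 * checks the slides describe (PE_CORELINK.C-O's "VMXh" port reply, and the
 * VMware Tools file/registry artefacts used by TROJ_CONYCSPA.M and
 * TROJ_KAKKEYS.S), plus a CPUID hypervisor check that generalises "detects
 * virtual machines" to any hypervisor. Assumes x86/x86-64 and a POSIX host;
 * the artefact paths are typical VMware Tools locations, not from the deck. */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

#define VMWARE_MAGIC 0x564D5868u /* "VMXh" as a little-endian dword */
#define VMWARE_PORT  0x5658u     /* "VX": VMware's backdoor I/O port */
#define VMWARE_CMD_GETVERSION 0x0Au

static sigjmp_buf probe_env;
static void probe_fault(int sig) { (void)sig; siglongjmp(probe_env, 1); }

/* Check 1: IN on port 0x5658 with EAX="VMXh". Inside VMware the hypervisor
 * answers and EBX reads back "VMXh"; anywhere else the privileged IN raises
 * #GP, which the kernel delivers as SIGSEGV (SIGBUS on some BSDs), so we catch
 * it and treat it as "not VMware". Returns 1 = VMware, 0 = no, -1 = not x86. */
int vmware_backdoor_present(void) {
#if HAVE_X86
    struct sigaction sa, old_segv, old_bus;
    volatile int found = 0;
    uint32_t eax = VMWARE_MAGIC, ebx = 0, ecx = VMWARE_CMD_GETVERSION, edx = VMWARE_PORT;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(probe_env, 1) == 0) {
        __asm__ volatile("inl %%dx, %%eax"
                         : "+a"(eax), "+b"(ebx), "+c"(ecx), "+d"(edx) : : "memory");
        found = (ebx == VMWARE_MAGIC);
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return found;
#else
    return -1;
#endif
}

/* Check 2 (beyond the deck): CPUID leaf 1, ECX bit 31 is the "hypervisor
 * present" flag, and leaf 0x40000000 returns a 12-byte vendor string
 * ("VMwareVMware", "KVMKVMKVM", "Microsoft Hv", ...). CPUID never faults.
 * Returns 1 and fills vendor under a hypervisor, 0 on bare metal, -1 if not x86. */
int hypervisor_vendor(char vendor[13]) {
#if HAVE_X86
    unsigned int eax, ebx, ecx, edx;
    vendor[0] = '\0';
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx) || !(ecx & (1u << 31)))
        return 0;
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    memcpy(vendor, &ebx, 4);
    memcpy(vendor + 4, &ecx, 4);
    memcpy(vendor + 8, &edx, 4);
    vendor[12] = '\0';
    return 1;
#else
    vendor[0] = '\0';
    return -1;
#endif
}

/* Check 3: the on-disk footprint of VMware Tools. The deck's samples look for a
 * VMware-related file and for HKLM\SOFTWARE\VMware, Inc.\VMware Tools; the
 * paths here are assumed typical locations (Windows guests, then a Linux guest
 * path), not taken from the deck. Returns 1 if any of them exists. */
static const char *const vmware_artifacts[] = {
    "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe",
    "C:\\Windows\\System32\\drivers\\vmmouse.sys",
    "C:\\Windows\\System32\\drivers\\vmhgfs.sys",
    "/etc/vmware-tools",
    NULL
};
int vmware_artifact_present(void) {
    for (const char *const *p = vmware_artifacts; *p; ++p)
        if (access(*p, F_OK) == 0)
            return 1;
    return 0;
}

/* What the samples do with the answers: any positive probe means "analysis or
 * honeypot box" and the malicious routine is skipped. 1 = VM detected. */
int running_in_vm(void) {
    char vendor[13];
    return vmware_backdoor_present() == 1 || hypervisor_vendor(vendor) == 1 ||
           vmware_artifact_present() == 1;
}

int main(void) {
    char vendor[13];
    int hv = hypervisor_vendor(vendor);
    printf("vmware backdoor: %d\ncpuid hypervisor: %d (%s)\nvmware tools artefacts: %d\n",
           vmware_backdoor_present(), hv, hv == 1 ? vendor : "none", vmware_artifact_present());
    printf("%s\n", running_in_vm() ? "VM detected: the samples above would bail out here"
                                   : "no VM detected: malicious routines would proceed");
    return 0;
}
```

On a VMware guest the first probe answers; on KVM or Hyper-V only the CPUID probe fires, which is the gap the samples above leave for other hypervisors; on bare metal all three stay quiet and the fault path shows why the port probe must sit under a handler. For a sandbox the conclusions are the mirror image: strip VMware Tools, and expect samples that read the backdoor port or the hypervisor bit to go dormant.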
Other related VE entries:
Grayware (5)
• CRCK_VMWARE.B
• CRCK_VMWARE.C
• TSPY_GOLDUN.CD
• TSPY_KAKKEYS.AE
• TSPY_KAKKEYS.AK
Malware (30)
• BKDR_HAXDOOR.DE
• BKDR_HAXDOOR.FR
• BKDR_HAXDOOR.IV
• BKDR_HAXDOOR.JH
• BKDR_SDBOT.LP
• JS_RESETTABLE.A
• PE_CORELINK.C-O
• TROJ_AGENT.BRS
• TROJ_CONYCSPA.M
• TROJ_DLOADER.CPI
• TROJ_KAKKEYS.P
• TROJ_KAKKEYS.S
• TROJ_KAKKEYS.V
• TROJ_LDPINCH.DX
• TROJ_VMKILLER.B
• TROJ_VMWARE.A
• WORM_AGOBOT.CW
• WORM_ARIVER.A
• WORM_IRCBOT.AW
• WORM_IXBOT.A
• WORM_NUWAR.AOP
• WORM_RBOT.ENZ
• WORM_SDBOT.CDL
• WORM_SDBOT.CKI
• WORM_SDBOT.CMH
WTC Stats
• The infection count on VMWare malware family increased from last year’s 1234 to 1304.
Figure 4. Infection count on VMWARE Malware Family
What NOT to worry about
Are there any Hypervisor Attack Vectors?
Concern: Virtualizing the DMZ / Mixing Trust Zones
Three Primary Configurations:
• Physical Separation of Trust Zones
• Virtual Separation of Trust Zones with Physical Security Devices
• Fully collapsing all servers and security devices into a VI3 infrastructure
Also Applies to PCI Requirements 2.2.1, 1.1.x, 6.3.2, and 6.3.3
• “How do you secure a virtualized environment?”
• “How do you virtualize all of the security infrastructure in an organization?”
• “What do you call something that inspects memory inside of a VM and inspects traffic and correlates the results? We don’t really have a definition for that today, because it was impossible, so we never considered it.”
Questions?
How do we secure our Virtual Infrastructure?
Use the Principles of Information Security
– Hardening and Lockdown
– Defense in Depth
– Authorization, Authentication, and Accounting
– Separation of Duties and Least Privileges
– Administrative Controls
Securing Virtual Machines
• Host
– Anti-Virus
– Patch Management
• Network
– Intrusion Detection/Prevention (IDS/IPS)
– Firewalls
Provide Same Protection as for Physical Servers
Secure Design for Virtualization Layer
Fundamental Design Principles
• Isolate all management networks
• Disable all unneeded services
• Tightly regulate all administrative access
Enforce Strong Access Controls
Security Principle: Implementation in VI
• Least Privileges: Roles with only required privileges
• Separation of Duties: Roles applied only to required objects
(Figure: example role assignment: the roles Administrator, Operator and User granted to the users Anne, Harry and Joe)
Maintain Tight Administrative Controls
Requirement: Example Products
• Configuration management, monitoring, auditing: Tripwire Enterprise for VMware ESX; NetIQ Secure Configuration Manager; Configuresoft ECM for Virtualization
• Track and Manage VMs: VMware Lifecycle Manager; VMware Stage Manager
• Updating of offline VMs: VMware Update Manager; Trend Micro BigFix (ESP)
• Virtual network security: Third Brigade – Trend Micro
Diverse and growing ecosystem of products to help provide secure VMware Infrastructure
Overview – Trend Micro Solution
• Datacenter trends
• Securing VMs
– Traditional approach
– Problems
• VMsafe
• The Trend Micro approach
– Architecture
– Trend Micro Deep Security
– Trend Micro Core Protection for VMs
5/28/2009
Trends in the Datacenter
• Physical: Servers under pressure
• Virtualized: Servers virtual and in motion
• Cloud: Servers in the open
Securing Virtual Servers the Traditional Way
(Figure: ESX Server hosting several App/OS VMs, each with its own AV agent, with a network IDS / IPS in front of the host)
• Anti-virus: Local, agent-based protection in the VM
• IDS / IPS: Network-based device or software solution
VMs Need Specialized Protection
Same threats in virtualized servers as physical.
New challenges:
1. Dormant VMs
2. Resource contention
3. VM Sprawl
4. Inter-VM traffic
5. vMotion
Problem 1: Dormant VMs are unprotected
Dormant VMs include VM templates and backups:
• Cannot run scan agents yet still can get infected
• Stale AV signatures
(Figure: ESX Server with dormant and active VMs, each carrying its own AV agent)
Problem 2: Full System Scans
Resource Contention with Full System Scans
• Existing AV solutions are not VM aware
• Simultaneous full AV scans on the same host cause severe performance degradation
• No isolation between malware and anti-malware
(Figure: a typical AV console scheduling a 3:00am scan on every VM on the ESX Server at once)
Problem 3: VM Sprawl
Managing VM Sprawl
• Security weaknesses replicate quickly
• Security provisioning creates bottlenecks
• Lack of visibility into, or integration with, the virtualization console increases management complexity
(Figure: dormant, active and new VMs on the ESX Server)
Problem 4: Inter-VM Traffic
Inter-VM traffic
• NIDS / NIPS blind to intra-VM traffic
• First-generation security VMs require intrusive vSwitch changes
(Figure: VMs on two vSwitches; the network IDS / IPS sits outside the host and never sees the traffic between them)
Problem 5: VM Mobility
vMotion & vCloud:
• Reconfiguration required: cumbersome
• VMs of different sensitivities on the same server
• VMs in public clouds (IaaS) are unprotected
(Figure: VMs moving between vSwitches and hosts while the network IDS / IPS stays fixed)
Introducing VMsafe
(Figure: ESX Server with App/OS VMs; a Security VM providing Firewall, IDS / IPS, Anti-Virus and Integrity Monitoring attaches through the VMsafe APIs)
– Protect the VM by inspection of virtual components
– Unprecedented security for the app & data inside the VM
– Complete integration with, and awareness of, vMotion, Storage VMotion, HA, etc.
VMsafe™ APIs
CPU/Memory Inspection
• Inspection of specific memory pages
• Knowledge of the CPU state
• Policy enforcement through resource allocation
Networking
• View all IO traffic on the host
• Intercept, view, modify and replicate IO traffic
• Provide inline or passive protection
Storage
• Mount and read virtual disks (VMDK)
• Inspect IO read/writes to the storage devices
• Transparent to device & inline with ESX Storage stack
Security VM functions: Firewall, IDS / IPS, Anti-Malware, Integrity Monitoring, Log Inspection
The Trend Micro Approach
Comprehensive, coordinated protection for all VMs
• Local, agent-based protection in the VM
• Security VM that secures VMs from the outside
• Multiple protection capabilities
• Integrates with VMware vCenter and VMsafe
(Figure: ESX Server with dormant and active VMs; an Intrusion Defense security VM protects them through the VMsafe APIs)
1: Intrusion Defense VM - TM Deep Security
• Intrusion Defense provides IDS/IPS & firewall protection
• Integrates VMsafe-NET APIs (firewall & IDS/IPS)
• Enforces security policy
• Newly emerging VMs are automatically protected
2: Anti-Malware Scanning VM - TM Core Protection for VMs
• Anti-malware scanning for target VMs from outside
• Integrates VMsafe VDDK APIs to mount VM disk files
• Full scans of dormant & active VMs from the scanning VM
• Immunizes the protection agent from disruptive activities
How It Works: Stopping Conficker
(Figure: ESX Server with a Security VM (Firewall, IDS / IPS, Anti-Malware, Integrity Monitoring, Log Inspection) protecting dormant, active and infected VMs through the VMsafe APIs)
• Firewall: Limits which VMs can reach a VM with the vulnerable service
• IDS/IPS: Prevents MS08-067 exploits
• Anti-Malware: Detects and cleans Conficker
• Integrity Monitoring: Registry changes & service modifications
• Log Inspection: Brute force password attempts
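The "Log Inspection: Brute force password attempts" line above is a correlation rule rather than a single-event match: one failed logon is noise, several from one source inside a short window is an attack, and a success from that source right afterwards is the event worth paging on. The program below is an added example, not code from the deck or from Trend Micro's Deep Security rules, and the same shape serves the Log Inspection module described later ("important security events buried in multiple log entries"). It runs a threshold/window rule over constructed sshd syslog lines (the deck covers Linux as well as Windows hosts; Windows 4625/4624 logon events correlate the same way). The threshold of 5 failures in 120 seconds, the sample lines and the year-less timestamp arithmetic are assumptions.

```c
/* Added example, not from the original deck or from Trend Micro: the kind of
 * multi-line correlation a log inspection rule does for "brute force password
 * attempts". Input is constructed sshd syslog lines. Threshold, window and the
 * year-less timestamp handling are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define FAIL_THRESHOLD 5   /* failures from one source ...                */
#define WINDOW_SEC     120 /* ... within this many seconds = brute force  */
#define MAX_SOURCES    64

typedef struct { char ip[46]; long first, last; int fails; int alerted; } source_t;
typedef struct { source_t src[MAX_SOURCES]; int n; int alerts; } correlator_t;

/* Parse one sshd line such as
 * "Oct  1 03:00:01 srv01 sshd[2201]: Failed password for root from 10.0.0.5 port 51234 ssh2".
 * Returns 1 for a failed logon, 2 for an accepted one, 0 for anything else.
 * ts is seconds derived from month/day/time (syslog carries no year; assumed
 * monotonic within one log), user is the word before " from ", ip follows it. */
int parse_sshd(const char *line, long *ts, char user[64], char ip[46]) {
    static const char months[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
    char mon[4]; int day, h, m, s;
    const char *p, *msg, *from, *u; size_t n;
    if (sscanf(line, "%3s %d %d:%d:%d", mon, &day, &h, &m, &s) != 5) return 0;
    if (!(p = strstr(months, mon))) return 0;
    *ts = (((p - months) / 3) * 31L + day) * 86400L + h * 3600L + m * 60L + s;
    if (!(msg = strstr(line, "sshd[")) || !(from = strstr(msg, " from "))) return 0;
    if (sscanf(from, " from %45s", ip) != 1) return 0;
    for (u = from; u > msg && u[-1] != ' '; --u) ;  /* back up to the user name */
    n = (size_t)(from - u); if (n > 63) n = 63;
    memcpy(user, u, n); user[n] = '\0';
    if (strstr(msg, "Failed password for ")) return 1;
    if (strstr(msg, "Accepted password for ") || strstr(msg, "Accepted publickey for ")) return 2;
    return 0;
}

static source_t *source_for(correlator_t *c, const char *ip) {
    int i;
    for (i = 0; i < c->n; i++)
        if (strcmp(c->src[i].ip, ip) == 0) return &c->src[i];
    if (c->n == MAX_SOURCES) return NULL;
    memset(&c->src[c->n], 0, sizeof c->src[c->n]);
    strcpy(c->src[c->n].ip, ip);
    return &c->src[c->n++];
}

/* Feed one line. Returns 0 (nothing), 1 (threshold reached: brute-force alert,
 * raised once per window) or 2 (a success from a source that was just brute
 * forcing: the event to page on). alert receives the message text. */
int feed_line(correlator_t *c, const char *line, char *alert, size_t alert_len) {
    long ts; char user[64], ip[46];
    int kind = parse_sshd(line, &ts, user, ip);
    source_t *s;
    if (!kind || !(s = source_for(c, ip))) return 0;
    if (kind == 1) {
        if (s->fails == 0 || ts - s->first > WINDOW_SEC) {   /* start a new window */
            s->first = ts; s->fails = 0; s->alerted = 0;
        }
        s->fails++; s->last = ts;
        if (s->fails >= FAIL_THRESHOLD && !s->alerted) {
            s->alerted = 1; c->alerts++;
            snprintf(alert, alert_len, "ALERT brute force: %d failed logons from %s in %lds (last user '%s')",
                     s->fails, ip, ts - s->first, user);
            return 1;
        }
        return 0;
    }
    if (s->fails >= FAIL_THRESHOLD && ts - s->last <= WINDOW_SEC) {
        c->alerts++;
        snprintf(alert, alert_len, "CRITICAL brute force succeeded: %s logged in as '%s' after %d failures",
                 ip, user, s->fails);
        s->fails = 0; s->alerted = 0;
        return 2;
    }
    return 0;
}

/* Constructed sample log: five failures from 10.0.0.5 in eight seconds, then a
 * success from the same source, one unrelated key logon, one lone failure. */
static const char *const sample_log[] = {
    "Oct  1 03:00:01 srv01 sshd[2201]: Failed password for root from 10.0.0.5 port 51234 ssh2",
    "Oct  1 03:00:03 srv01 sshd[2203]: Failed password for invalid user admin from 10.0.0.5 port 51236 ssh2",
    "Oct  1 03:00:04 srv01 sshd[2204]: Accepted publickey for deploy from 10.0.0.9 port 40100 ssh2",
    "Oct  1 03:00:05 srv01 sshd[2205]: Failed password for root from 10.0.0.5 port 51238 ssh2",
    "Oct  1 03:00:07 srv01 sshd[2207]: Failed password for root from 10.0.0.5 port 51240 ssh2",
    "Oct  1 03:00:09 srv01 sshd[2209]: Failed password for administrator from 10.0.0.5 port 51242 ssh2",
    "Oct  1 03:00:15 srv01 sshd[2215]: Accepted password for administrator from 10.0.0.5 port 51244 ssh2",
    "Oct  1 03:30:00 srv01 sshd[2300]: Failed password for root from 192.0.2.7 port 6000 ssh2",
    NULL
};

/* Run the sample through a fresh correlator; returns the number of alerts. */
int run_sample(int verbose) {
    correlator_t c; char alert[256]; int i;
    memset(&c, 0, sizeof c);
    for (i = 0; sample_log[i]; i++)
        if (feed_line(&c, sample_log[i], alert, sizeof alert) && verbose)
            printf("%s\n", alert);
    return c.alerts;
}

int main(void) { return run_sample(1) == 2 ? 0 : 1; }
```

The sample produces two alerts: the fifth failure from 10.0.0.5 trips the threshold, and the password logon six seconds later from the same source is escalated because the correlator still remembers the burst. The lone failure from 192.0.2.7 and the key-based logon from 10.0.0.9 stay silent, which is the point of correlating across entries instead of matching each one.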
Benefits of Coordinated approach
• Layered and coordinated protection
• Closes security gaps in virtual environments
• Layer of isolation and immunity for the protection engine from target malware
• Baseline protection provided for VM sprawl
• Lower management complexity
• Provides cloud security
Available from Trend
• Trend Micro Core Protection for VMs (TODAY)
– Anti-malware protection for VMware virtual environments
• Trend Micro Deep Security 6 (TODAY)
– Firewall, IDS/IPS, Integrity Monitoring & Log Inspection
– Runs in VMs with vCenter integration
• Trend Micro Deep Security 7 (OCT 2009)
– Virtual Appliance complements agent-based protection
Trend Micro Deep Security Modules
Firewall
• Centralized management of server firewall policy
• Pre-defined templates for common enterprise server types
• Fine-grained filtering: IP & MAC addresses, Ports
• Coverage of all IP-based protocols: TCP, UDP, ICMP, IGMP …
Deep Packet Inspection
• Enables IDS / IPS, Web App Protection, Application Control, Virtual Patching
• Examines incoming & outgoing traffic for: protocol deviations, content that signals an attack, policy violations
Log Inspection
• Collects & analyzes operating system and application logs for security events
• Rules optimize the identification of important security events buried in multiple log entries
Integrity Monitoring
• Monitors critical files, systems and registry for changes
• Critical OS and application files (files, directories, registry keys and values)
• Flexible, practical monitoring through includes/excludes
• Auditable reports
Deep Security: Platforms protected
Windows
• Windows 2000
• Windows XP, 2003 (32 & 64 bit)
• Vista (32 & 64 bit)
• Windows Server 2008 (32 & 64 bit)
• Hyper-V (Guest VM)
Solaris
• 8, 9, 10 on SPARC
• 10 on x86 (64 bit)
• Solaris 10 partitions
Linux
• Red Hat 3
• Red Hat 4, 5 (32 & 64 bit)
• SuSE 9, 10
VMware
• VMware ESX Server (Guest VM)
• Virtual Center integration
Xen
• XenServer Guest VM
HP-UX / AIX (Integrity Monitoring & Log Inspection modules)
• HP-UX 11i v2
• AIX 5.3
Trend Micro Core Protection for Virtual Machines
More Protection
• First virtualization-aware anti-malware product in the market
• Secures dormant and active VMs efficiently
• New VMs auto-scanned on creation and auto-assigned to a scanning VM
• Supports VI3 and vSphere 4 (needs vCenter)
Less Complexity
• Flexible Management: Through standalone web console, as a plugin to Trend Micro OfficeScan or through VMware vCenter
• Flexible Configuration: Can be configured with multiple scanning VMs on any ESX/ESXi (or physical) server
• Flexible Deployment: CPVM can be set up to co-exist with OSCE or competitive products if necessary (not ideal*)
CPVM System Requirements
References
– Security Design of the VMware Infrastructure 3 Architecture (http://www.vmware.com/resources/techresources/727)
– VMware Infrastructure 3 Security Hardening (http://www.vmware.com/vmtn/resources/726)
– Managing VMware VirtualCenter Roles and Permissions (http://www.vmware.com/resources/techresources/826)
– DISA STIG and Checklist for VMware ESX (http://iase.disa.mil/stigs/stig/esx_server_stig_v1r1_final.pdf) (http://iase.disa.mil/stigs/checklist/esx_server_checklist_v1r1_30_apr_2008.pdf)
– CIS (Center for Internet Security) Benchmark (http://www.cisecurity.org/bench_vm.html)
– Xtravirt Virtualization Security Risk Assessment (http://www.xtravirt.com/index.php?option=com_remository&Itemid=75&func=fileinfo&id=15)
Other Sources:
TNL article on Virtualization:
http://tnl.trendmicro.com.ph/tnl_articles.php?id=242&action=view
Related blog entries:
http://blog.trendmicro.com/vmware-bug-provides-escape-hatch/
http://blog.trendmicro.com/rootkits-get-more-physical/
Always remember
It's not important how hard you work,
It is important how smart you work!
Thank You
jerome_law@trendmicro.co.uk
+44 7979 993377