It seems Microsoft is desperate to show it is not alone in selling products prone to security problems. This time it has co-authored a report showing that virtual machines can be used to host malware, even on Linux systems.
Of course, if a virtual machine hosts malware it is all but impossible for current security software to detect it. But in the words of Dad’s Army’s Corporal Jones, “Don’t panic,” because, as always, the devil is in the detail.
The idea behind the report is that an attacker could install virtual machines (VMs) onto a victim’s computer. These VMs, the report warns, could be used to host malware such as keystroke loggers or Trojan software to enable eavesdropping on the host operating system.
But the attacker would need to modify the original kernel, because kernels and virtualisation software are not designed to let data flow between the various operating systems that may be running on them. More than this, it is actually the hacked operating system kernel that first sees the keystroke data, for example, and then passes it on to a hacker’s virtual machine for further processing or reporting.
But hacking an operating system kernel would not be easy, or at least, it should not be easy. Installing any software onto a Windows or Linux system requires the install software to be run with system administration rights, and these are not normally available to processes launched by users.
Of course, security vulnerabilities, for which Windows is famous, could be exploited to patch a kernel, but this seems to be a somewhat circular argument – you could hack a kernel and thus install a virtual keylogger onto any system, provided it was already vulnerable.
Somewhere near the top of page four, the report admits that to install malware, the authors first needed to modify the host operating system’s kernel, and to modify the Windows-based virtual machine monitor software. As you know, a Virtual Memory Manager (VMM) is a piece of software that shares a computer’s resources, such as its disk, RAM and keyboard, with various virtual machines running on it. The authors did not need to modify the Linux-based VMM, but they didn’t give details about why this step could be missed out when working with a Linux system.
The report also seems to overlook the fact that we are about to enter a brave new world of hardware-assisted virtualisation, where extra hardware in Intel and AMD processors could be used to identify and list the various virtual machines running on the hardware. So this particular window of opportunity for hackers should be fairly small.
Nonetheless, the report makes interesting reading. It draws attention to some benign, profitable applications of VM technology to debug software and to host intrusion detection systems.
And anything that makes IT managers more aware of how hackers can access sensitive data is probably a good thing.
