Trend Micro Virtualization Security

Jerome Law
EMEA Solutions Architect

Uploaded Dec 10, 2013
08/25/09

What is a Hypervisor?

Hypervisors are a “meta” operating system in a virtualized environment. They have access to all physical devices in a server, including all disk and memory. Hypervisors both schedule access to these devices and help to protect clients from each other. A server first starts to execute the hypervisor, which then loads each of the virtual machine client operating systems, allocating the appropriate amount of memory, CPU usage, network bandwidth and disk space for each of the VMs.

VMs make requests to the hypervisor through several different methods, usually involving a specific API call. These APIs are prime targets for malicious code, so substantial effort is made by all hypervisors to ensure that the APIs are secure, and that only authentic (authenticated and authorized) requests are made from the VMs. This is a critical path function. It should be noted, however, that speed is a significant requirement in all hypervisors, to ensure that the overall performance is not impacted.

12/10/2013 Confidential

What the Bad Guys are Doing

They hijack computers and misuse them for commercial purposes.

[Diagram: Trigger -> Downloader -> Infection -> Downloading components -> Interaction with server -> WEB -> $$$$]

Underground Virtualization

[Diagram of layers: Operating System / Hypervisor / Virtualization]

Underground economy

Copyright 2008 Trend Micro Inc. 04/04/08

Asset                                                      Going-rate
Pay-out for each unique adware installation                30 cents in the United States, 20 cents in Canada, 10 cents in the UK, 2 cents elsewhere
Malware package, basic version                             $1,000 - $2,000
Malware package with add-on services                       Varying prices starting at $20
Exploit kit rental, 1 hour                                 $0.99 to $1
Exploit kit rental, 2.5 hours                              $1.60 to $2
Exploit kit rental, 5 hours                                $4, may vary
Undetected copy of a certain information-stealing Trojan   $80, may vary
Distributed Denial of Service attack                       $100 per day
10,000 compromised PCs                                     $1,000
Stolen bank account credentials                            Varying prices starting at $50
1 million freshly-harvested emails (unverified)            $8 up, depending on quality

Sample data from research on the underground digital economy in 2007

Problem

- Every 2 seconds a new malware threat is created
- 79% of websites hosting malicious code are legitimate, thus compromised by hackers
- 59% view their organization’s Web gateway security solutions as only somewhat effective, not very effective or not at all effective in protecting against web-borne threats
- 23% of the average user’s day at work is spent doing something on the Web
- 45% of the 100 most popular websites support user generated content

Web2.0
- 60% infected with malware
- 42% are prepared to deal with the risks of Web2.0 in order to capitalize on its business benefits (i.e. allow access to social networking sites etc)

And who’s behind?

Compromised ISP subnets owned by --> ARUBA.IT (and Vortech)
  IP Location: Italy
  Resolve Host: *.in-addr.arpa. 10799 IN PTR webx90.aruba.it.
  Blacklist Status: Clear
  OrgName: RIPE Network Coordination Centre
  OrgID: RIPE
  Address: P.O. Box 10096
  City: Amsterdam
  StateProv:
  PostalCode: 1001EB
  Country: NL

IFRAME redirector from compromised site --> HostFresh, HK
  IP Location: Hong Kong, Hostfresh
  Blacklist Status: Clear
  Whois Record
  person: Piu Lo
  nic-hdl: PL466-AP
  e-mail: ipadmin@hostfresh.com
  address: No. 500, Post Office, Tuen Mun, N.T., Hong Kong
  phone: +852-35979788
  fax-no: +852-24522539
  country: HK

Other downloaded malware from various sites. For example, 58.65.239.180 is announced by Atrivo / Intercage, an infamous hosting company in the Bay Area. It is an APNIC IP address, but the physical location of servers using IP addresses in the range 58.65.238.0/23 is the Bay Area, in a datacenter in San Francisco at Paul Avenue.

Control and monitoring server --> FasterServers, Chicago, IL
  IP Location: United States, Chicago, Fastservers Inc
  Resolve Host: <snip> TRUMAN.DNSPATHING.COM.
  Blacklist Status: Clear
  Whois Record
  OrgName: FastServers, Inc.
  OrgID: FASTS-1
  Address: 175 W. Jackson Blvd
  Address: Suite 1770
  City: Chicago
  StateProv: IL
  PostalCode: 60604
  Country: US

MPACK Details

- Created by the same group who created the WebAttacker Toolkit
- Current Version: 0.90
- They guarantee that the released version is QA'd against AV software
- MPACK kit sells for 700 USD; if Dream Downloader is included, 1000 USD
- New exploits integrated in MPACK cost between 50-150 USD depending on the severity/spread of the vulnerability

DreamDownloader is an automatic file downloader triggered by MPACK:
- It bypasses several FWs
- Disables some antivirus
- Uses anti-debug techniques
- Detects virtual machines
- Uses several packers to avoid detection

ZLOB Infection Business Model

How it works

1. You send surfers to videoscash's sites/galleries/videos in any possible way.
2. Surfers trying to view free videos, but "seems like" they have no appropriate video codec installed. And they are offered to download it.
3. Once they download and install the video codec you get $0.02 - $0.26 (depends on the surfer's country).
4. Twice a month you get paid via Epassporte, Wire transfer, Fethard or Webmoney with no hold!

Source: Underground Webpage

Changing Threat Environment

More profitable
  $100 billion: Estimated profits from global cybercrime
  -- Chicago Tribune, 2008

More sophisticated, malicious & stealthy
  “95% of 285 million records stolen in 2008 were the result of highly skillful attacks”
  “Breaches go undiscovered and uncontained for weeks or months in 75% of cases.”
  -- Verizon Breach Report, 2009

More frequent
  “We receive 40000 attacks per hour on a typical morning”
  -- Cleveland Clinic Health System @ HIMSS 2006

More targeted
  “Harvard and Harvard Medical School are attacked every 7 seconds, 24 hours a day, 7 days a week.”
  -- John Halamka, CIO

PCI DSS

- Layered and coordinated protection
- Closes security gaps in virtual environments
- Layer of isolation and immunity for the protection engine from target malware
- Baseline protection provided for VM sprawl
- Lower management complexity
- Provides cloud security

What NOT to worry about

Hypervisor Attacks
- Examples: Blue Pill, SubVirt, etc.
- These are ALL theoretical, highly complex attacks
- Widely recognized by the security community as being only of academic interest

Irrelevant Architectures
- Example: numerous reports claiming guest escape
- Apply only to hosted architecture (e.g. Workstation), not bare-metal (i.e. ESX)
- Hosted architecture generally suitable only when you can trust the guest VM

Contrived Scenarios
- Example: VMotion intercept
- Involved exploits where
  - Best practices around hardening, lockdown, design for virtualization etc. not followed, or
  - Poor general IT infrastructure security is assumed


[Figure: SBL listings by network. Source: Spamhaus Blocklist (SBL) database. Data is compiled automatically every 24 hours from the SBL database and sorted by the number of currently listed SBL records for each network (ISP/NSP).]



Some malware that uses anti-VMware tactics: TROJ_CONYCSPA.M

- This Trojan may be downloaded from the Internet. It may also be dropped by another malware.
- It contains an anti-debugging technique to check if the system runs on the virtual platform VMWARE. It does the said routine by checking for a file related to VMware. If it is running in the said virtual platform, it does not proceed with its malicious routines.
- It exports functions that enable it to send spammed email messages using its own Simple Mail Transfer Protocol (SMTP) engine.

Some malware that uses anti-VMware tactics: PE_CORELINK.C-O

- This file infector checks if the infected system is running on VMware or on a virtual machine environment. It does its checking by comparing the reply on the port. If the reply returns "VMXh", it adjusts its privileges so that it shuts down the affected system.
- Propagates via network shares and removable drives
- Downloads TROJ_ALMANAHE.V
- Upon execution, it decrypts the embedded rootkit files NVMINI.SYS and CDRALW.SYS, detected by Trend Micro as TROJ_AGENT.THK.

Some malware that uses anti-VMware tactics: TROJ_KAKKEYS.S

- Gathers the contact list from the Windows Messenger and Windows Address Book (WAB), as well as the contents of certain .TXT files located in the Winny installation folder.
- It sends the stolen information to the 2CH.NET Bulletin Boards by posting a message to the said boards.
- Terminates itself if VMWARE is installed. It does the said routine by checking the following registry subkey:
  HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
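As an added example (not code from the deck or from Trend Micro), the following Python triage script scans a file image for the three VMware artifacts the last three slides describe: the "VMXh" port reply value, the VMware Tools registry subkey, and a VMware-related file name. The exact file name TROJ_CONYCSPA.M looks for is not given, so the generic "vmware" substring and the SAMPLE buffer are constructed assumptions; the UTF-16LE and little-endian-immediate forms are added because that is how such strings usually sit inside a Windows binary.

```python
"""Triage scan for the anti-VMware artifacts described on the slides.
Added example, not the deck's or Trend Micro's code: "VMXh" (PE_CORELINK.C-O),
the VMware Tools subkey (TROJ_KAKKEYS.S), a VMware file name (TROJ_CONYCSPA.M)."""
import re
import sys
from collections import namedtuple
from typing import List

Hit = namedtuple("Hit", "indicator encoding offset")

# (name, bytes to look for, case-sensitive?)
INDICATORS = [
    ("vmware-io-port-magic", b"VMXh", True),     # ASCII form of 0x564D5868
    ("vmware-io-port-magic-le", b"hXMV", True),  # same value as a little-endian x86 immediate
    ("vmware-tools-regkey", rb"SOFTWARE\VMware, Inc.\VMware Tools", False),
    ("vmware-file-name", b"vmware", False),      # assumption: the slide names no specific file
]

def _compile_patterns():
    """Compile each indicator as raw bytes and, for text indicators, also as
    UTF-16LE, which is how Windows binaries usually store registry paths."""
    patterns = []
    for name, raw, case_sensitive in INDICATORS:
        flags = 0 if case_sensitive else re.IGNORECASE
        patterns.append((name, "ascii", re.compile(re.escape(raw), flags)))
        if not case_sensitive:
            wide = raw.decode("ascii").encode("utf-16-le")
            patterns.append((name, "utf-16le", re.compile(re.escape(wide), flags)))
    return patterns

PATTERNS = _compile_patterns()

def find_anti_vm_indicators(data: bytes) -> List[Hit]:
    """Every indicator hit, dropping hits nested inside a longer one (the
    file-name substring would otherwise fire inside the registry path)."""
    spans = []
    for name, encoding, pattern in PATTERNS:
        for m in pattern.finditer(data):
            spans.append((m.start(), m.end(), name, encoding))
    spans.sort(key=lambda s: (s[0], -(s[1] - s[0])))  # longest match first per offset
    accepted = []
    for start, end, name, encoding in spans:
        if any(a <= start and end <= b for a, b, _, _ in accepted):
            continue
        accepted.append((start, end, name, encoding))
    return [Hit(name, encoding, start) for start, end, name, encoding in accepted]

def summarize(data: bytes) -> List[str]:
    """Distinct indicator names present, sorted, for a quick triage verdict."""
    return sorted({hit.indicator for hit in find_anti_vm_indicators(data)})

# Constructed sample image (not a real binary): an x86 `mov eax, 0x564D5868`,
# the registry subkey stored as UTF-16LE, and a VMware-looking path.
SAMPLE = (
    b"\x90" * 16
    + b"\xb8hXMV"
    + b"\x00" * 8
    + "SOFTWARE\\VMware, Inc.\\VMware Tools".encode("utf-16-le")
    + b"\x00" * 8
    + b"C:\\constructed\\VMware\\sample.dat\x00"
)

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for hit in find_anti_vm_indicators(image):
        print(f"{hit.offset:#010x}  {hit.encoding:8}  {hit.indicator}")
    print("verdict:", ", ".join(summarize(image)) or "no anti-VM artifacts found")
```

Run it with a file path to scan a sample; without arguments it scans the constructed buffer.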


Other related VE entries

Grayware (5)
- CRCK_VMWARE.B
- CRCK_VMWARE.C
- TSPY_GOLDUN.CD
- TSPY_KAKKEYS.AE
- TSPY_KAKKEYS.AK

Other related VE entries

Malware (30)
- BKDR_HAXDOOR.DE
- BKDR_HAXDOOR.FR
- BKDR_HAXDOOR.IV
- BKDR_HAXDOOR.JH
- BKDR_SDBOT.LP
- JS_RESETTABLE.A
- PE_CORELINK.C-O
- TROJ_AGENT.BRS
- TROJ_CONYCSPA.M
- TROJ_DLOADER.CPI
- TROJ_KAKKEYS.P
- TROJ_KAKKEYS.S
- TROJ_KAKKEYS.V
- TROJ_LDPINCH.DX
- TROJ_VMKILLER.B
- TROJ_VMWARE.A
- WORM_AGOBOT.CW
- WORM_ARIVER.A
- WORM_IRCBOT.AW
- WORM_IXBOT.A
- WORM_NUWAR.AOP
- WORM_RBOT.ENZ
- WORM_SDBOT.CDL
- WORM_SDBOT.CKI
- WORM_SDBOT.CMH

WTC Stats

The infection count on the VMWare malware family increased from last year’s 1234 to 1304.

[Figure 4. Infection count on VMWARE Malware Family]


Are there any Hypervisor Attack Vectors?

There are currently no known hypervisor attack vectors to date that have led to “VM Escape”.

- Architectural Vulnerability: Designed specifically with Isolation in Mind
- Software Vulnerability: Possible, like with any code written by humans
- Mitigating Circumstances:
  - Small Code Footprint of Hypervisor (~32MB) is Easier to Audit
  - If a software vulnerability is found, exploit difficulty will be very high
  - Purpose Built for Virtualization Only
  - Non-interactive environment
  - Less Code for Hackers to Leverage
- Ultimately Depends on VMware Security Response and Patching

Concern: Virtualizing the DMZ / Mixing Trust Zones

Three Primary Configurations:
- Physical Separation of Trust Zones
- Virtual Separation of Trust Zones with Physical Security Devices
- Fully collapsing all servers and security devices into a VI3 infrastructure

Also Applies to PCI Requirements 2.2.1, 1.1.x, 6.3.2, and 6.3.3


“How do you secure a virtualized environment”


“How do you virtualize all of the security infrastructure in
an organization”


“What do you call something that inspects memory
inside of VM and inspects traffic and correlates the
results? We don’t really have a definition for that today,
because it was impossible, so we never considered it.”

Questions?

How do we secure our Virtual Infrastructure?

Use the Principles of Information Security
- Hardening and Lockdown
- Defense in Depth
- Authorization, Authentication, and Accounting
- Separation of Duties and Least Privileges
- Administrative Controls

Securing Virtual Machines
- Host: Anti-Virus, Patch Management
- Network: Intrusion Detection/Prevention (IDS/IPS), Firewalls

Provide Same Protection as for Physical Servers

Secure Design for Virtualization Layer

Fundamental Design Principles
- Isolate all management networks
- Disable all unneeded services
- Tightly regulate all administrative access

Enforce Strong Access Controls

Security Principle      Implementation in VI
Least Privileges        Roles with only required privileges
Separation of Duties    Roles applied only to required objects

[Diagram: roles Administrator, Operator and User assigned to users Anne, Harry and Joe]

Maintain Tight Administrative Controls

Requirement                                       Example Products
Configuration management, monitoring, auditing    Tripwire Enterprise for VMware ESX; NetIQ Secure Configuration Manager; Configuresoft ECM for Virtualization
Track and Manage VM                               VMware Lifecycle Manager; VMware Stage Manager
Updating of offline VMs                           VMware Update Manager; Trend Micro Big Fix (ESP)
Virtual network security                          Third Brigade / Trend Micro

Diverse and growing ecosystem of products to help provide secure VMware Infrastructure

Overview

- Trend Micro Solution
- Datacenter trends
- Securing VMs
- Traditional approach
- Problems
- VMsafe
- The Trend Micro approach
- Architecture
- Trend Micro Deep Security
- Trend Micro Core Protection for VMs

5/28/2009

Trends in the Datacenter

Physical: Servers under pressure
Virtualized: Servers virtual and in motion
Cloud: Servers in the open

Securing Virtual Servers the Traditional Way

[Diagram: ESX Server hosting VMs (App / OS, each with its own AV agent) and a network IDS / IPS in front of the host]

- Anti-virus: local, agent-based protection in the VM
- IDS / IPS: network-based device or software solution

VMs Need Specialized Protection

Same threats in virtualized servers as physical, plus new challenges:

1. Dormant VMs
2. Resource contention
3. VM Sprawl
4. Inter-VM traffic
5. vMotion

Problem 1: Dormant VMs are unprotected

Dormant VMs include VM templates and backups:
- Cannot run scan agents, yet still can get infected
- Stale AV signatures

[Diagram: ESX Server with active VMs (App / OS / AV) and dormant VMs]

Problem 2: Full System Scans

[Diagram: ESX Server with VMs each running an AV agent; a typical AV console schedules a 3:00am scan on all of them]

Resource Contention with Full System Scans
- Existing AV solutions are not VM aware
- Simultaneous full AV scans on the same host cause severe performance degradation
- No isolation between malware and anti-malware

Problem 3: VM Sprawl

[Diagram: ESX Server with dormant, active and new VMs]

Managing VM Sprawl
- Security weaknesses replicate quickly
- Security provisioning creates bottlenecks
- Lack of visibility into, or integration with, the virtualization console increases management complexity

Problem 4: Inter-VM Traffic

Inter-VM traffic
- NIDS / NIPS blind to intra-VM traffic
- First-generation security VMs require intrusive vSwitch changes

[Diagram: dormant and active VMs on two vSwitches inside the ESX Server; the network IDS / IPS sits outside the host]

Problem 5: VM Mobility

vMotion & vCloud:
- Reconfiguration required: cumbersome
- VMs of different sensitivities on the same server
- VMs in public clouds (IaaS) are unprotected

[Diagram: VMs moving between vSwitches and hosts, with the network IDS / IPS outside]

Introducing VMsafe

[Diagram: ESX Server with guest VMs (App / OS) and a Security VM attached through the VMsafe APIs; the Security VM provides Firewall, IDS / IPS, Anti-Virus and Integrity Monitoring]

- Protect the VM by inspection of virtual components
- Unprecedented security for the app & data inside the VM
- Complete integration with, and awareness of, vMotion, Storage VMotion, HA, etc.

VMsafe™ APIs

CPU/Memory Inspection
- Inspection of specific memory pages
- Knowledge of the CPU state
- Policy enforcement through resource allocation

Networking
- View all IO traffic on the host
- Intercept, view, modify and replicate IO traffic
- Provide inline or passive protection

Storage
- Mount and read virtual disks (VMDK)
- Inspect IO reads/writes to the storage devices
- Transparent to device & inline with ESX Storage stack

[Security VM box: Firewall, IDS / IPS, Anti-Malware, Integrity Monitoring, Log Inspection]

The Trend Micro Approach

[Diagram: ESX Server with dormant and active VMs and an Intrusion Defense security VM connected through the VMsafe APIs]

Comprehensive, coordinated protection for all VMs
- Local, agent-based protection in the VM
- Security VM that secures VMs from the outside
- Multiple protection capabilities
- Integrates with VMware vCenter and VMsafe

1: Intrusion Defense VM - TM Deep Security

[Diagram: Intrusion Defense VM attached to the guest VMs through the VMsafe APIs]

- Intrusion Defense provides IDS/IPS & firewall protection
- Integrates VMsafe-NET APIs (firewall & IDS/IPS)
- Enforces security policy
- Newly emerging VMs are automatically protected

2: Anti-Malware Scanning VM - TM Core Protection for VMs

[Diagram: scanning VMs attached to the guest VMs through the VMsafe APIs]

- Anti-malware scanning for target VMs from outside
- Integrates VMsafe VDDK APIs to mount VM disk files
- Full scans of dormant & active VMs from the scanning VM
- Immunizes the protection agent from disruptive activities

How It Works: Stopping Conficker

[Diagram: ESX Server with dormant, active and infected VMs; the Security VM (Firewall, IDS / IPS, Anti-Malware, Integrity Monitoring, Log Inspection) is connected through the VMsafe APIs]

- Firewall: limits VMs accessing a VM with the vulnerable service
- IDS/IPS: prevents MS08-067 exploits
- Anti-Malware: detects and cleans Conficker
- Integrity Monitoring: registry changes & service modifications
- Log Inspection: brute force password attempts

Benefits of Coordinated Approach

- Layered and coordinated protection
- Closes security gaps in virtual environments
- Layer of isolation and immunity for the protection engine from target malware
- Baseline protection provided for VM sprawl
- Lower management complexity
- Provides cloud security

Available from Trend

TODAY
- Trend Micro Core Protection for VMs: anti-malware protection for VMware virtual environments
- Trend Micro Deep Security 6: Firewall, IDS/IPS, Integrity Monitoring & Log Inspection; runs in VMs with vCenter integration

OCT 2009
- Trend Micro Deep Security 7: virtual appliance complements agent-based protection

Trend Micro Deep Security Modules

12/10/2013 Internal Training

Firewall
- Centralized management of server firewall policy
- Pre-defined templates for common enterprise server types
- Fine-grained filtering: IP & MAC addresses, ports
- Coverage of all IP-based protocols: TCP, UDP, ICMP, IGMP …

Deep Packet Inspection
- Enables IDS / IPS, Web App Protection, Application Control, Virtual Patching
- Examines incoming & outgoing traffic for:
  - Protocol deviations
  - Content that signals an attack
  - Policy violations

Log Inspection
- Collects & analyzes operating system and application logs for security events
- Rules optimize the identification of important security events buried in multiple log entries

Integrity Monitoring
- Monitors critical files, systems and registry for changes
- Critical OS and application files (files, directories, registry keys and values)
- Flexible, practical monitoring through includes/excludes
- Auditable reports

Deep Security: Platforms protected

Windows
- Windows 2000
- Windows XP, 2003 (32 & 64 bit)
- Vista (32 & 64 bit)
- Windows Server 2008 (32 & 64 bit)
- HyperV (Guest VM)

Solaris
- 8, 9, 10 on SPARC
- 10 on x86 (64 bit)
- Solaris 10 partitions

Linux
- Red Hat 3
- Red Hat 4, 5 (32 & 64 bit)
- SuSE 9, 10

Virtualization
- VMware ESX Server (Guest VM)
- Virtual Center integration
- XenServer Guest VM

Unix (Integrity Monitoring & Log Inspection modules)
- HP-UX 11i v2
- AIX 5.3

Trend Micro Core Protection for Virtual Machines

More Protection
- First virtualization-aware anti-malware product in the market
- Secures dormant and active VMs efficiently
- New VMs auto-scanned on creation and auto-assigned to a scanning VM
- Supports VI3 and vSphere 4 (needs vCenter)

Less Complexity
- Flexible Management: through standalone web console, as a plugin to Trend Micro OfficeScan or through VMware vCenter
- Flexible Configuration: can be configured with multiple scanning VMs on any ESX/ESXi (or physical) server
- Flexible Deployment: CPVM can be set up to co-exist with OSCE or competitive products if necessary (not ideal*)

CPVM System Requirements

References

- Security Design of the VMware Infrastructure 3 Architecture (http://www.vmware.com/resources/techresources/727)
- VMware Infrastructure 3 Security Hardening (http://www.vmware.com/vmtn/resources/726)
- Managing VMware VirtualCenter Roles and Permissions (http://www.vmware.com/resources/techresources/826)
- DISA STIG and Checklist for VMware ESX (http://iase.disa.mil/stigs/stig/esx_server_stig_v1r1_final.pdf, http://iase.disa.mil/stigs/checklist/esx_server_checklist_v1r1_30_apr_2008.pdf)
- CIS (Center for Internet Security) Benchmark (http://www.cisecurity.org/bench_vm.html)
- Xtravirt Virtualization Security Risk Assessment (http://www.xtravirt.com/index.php?option=com_remository&Itemid=75&func=fileinfo&id=15)

Other Sources:
- TNL article on Virtualization: http://tnl.trendmicro.com.ph/tnl_articles.php?id=242&action=view
- Related blog entries:
  http://blog.trendmicro.com/vmware-bug-provides-escape-hatch/
  http://blog.trendmicro.com/rootkits-get-more-physical/

Always remember

It‘s not important how hard you work, it is important how smart you work!

Thank You

jerome_law@trendmicro.co.uk
+44 7979 993377