1
Trend Micro Virtualization Security
Jerome Law EMEA Solutions Architect
2
What is a Hypervisor?
Hypervisors are a "meta" operating system in a virtualized environment. They have access to all physical devices in a server, including all disk and memory. Hypervisors both schedule access to these devices and help to protect clients from each other. A server first starts to execute the hypervisor, which then loads each of the virtual machine client operating systems, allocating the appropriate amount of memory, CPU usage, network bandwidth and disk space to each VM. VMs make requests to the hypervisor through several different methods, usually involving a specific API call. These APIs are prime targets for malicious code, so substantial effort is made in all hypervisors to ensure that the APIs are secure and that only authentic (authenticated and authorized) requests are accepted from the VMs. This is a critical-path function. It should be noted, however, that speed is a significant requirement in all hypervisors, to ensure that overall performance is not impacted.
3
What the Bad Guys are Doing
They hijack computers and misuse them for commercial purposes.
(Diagram: downloader infection, downloading components, interaction with server, trigger, web, $$$$.)
4
Underground Virtualization
(Diagram: operating system, virtualization, hypervisor.)
5
Underground economy

Asset / Going-rate
- Pay-out for each unique adware installation: 30 cents in the United States, 20 cents in Canada, 10 cents in the UK, 2 cents elsewhere
- Malware package, basic version: $1,000 to $2,000
- Malware package with add-on services: varying prices starting at $20
- Exploit kit rental, 1 hour: $0.99 to $1
- Exploit kit rental, 2.5 hours: $1.60 to $2
- Exploit kit rental, 5 hours: $4, may vary
- Undetected copy of a certain information-stealing Trojan: $80, may vary
- Distributed Denial of Service attack: $100 per day
- 10,000 compromised PCs: $1,000
- Stolen bank account credentials: varying prices starting at $50
- 1 million freshly-harvested s (unverified): $8 up, depending on quality

Sample data from research on the underground digital economy in 2007. Copyright Trend Micro Inc.
6
Problem
Every 2 seconds a new malware threat is created.
- 79% of websites hosting malicious code are legitimate, i.e. compromised by hackers
- 59% view their organization's Web gateway security solutions as only somewhat effective, not very effective or not at all effective in protecting against web-borne threats
- 23% of the average user's day at work is spent doing something on the Web
- 45% of the 100 most popular websites support user generated content (Web 2.0)
- 60% infected with malware
- 42% are prepared to deal with the risks of Web 2.0 in order to capitalize on its business benefits (i.e. allow access to social networking sites etc.)

Speaker notes: While URL filtering is a useful adjunct to a primary system designed to protect against Web threats, the inability of URL filtering to protect against new and zero-hour threats is seemingly underestimated by many corporate decision makers.
Sources: TrendLabs (Web threats are increasing exponentially); Osterman (23% = over 2 hours of a 9-hour day); Economist (EU Survey on Technology, Democracy and Web 2.0).
7
And who's behind?
- Compromised ISP subnets, owned by ARUBA.IT (and Vortech). IP location: Italy. Resolved host (PTR): webx90.aruba.it. Blacklist status: clear. Registry: RIPE Network Coordination Centre, Amsterdam, NL.
- IFRAME redirector from a compromised site, hosted at HostFresh, HK. IP location: Hong Kong, Hostfresh. Blacklist status: clear. Whois contact: Piu Lo (PL466-AP), Tuen Mun, N.T., Hong Kong.
- Other downloaded malware from various sites. One example is announced by Atrivo / Intercage, an infamous hosting company in the Bay Area. It is an APNIC IP address, but the physical location of servers using IP addresses in that /23 range is a datacenter on Paul Avenue in San Francisco.
- Control and monitoring server, hosted at FastServers, Chicago, IL. IP location: United States, Chicago, FastServers Inc. Resolved host: <snip>TRUMAN.DNSPATHING.COM. Blacklist status: clear. Whois: FastServers, Inc. (FASTS-1), W. Jackson Blvd, Suite 1770, Chicago, IL 60604, US.
8
MPACK Details
- Created by the same group that created the WebAttacker Toolkit
- Current version: 0.90
- They guarantee that the released version is QA'd against AV software
- The MPACK kit sells for 700 USD, or 1000 USD if Dream Downloader is included
- New exploits integrated in MPACK cost between … USD, depending on the severity/spread of the vulnerability
- DreamDownloader is an automatic file downloader triggered by MPACK. It bypasses several firewalls, disables some antivirus products, uses anti-debug techniques, detects virtual machines, and uses several packers to avoid detection.
9
ZLOB Infection Business model
How it works (source: underground webpage)
1. You send surfers to videoscash's sites/galleries/videos in any possible way.
2. Surfers try to view free videos, but it "seems like" they have no appropriate video codec installed, and they are offered to download it.
3. Once they download and install the video codec you get $0.26 (depends on the surfer's country).
4. Twice a month you get paid via Epassporte, wire transfer, Fethard or Webmoney with no hold!
10
Changing Threat Environment
- More profitable: $100 billion estimated profits from global cybercrime (Chicago Tribune, 2008)
- More sophisticated, malicious & stealthy: "95% of 285 million records stolen in 2008 were the result of highly skillful attacks"; "Breaches go undiscovered and uncontained for weeks or months in 75% of cases." (Verizon Breach Report, 2009)
- More frequent: "We receive attacks per hour on a typical morning" (Cleveland Clinic Health, HIMSS 2006)
- More targeted: "Harvard and Harvard Medical School are attacked every 7 seconds, 24 hours a day, 7 days a week." (John Halamka, CIO)
11
Layered and coordinated protection
PCI DSS
- Layered and coordinated protection
- Closes security gaps in virtual environments
- Layer of isolation and immunity for the protection engine from target malware
- Baseline protection provided for VM sprawl
- Lower management complexity
- Provides cloud security
12
Irrelevant Architectures
What NOT to worry about
- Hypervisor attacks. Examples: Blue Pill, SubVirt, etc. These are ALL theoretical, highly complex attacks, widely recognized by the security community as being only of academic interest.
- Irrelevant architectures. Example: numerous reports claiming guest escape. These apply only to hosted architectures (e.g. Workstation), not bare-metal (i.e. ESX); a hosted architecture is generally suitable only when you can trust the guest VM.
- Contrived scenarios. Example: VMotion intercept. These involve exploits where best practices around hardening, lockdown and design for virtualization were not followed, or where poor general IT infrastructure security is assumed.
14
Some malware that uses anti-VMware tactics:
TROJ_CONYCSPA.M: This Trojan may be downloaded from the Internet. It may also be dropped by other malware. It contains an anti-debugging technique to check whether the system runs on the virtual platform VMware, by checking for a file related to VMware. If it is running in that virtual platform, it does not proceed with its malicious routines. It exports functions that enable it to send spammed messages using its own Simple Mail Transfer Protocol (SMTP) engine.
15
Some malware that uses anti-VMware tactics:
PE_CORELINK.C-O: This file infector checks whether the infected system is running on VMware or in a virtual machine environment. It does its checking by comparing the reply it gets on a port; if the reply returns "VMXh", it adjusts its privileges so that it shuts down the affected system. It propagates via network shares and removable drives, and downloads TROJ_ALMANAHE.V. Upon execution, it decrypts the embedded rootkit files NVMINI.SYS and CDRALW.SYS, detected by Trend Micro as TROJ_AGENT.THK.
16
Some malware that uses anti-VMware tactics:
TROJ_KAKKEYS.S: Gathers the contact list from Windows Messenger and the Windows Address Book (WAB), as well as the contents of certain .TXT files located in the Winny installation folder. It sends the stolen information to the 2CH.NET bulletin boards by posting a message to them. It terminates itself if VMware is installed, which it determines by checking the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
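The three VMware checks on these slides (a VMware-related file name, the "VMXh" reply string, and the VMware Tools registry key) leave byte patterns in the sample itself. The triage helper below is an added example, not code from the deck or from Trend Micro: it scans constructed stand-in files for those patterns so an analyst can flag samples that will stay dormant in a VMware sandbox. The indicator tag names, the UTF-16LE handling and the "vmware"/"vmtools" path hints are assumptions.

```python
"""Static triage for the anti-VM tricks described on the slides.

Added example (not the deck's or Trend Micro's code): scans quarantined
samples for the VMware checks the slides describe. Pure byte matching;
nothing is executed.
"""
import struct

# "VMXh" as the ASCII string and as the little-endian dword a compiler
# emits when the value is loaded into a register.
VMXH_ASCII = b"VMXh"
VMXH_DWORD = struct.pack("<I", int.from_bytes(b"VMXh", "big"))

# Registry subkey quoted on the slide; Windows binaries usually store it UTF-16LE.
VMTOOLS_KEY = r"SOFTWARE\VMware, Inc.\VMware Tools"

# Assumption: the slide only says "a file related to VMware", so match the
# vendor name as it appears in path strings (case-insensitive). This also
# fires on the registry key, which contains the vendor name.
VMWARE_FILE_HINTS = ("vmware", "vmtools")


def _encodings(text):
    """ASCII and UTF-16LE byte forms of a string literal."""
    return (text.encode("ascii"), text.encode("utf-16-le"))


def anti_vm_indicators(blob):
    """Return the sorted indicator tags present in the byte string `blob`."""
    hits = set()
    if VMXH_ASCII in blob or VMXH_DWORD in blob:
        hits.add("vmxh_backdoor_reply")
    if any(enc in blob for enc in _encodings(VMTOOLS_KEY)):
        hits.add("vmware_tools_regkey")
    lowered = blob.lower()  # lowercases ASCII bytes only, which covers both encodings
    if any(enc in lowered for hint in VMWARE_FILE_HINTS for enc in _encodings(hint)):
        hits.add("vmware_name_string")
    return sorted(hits)


def triage(samples):
    """Map sample name -> indicator list; an empty list means no anti-VM check found."""
    return {name: anti_vm_indicators(blob) for name, blob in samples.items()}


# Constructed stand-ins for quarantined files (not real malware).
SAMPLES = {
    "clean.bin": b"MZ\x90\x00" + b"\x00" * 32 + b"GetProcAddress\x00RegOpenKeyExW\x00",
    "regkey_check.bin": b"MZ" + b"\x00" * 8 + VMTOOLS_KEY.encode("utf-16-le") + b"\x00\x00",
    "vmxh_check.bin": b"MZ" + b"\x00" * 16 + VMXH_DWORD + b"\x00" * 8,
    "file_check.bin": b"MZ" + b"\x00" * 8 + b"C:\\Program Files\\VMware\\VMware Tools\\\x00",
}

if __name__ == "__main__":
    for name, tags in triage(SAMPLES).items():
        print(f"{name}: {'evasive ' + ', '.join(tags) if tags else 'no anti-VM indicator'}")
```

A hit means the sample may behave differently on VMware-based analysis hosts, so dynamic analysis should be repeated on bare metal or with the VMware artefacts hidden.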
17
Other related VE entries:
Grayware (5): CRCK_VMWARE.B, CRCK_VMWARE.C, TSPY_GOLDUN.CD, TSPY_KAKKEYS.AE, TSPY_KAKKEYS.AK
18
Other related VE entries
Malware (30): BKDR_HAXDOOR.DE, BKDR_HAXDOOR.FR, BKDR_HAXDOOR.IV, BKDR_HAXDOOR.JH, BKDR_SDBOT.LP, JS_RESETTABLE.A, PE_CORELINK.C-O, TROJ_AGENT.BRS, TROJ_CONYCSPA.M, TROJ_DLOADER.CPI, TROJ_KAKKEYS.P, TROJ_KAKKEYS.S, TROJ_KAKKEYS.V, TROJ_LDPINCH.DX, TROJ_VMKILLER.B, TROJ_VMWARE.A, WORM_AGOBOT.CW, WORM_ARIVER.A, WORM_IRCBOT.AW, WORM_IXBOT.A, WORM_NUWAR.AOP, WORM_RBOT.ENZ, WORM_SDBOT.CDL, WORM_SDBOT.CKI, WORM_SDBOT.CMH
19
WTC Stats
Figure 4. Infection count on the VMWARE malware family. The infection count on the VMware malware family increased from last year's 1234 to 1304.
21
Are there any Hypervisor Attack Vectors?
There are currently no known hypervisor attack vectors to date that have led to "VM Escape".
- Architectural vulnerability: designed specifically with isolation in mind
- Software vulnerability: possible, as with any code written by humans
Mitigating circumstances:
- Small code footprint of the hypervisor (~32MB) is easier to audit
- If a software vulnerability is found, exploit difficulty will be very high
- Purpose built for virtualization only: non-interactive environment, less code for hackers to leverage
- Ultimately depends on VMware security response and patching
22
Concern: Virtualizing the DMZ / Mixing Trust Zones
Three primary configurations:
- Physical separation of trust zones
- Virtual separation of trust zones with physical security devices
- Fully collapsing all servers and security devices into a VI3 infrastructure
Also applies to PCI requirements 2.2.1, 1.1.x, 6.3.2 and 6.3.3.
23
Questions?
"How do you secure a virtualized environment?"
"How do you virtualize all of the security infrastructure in an organization?"
"What do you call something that inspects memory inside of a VM and inspects traffic and correlates the results? We don't really have a definition for that today, because it was impossible, so we never considered it."
24
How do we secure our Virtual Infrastructure?
Use the principles of information security:
- Hardening and lockdown
- Defense in depth
- Authorization, authentication, and accounting
- Separation of duties and least privileges
- Administrative controls
25
Securing Virtual Machines
Provide the same protection as for physical servers:
- Host anti-virus
- Patch management
- Network intrusion detection/prevention (IDS/IPS)
- Firewalls
26
Secure Design for Virtualization Layer
Fundamental design principles:
- Isolate all management networks
- Disable all unneeded services
- Tightly regulate all administrative access
27
Enforce Strong Access Controls
Security Principle / Implementation in VI
- Least privileges: roles with only required privileges
- Separation of duties: roles applied only to required objects
(Diagram: users Anne, Harry and Joe mapped to the Administrator, Operator and User roles.)
28
Maintain Tight Administrative Controls
Requirement / Example Products
- Configuration management, monitoring, auditing: Tripwire Enterprise for VMware ESX; NetIQ Secure Configuration Manager; Configuresoft ECM for Virtualization
- Track and manage VMs: VMware Lifecycle Manager; VMware Stage Manager
- Updating of offline VMs: VMware Update Manager; Trend Micro BigFix (ESP)
- Virtual network security: Third Brigade (Trend Micro)
A diverse and growing ecosystem of products helps provide a secure VMware infrastructure.
29
Overview – Trend Micro Solution
- Datacenter trends
- Securing VMs: traditional approach, problems
- VMsafe
- The Trend Micro approach: architecture, Trend Micro Deep Security, Trend Micro Core Protection for VMs
5/28/2009
30
Trends in the Datacenter
(Diagram: physical servers, virtualized servers, cloud; servers in the open, servers virtual and in motion, servers under pressure.)
31
Securing Virtual Servers the Traditional Way
(Diagram: several VMs on an ESX server, each running an AV agent beside its apps and OS, with a network IDS/IPS in front of the host.)
- Anti-virus: local, agent-based protection in the VM
- IDS/IPS: network-based device or software solution
32
VMs Need Specialized Protection
Same threats in virtualized servers as physical, plus new challenges:
- Dormant VMs
- Resource contention
- VM sprawl
- Inter-VM traffic
- vMotion
33
Problem 1: Dormant VMs are unprotected
(Diagram: active and dormant VMs on an ESX server.)
Dormant VMs, including VM templates and backups:
- Cannot run scan agents yet can still get infected
- Stale AV signatures
34
Problem 2: Full System Scans
(Diagram: a typical AV console triggering a 3:00am scan in every VM on the ESX server.)
Resource contention with full system scans:
- Existing AV solutions are not VM aware
- Simultaneous full AV scans on the same host cause severe performance degradation
- No isolation between malware and anti-malware
35
Problem 3: VM Sprawl
(Diagram: dormant, active and new VMs on an ESX server.)
Managing VM sprawl:
- Security weaknesses replicate quickly
- Security provisioning creates bottlenecks
- Lack of visibility into, or integration with, the virtualization console increases management complexity
36
Problem 4: Inter-VM Traffic
(Diagram: dormant and active VMs connected through vSwitches; inter-VM traffic never reaches the network IDS/IPS.)
- NIDS/NIPS are blind to intra-VM traffic
- First-generation security VMs require intrusive vSwitch changes
37
Problem 5: VM Mobility
(Diagram: a VM moving between two ESX hosts via vMotion; the network IDS/IPS and vSwitch configuration must follow it.)
vMotion & vCloud:
- Reconfiguration required: cumbersome
- VMs of different sensitivities on the same server
- VMs in public clouds (IaaS) are unprotected
38
Introducing VMsafe
(Diagram: a security VM running firewall, IDS/IPS, anti-virus and integrity monitoring, attached to the ESX server through the VMsafe APIs and protecting the other VMs.)
- Protect the VM by inspection of virtual components
- Unprecedented security for the app & data inside the VM
- Complete integration with, and awareness of, vMotion, Storage VMotion, HA, etc.
39
VMsafe™ APIs
- CPU/Memory: inspection of specific memory pages; knowledge of the CPU state; policy enforcement through resource allocation
- Networking: view all IO traffic on the host; intercept, view, modify and replicate IO traffic; provide inline or passive protection
- Storage: mount and read virtual disks (VMDK); inspect IO reads/writes to the storage devices; transparent to the device and inline with the ESX storage stack
40
The Trend Micro Approach
(Diagram: a security VM with firewall, IDS/IPS, anti-malware, integrity monitoring and log inspection, protecting dormant and active VMs on the ESX server through the VMsafe APIs.)
Comprehensive, coordinated protection for all VMs:
- Local, agent-based protection in the VM
- Security VM that secures VMs from the outside
- Multiple protection capabilities
- Integrates with VMware vCenter and VMsafe
41
1: Intrusion Defense VM - TM Deep Security
(Diagram: Intrusion Defense VM attached to the VMsafe APIs.)
- Intrusion Defense provides IDS/IPS & firewall protection
- Integrates VMsafe-NET APIs (firewall & IDS/IPS)
- Enforces security policy
- Newly emerging VMs are automatically protected
42
2: Anti-Malware Scanning VM - TM Core Protection for VMs
(Diagram: Anti-Malware Scanning VM attached to the VMsafe APIs.)
- Anti-malware scanning for target VMs from outside
- Integrates VMsafe VDDK APIs to mount VM disk files
- Full scans of dormant & active VMs from the scanning VM
- Immunizes the protection agent from disruptive activities
43
How It Works: Stopping Conficker
(Diagram: security VM protecting dormant, active and infected VMs on the ESX server through the VMsafe APIs.)
- Firewall: limits VMs accessing a VM with a vulnerable service
- IDS/IPS: prevents MS exploits
- Anti-Malware: detects and cleans Conficker
- Integrity Monitoring: registry changes & service modifications
- Log Inspection: brute force password attempts
44
Benefits of Coordinated approach
- Layered and coordinated protection
- Closes security gaps in virtual environments
- Layer of isolation and immunity for the protection engine from target malware
- Baseline protection provided for VM sprawl
- Lower management complexity
- Provides cloud security
45
Available from Trend Micro TODAY
- Core Protection for VMs: anti-malware protection for VMware virtual environments
- Deep Security 6: firewall, IDS/IPS, integrity monitoring & log inspection
- Runs in VMs with vCenter integration
- Deep Security 7 (Oct 2009): virtual appliance complements agent-based protection
46
Trend Micro Deep Security Modules
- Deep Packet Inspection: enables IDS/IPS, web app protection, application control and virtual patching. Examines incoming & outgoing traffic for protocol deviations, content that signals an attack, and policy violations.
- Firewall: centralized management of server firewall policy; pre-defined templates for common enterprise server types; fine-grained filtering (IP & MAC addresses, ports); coverage of all IP-based protocols (TCP, UDP, ICMP, IGMP, ...).
- Integrity Monitoring: monitors critical files, systems and registry for changes; critical OS and application files (files, directories, registry keys and values); flexible, practical monitoring through includes/excludes; auditable reports.
- Log Inspection: collects & analyzes operating system and application logs for security events. Rules optimize the identification of important security events buried in multiple log entries.
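The Log Inspection module above, and the "brute force password attempts" line on the Conficker slide, both describe correlating many log entries into one security event. The rule below is an added example, not Trend Micro's rule engine or format: it turns repeated failed logons from one source into a single brute-force event over a sliding time window, and raises a second event if that source later logs on successfully. The syslog-style line format, host and user names, and addresses are constructed assumptions.

```python
"""Log Inspection style rule: brute-force logon correlation.

Added example (not Trend Micro's rule engine): collapses a run of failed
logons from one source into one event, as the Log Inspection module and the
Conficker slide describe. Line format is an assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format: "<ISO timestamp> <host> logon <SUCCESS|FAILURE> user=<u> src=<ip>"
LINE_RE = re.compile(r"^(\S+) (\S+) logon (SUCCESS|FAILURE) user=(\S+) src=(\S+)$")


def parse_line(line):
    """Return (timestamp, host, outcome, user, src), or None for lines the rule ignores."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, outcome, user, src = m.groups()
    return datetime.fromisoformat(ts), host, outcome, user, src


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=2)):
    """Emit one 'brute_force' event per (host, src) once `threshold` failures fall
    inside `window`, plus a 'success_after_brute_force' event if that source then
    logs on successfully. Events are returned in log order."""
    records = sorted(r for r in map(parse_line, lines) if r)  # chronological
    recent = defaultdict(deque)  # (host, src) -> timestamps of failures inside the window
    alerted = set()
    events = []
    for ts, host, outcome, user, src in records:
        key = (host, src)
        if outcome == "FAILURE":
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:  # expire failures older than the window
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                events.append({"type": "brute_force", "host": host, "src": src,
                               "user": user, "failures": len(q), "at": ts})
        elif key in alerted:
            events.append({"type": "success_after_brute_force", "host": host,
                           "src": src, "user": user, "at": ts})
    return events


# Constructed sample log: six failures and a success from 10.0.0.5, two
# unrelated failures from 10.0.0.9, and one line the rule does not parse.
SAMPLE_LOG = """\
2009-08-25T03:00:00 fileserver logon FAILURE user=Administrator src=10.0.0.5
2009-08-25T03:00:05 fileserver logon FAILURE user=Administrator src=10.0.0.9
2009-08-25T03:00:07 fileserver service started: Spooler
2009-08-25T03:00:10 fileserver logon FAILURE user=Administrator src=10.0.0.5
2009-08-25T03:00:15 fileserver logon FAILURE user=Administrator src=10.0.0.9
2009-08-25T03:00:20 fileserver logon FAILURE user=Administrator src=10.0.0.5
2009-08-25T03:00:30 fileserver logon FAILURE user=Administrator src=10.0.0.5
2009-08-25T03:00:40 fileserver logon FAILURE user=Administrator src=10.0.0.5
2009-08-25T03:00:50 fileserver logon FAILURE user=Administrator src=10.0.0.5
2009-08-25T03:01:05 fileserver logon SUCCESS user=Administrator src=10.0.0.5
""".splitlines()

if __name__ == "__main__":
    for event in detect_brute_force(SAMPLE_LOG):
        print(event)
```

The second event type is the one worth paging on: a success following a detected brute-force run from the same source is a likely compromise, not just noise.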
47
Deep Security: Platforms protected
- Windows: 2000; XP, 2003 (32 & 64 bit); Vista (32 & 64 bit); Windows Server 2008 (32 & 64 bit); Hyper-V (guest VM)
- Solaris: 8, 9, 10 on SPARC; 10 on x86 (64 bit); Solaris 10 partitions
- Linux: Red Hat 3; Red Hat 4, 5 (32 & 64 bit); SuSE 9, 10
- Virtualization: VMware ESX Server (guest VM); Virtual Center integration; XenServer guest VM
- HP-UX 11i v2, AIX 5.3: Integrity Monitoring & Log Inspection modules
48
Trend Micro Core Protection for Virtual Machines
More protection:
- First virtualization-aware anti-malware product in the market
- Secures dormant and active VMs efficiently
- New VMs auto-scanned on creation and auto-assigned to a scanning VM
- Supports VI3 and vSphere 4 (needs vCenter)
Less complexity:
- Flexible management: through a standalone web console, as a plugin to Trend Micro OfficeScan, or through VMware vCenter
- Flexible configuration: can be configured with multiple scanning VMs on any ESX/ESXi (or physical) server
- Flexible deployment: CPVM can be set up to co-exist with OSCE or competitive products if necessary (not ideal*)
49
CPVM System Requirements
50
References
- Security Design of the VMware Infrastructure 3 Architecture
- VMware Infrastructure 3 Security Hardening
- Managing VMware VirtualCenter Roles and Permissions
- DISA STIG and Checklist for VMware ESX
- CIS (Center for Internet Security) Benchmark
- Xtravirt Virtualization Security Risk Assessment
51
52
Always remember: It's not important how hard you work, it is important how smart you work!
53
Thank You jerome_law@trendmicro.co.uk +44 7979 993377