trend micro virtualization security jerome law emea solutions architect

Trend Micro Virtualization Security

Jerome Law

EMEA Solutions Architect

08/25/092

What is a Hypervisor?

Hypervisors are a “meta” operating system in a virtualized environment. They have access to all physical devices in a server, including all disk and memory. Hypervisors both schedule access to these devices, and help to protect clients from each other. A server first starts to execute the hypervisor, which then loads each of the virtual machine client operating systems, allocating the appropriate amount of memory, CPU usage, network bandwidth and disk space for each of the VMs.

VMs make requests to the hypervisor through several different methods, usually involving a specific API call. These APIs are prime targets for malicious code, so substantial effort is made by all hypervisors to ensure that the API’s are secure, and that only authentic (authenticated, and authorized) requests are made from the VMs. This is a critical path function. It should be noted, however, that speed is a significant requirement in all hypervisors, to ensure that the overall performance is not impacted

04/21/233Confidential

They hijack computers and misuse them for commercial purposes

TriggerDownloader

Infection

Downloading

Components

Interaction

With Server

WEB

$$$$

What the Bad Guys are Doing

04/21/234Classification

Underground Virtualization

Operating System

Hypervisor

Virtualization

5 Copyright 2008 - Trend Micro Inc.04/04/08

Asset Going-rate

Pay-out for each unique adware installation

30 cents in the United States, 20 cents in Canada, 10 cents in the UK, 2 cents elsewhere

Malware package, basic version $1,000 – $2,000

Malware package with add-on services Varying prices starting at $20

Exploit kit rental – 1 hour $0.99 to $1

Exploit kit rental – 2.5 hours $1.60 to $2

Exploit kit rental – 5 hours $4, may vary

Undetected copy of a certain information-stealing Trojan

$80, may vary

Distributed Denial of Service attack $100 per day

10,000 compromised PCs 1,000 $

Stolen bank account credentials Varying prices starting at $50

1 million freshly-harvested emails (unverified)

$8 up, depending on quality

Underground economy

Sample data from research on the underground digital economy in 2007

6

Problem

• Every 2 seconds a new malware threat is created

• 79% of websites hosting malicious code are legitimate – thus compromised by hackers

• 59% view their organization’s Web gateway security solutions as only somewhat effective, not very effective or not at all effective in protecting against web-borne threats

• 23% of the average user’s day at work is spent doing something on the Web

• 45% of the 100 most popular websites support user generated content – Web2.0– 60% infected with malware

• 42% are prepared to deal with the risks of Web2.0 in order to capitalize on its business benefits (i.e. allow access to social networking sites etc)


And who’s behind?

compromised ISP subnets owned by --> ARUBA.IT (and Vortech)

IP Location: Italy

Revolve Host: *.in-addr.arpa.10799INPTRwebx90.aruba.it.

Blacklist Status: Clear

OrgName: RIPE Network Coordination Centre

OrgID: RIPE

Address: P.O. Box 10096

City: Amsterdam

StateProv:

PostalCode: 1001EB

Country: NL

IFRAME redirector from compromised site --> HostFresh, HK

IP Location: Hong Kong, Hostfresh


Whois Record

person: Piu Lo

nic-hdl: PL466-AP

e-mail: [email protected]

address: No. 500, Post Office, Tuen Mun, N.T., Hong Kong

phone: +852-35979788

fax-no: +852-24522539

country: HK

other downloaded malware from various sites

For example. 58.65.239.180

is announced by Atrivo / Intercage, an infamous

hosting company in the Bay Area. It is an APNIC IP

address, but the physical location of servers using IP

addresses in the range 58.65.238.0/23 is the Bay

Area in a datacenter in San Francisco at Paul Avenue

control and monitoring server --> FasterServers, Chicago, IL

IP Location: United States, Chicago, Fastservers Inc

Revolve Host: <snip> TRUMAN.DNSPATHING.COM.


Whois Record

OrgName: FastServers, Inc.

OrgID: FASTS-1

Address: 175 W. Jackson Blvd

Address: Suite 1770

City: Chicago

StateProv: IL

PostalCode: 60604

Country: US


04/21/23 8Confidential

MPACK Details

•Created by the same group, who created WebAttacker Toolkit

•Current Version: 0.90

•They gurantee that the released version is QA‘d against AV-Software

•MPACK kit sells for 700 USD, if Dream Downloader is included, 1000 USD

•New exploits integrated in MPACK cost between 50-150USD depending on the severity/spread of the vulnerability

•DreamDownloader is an automatic file downloader triggered by MPACK

•It bypasses several FW

•Disables some Antivirus

•Uses Anti-Debug techniques

•Detects Virtual Machines

•Uses several packers to avoid detection


04/21/23 9Confidential

ZLOB Infection Business model

How it works

1. You send surfers to videoscash's sites/galleries/videos in any possible way.

2. Surfers trying to view free videos, but "seems like" they have no appropriate video codec installed. And they are offered to download it.

3. Once they download and install the video codec you get $0.02 - $0.26 (depends of the surfer's country).

4. Twice a month You get paid via Epassporte, Wire transfer, Fethard or Webmoney with no hold!

Source: Underground Webpage

Changing Threat Environment

More profitable $100 billion: Estimated profits from global cybercrime -- Chicago Tribune, 2008

More sophisticated, malicious & stealthy “95% of 285 million records stolen in 2008, were the result of highly skillful attacks” “Breaches go undiscovered and uncontained for weeks or months in 75% of cases.” -- Verizon Breach Report, 2009

More frequent We receive 40000 attacks per hour on a typical morning

-- Cleveland Clinic Health System @ HIMSS 2006

More targeted "Harvard and Harvard Medical School are attacked every 7 seconds, 24 hours a day, 7 days a week.” -- John Halamka, CIO

10

11

PCI DSS

• Layered and coordinated protection

• Closes security gaps in virtual environments

• Layer of isolation and immunity for the protection engine from target malware

• Baseline protection provided for VM sprawl

• Lower management complexity

• Provides cloud security

What NOT to worry aboutSource: Spamhaus Blocklist (SBL) database. Data is compiled automatically every 24 hours from the SBL database and sorted by the number of currently listed SBL records for each network (ISP/NSP). The source data, including record information on each spam issue listed can be viewed by clicking on the Issues hyperlinks above.Source: Spamhaus Blocklist (SBL) database. Data is compiled automatically every 24 hours from the SBL database and sorted by the number of currently listed SBL records for each network (ISP/NSP). The source data, including record information on each spam issue listed can be viewed by clicking on the Issues hyperlinks above.

08/25/0914

Some malware that uses anti-VMware tactics:

TROJ_CONYCSPA.M

» This Trojan may be downloaded from the Internet. It may also be dropped by another malware.

» contains anti-debugging technique to check if the system runs on the virtual platform, VMWARE. It does the said routine by checking for a file related to VMWare. If it is running in the said virtual platform, it does not proceed with its malicious routines.

» It exports functions that enables it to send spammed email messages using its own Simple Mail Transfer Protocol (SMTP) engine.

http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_CONYCSPA.M

08/25/0915


• This file infector checks if the infected system is running on VMWare or on a virtual machine environment. It does its checking by comparing the reply on port. If the reply returns "VMXh", it adjusts its privileges so that it shuts down the affected system.

• Propagates via network shares and removable drives• Downloads TROJ_ALMANAHE.V• Upon execution, it decrypts the embedded rootkit file

NVMINI.SYS and CDRALW.SYS, detected by Trend Micro as TROJ_AGENT.THK.

PE_CORELINK.C-O

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ALMANAHE.V

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.THK

08/25/0916


• gathers the contact list from the Windows Messenger and Windows Address Book (WAB), as well as the contents of certain.TXT files located in the Winny installation folder.

• It sends the stolen information to the 2CH.NET Bulletin Boards by posting a message to the said boards.

• terminates itself if VMWARE is installed. It does the said routine by

checking the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools

TROJ_KAKKEYS.S

08/25/0917

Other related VE entries:

Grayware (5)

• CRCK_VMWARE.B• CRCK_VMWARE.C• TSPY_GOLDUN.CD• TSPY_KAKKEYS.AE• TSPY_KAKKEYS.AK

08/25/0918

Other related VE entries

Malware (30)

• BKDR_HAXDOOR.DE• BKDR_HAXDOOR.FR• BKDR_HAXDOOR.IV• BKDR_HAXDOOR.JH• BKDR_SDBOT.LP• JS_RESETTABLE.A• PE_CORELINK.C-O• TROJ_AGENT.BRS• TROJ_CONYCSPA.M• TROJ_DLOADER.CPI• TROJ_KAKKEYS.P

» TROJ_KAKKEYS.S» TROJ_KAKKEYS.V» TROJ_LDPINCH.DX» TROJ_VMKILLER.B» TROJ_VMWARE.A» WORM_AGOBOT.CW» WORM_ARIVER.A» WORM_IRCBOT.AW» WORM_IXBOT.A» WORM_NUWAR.AOP» WORM_RBOT.ENZ» WORM_SDBOT.CDL» WORM_SDBOT.CKI» WORM_SDBOT.CMH

08/25/0919

WTC Stats

• The infection count on VMWare malware family increased from last year’s 1234 to 1304.

Figure 4. Infection count on VMWARE Malware Family

What NOT to worry about

Are there any Hypervisor Attack Vectors?

Concern: Virtualizing the DMZ / Mixing Trust Zones

Three Primary Configurations:

• Physical Separation of Trust Zones• Virtual Separation of Trust Zone with Physical

Security Devices• Fully collapsing all servers and security

devices into a VI3 infrastructure

Also Applies to PCI Requirements 2.2.1, 1.1.x, 6.3.2, and 6.3.3


• “How do you secure a virtualized environment” • “How do you virtualize all of the security infrastructure in

an organization” • “What do you call something that inspects memory

inside of VM and inspects traffic and correlates the results? We don’t really have a definition for that today, because it was impossible, so we never considered it.”

Questions?

How do we secure our Virtual Infrastructure?

Use the Principles of Information Security– Hardening and Lockdown– Defense in Depth– Authorization, Authentication, and Accounting– Separation of Duties and Least Privileges– Administrative Controls

Securing Virtual Machines

•Host– Anti-Virus

– Patch Management

•Network– Intrusion

Detection/Prevention (IDS/IPS)

– Firewalls

25

Provide Same Protection as for Physical Servers

Secure Design for Virtualization Layer

26

Fundamental Design Principles

• Isolate all management networks

• Disable all unneeded services

• Tightly regulate all administrative access

Enforce Strong Access Controls

Security Principle

Implementation in VI

Least Privileges

Roles with only required privileges

Separation of Duties

Roles applied only to required objects

27

Administrator

Operator

User

Anne

Harry

Joe

Maintain Tight Administrative Controls

Requirement Example Products

Configuration management, monitoring, auditing

Tripwire Enterprise for VMware ESXNetIQ Secure Configuration ManagerConfiguresoft ECM for Virtualization

Track and Manage VM VMware Lifecycle ManagerVMware Stage Manager

Updating of offline VMs VMware Update ManagerTrend Micro Big Fix (ESP)

Virtual network security Third Brigade – Trend Micro

28

Diverse and growing ecosystem of products to help provide secure VMware Infrastructure

Overview – Trend Micro Solution

• Datacenter trends• Securing VMs

– Traditional approach– Problems

• VMsafe• The Trend Micro approach

– Architecture– Trend Micro Deep Security– Trend Micro Core Protection

for VMs

5/28/2009 29

30

Trends in the Datacenter

30

Physical

Virtualized

Cloud

Servers under pressure

Servers virtual and in motion

Servers in the open

Securing Virtual Servers the Traditional Way

31

App

OS

NetworkIDS / IPS ESX Server

App

OS

App

OS

AppAV AppAV AppAV

• Anti-virus: Local, agent-based protection

in the VM

• IDS / IPS : Network-based device or

software solution

VMs Need Specialized Protection

Same threats in virtualized servers as physical.

New challenges:1. Dormant VMs

2. Resource contention

3. VM Sprawl

4. Inter-VM traffic

5. vMotion

32

+

Problem 1: Dormant VMs are unprotected

33

Dormant VMs includes VM templates and backups:

• Cannot run scan agents yet still can get infected

• Stale AV signatures

App

OS

ESX Server

App

OS

App

OS

AppAV AppAV AppAVApp

OS

App

OS

AppAV AppAV

Dormant VMs Active VMs

Problem 2:Full System Scans

34

ESX Server

OS

AppAVTypical AV

Console

3:00am Scan

Resource Contention with Full System Scans

• Existing AV solutions are not VM aware

• Simultaneous full AV scans on same host

causes severe performance degradation

• No isolation between malware and anti-malware

Problem 3:VM Sprawl

35

ESX Server

Managing VM Sprawl • Security weaknesses replicate quickly• Security provisioning creates bottlenecks• Lack of visibility into, or integration with, virtualization

console increases management complexity

App

OS

AppAV

Dormant Active New

Problem 4:Inter-VM Traffic

36

Inter-VM traffic• NIDS / NIPS blind to intra-VM traffic• First-generation security VMs require intrusive vSwitch

changes

OS

AppAV

OS

AppAV

OS

AppAV

OS

AppAV

NetworkIDS / IPS

vSwitch vSwitch

Dormant Active

Problem 5:VM Mobility

37

vMotion & vCloud:• Reconfiguration required: cumbersome• VMs of different sensitivities on same server• VMs in public clouds (IaaS) are unprotected

OS

AppAV

OS

AppAV

NetworkIDS / IPS

vSwitch vSwitch

Dormant

OS

AppAV

Active

Introducing VMsafe

38

App

OS

ESX Server

App

OS

App

OS

VMsafe APIs

Security VM Firewall IDS / IPS Anti-Virus Integrity Monitoring

– Protect the VM by inspection of virtual components– Unprecedented security for the app & data inside the VM– Complete integration with, and awareness of, vMotion,

Storage VMotion, HA, etc.

VMsafe™ APIs

39

CPU/Memory Inspection• Inspection of specific memory pages • Knowledge of the CPU state• Policy enforcement through resource allocation

Networking• View all IO traffic on the host• Intercept, view, modify and replicate IO traffic• Provide inline or passive protection

Storage• Mount and read virtual disks (VMDK)• Inspect IO read/writes to the storage devices• Transparent to device & inline with ESX Storage stack

- Firewall- IDS / IPS- Anti-Malware- Integrity Monitoring- Log Inspection

The Trend Micro Approach

40

ESX Server

Security VMDormant

Comprehensive, coordinated protection for all VMs

• Local, agent-based protection in the VM

• Security VM that secures VMs from the outside

• Multiple protection capabilities

• Integrates with VMware vCenter and VMsafe

VMsafe APIs

IntrusionDefense

IntrusionDefense

1: Intrusion Defense VM - TM Deep Security

41

VMsafe APIs

IntrusionDefense

• Intrusion Defense provides IDS/IPS & firewall protection• Integrates VMsafe-NET APIs (firewall & IDS/IPS)• Enforces security policy• Newly emerging VMs are automatically protected

VMsafe APIsVMsafe APIs

2: Anti-Malware Scanning VM - TM Core Protection for VMs

42

VMsafe APIs

• Anti-malware scanning for target VMs from outside• Integrates VMsafe VDDK APIs to mount VM disk files• Full scans of dormant & active VMs from scanning VM• Immunizes the protection agent from disruptive activities

ScanningVMs

VMsafe APIsVMsafe APIs

How It Works: Stopping Conficker

43

ESX Server

Security VM- Firewall- IDS / IPS- Anti-Malware- Integrity Monitoring- Log Inspection

Dormant

• Firewall: Limits VMs accessing a VM with vulnerable service

• IDS/IPS: Prevent MS008-067 exploits

• Anti-Malware: Detects and cleans Conficker

• Integrity Monitoring: Registry changes & service modific’ns

• Log Inspection: Brute force password attempts

VMsafe APIs

InfectedActive

44

Benefits of Coordinated approach

• Layered and coordinated protection

• Closes security gaps in virtual environments

• Layer of isolation and immunity for the protection engine from target malware

• Baseline protection provided for VM sprawl

• Lower management complexity

• Provides cloud security

Available from Trend

Trend Micro Core Protection for VMs

Trend Micro Deep Security 6

Trend Micro Deep Security 7

45

– Anti-malware protection for VMware virtual environments

– Firewall, IDS/IPS, Integrity Monitoring & Log Inspection

– Runs in VMs with vCenter integration

– Virtual Appliance complements agent-based protection

TODAY

OCT2009

Trend Micro Deep Security Modules

Deep Packet Inspection

Log InspectionIntegrity Monitoring

Firewall

04/21/2346Internal Training

• Centralized management of server firewall policy• Pre-defined templates for common enterprise server types• Fine-grained filtering: IP & MAC addresses, Ports• Coverage of all IP-based protocols: TCP, UDP, ICMP, IGMP …

Enables IDS / IPS, Web App Protection, Application Control, Virtual Patching

Examines incoming & outgoing traffic for:• Protocol deviations• Content that signals an attack• Policy violations.

• Collects & analyzes operating system and application logs for security events. • Rules optimize the identification of important security events buried in multiple log entries.

• Monitors critical files, systems and registry for changes

• Critical OS and application files (files,

directories, registry keys and values)• Flexible, practical monitoring

through includes/excludes

• Auditable reports

Deep Security: Platforms protected

47

• Windows 2000• Windows XP, 2003 (32 & 64 bit)• Vista (32 & 64 bit)• Windows Server 2008 (32 & 64 bit)• HyperV (Guest VM)

• 8, 9, 10 on SPARC• 10 on x86 (64 bit)• Solaris 10 partitions

• Red Hat 3• Red Hat 4, 5 (32 & 64 bit)• SuSE 9, 10

• VMware ESX Server (Guest VM)• Virtual Center integration

• XenServer Guest VM

• HP-UX 11i v2• AIX 5.3

Integrity Monitoring& Log Inspection

modules

04/21/2347Internal Training

Trend Micro Core Protection for Virtual Machines

More Protection• First virtualization-aware anti-malware product in the market

• Secures dormant and active VMs efficiently

• New VMs auto-scanned on creation and auto-assigned to a scanning VM

• Supports VI3 and vSphere 4 (needs vCenter)

Less Complexity• Flexible Management: Through standalone web console, as a plugin to

Trend Micro OfficeScan or through VMware vCenter• Flexible Configuration: Can be configured with multiple scanning VMs

on any ESX/ESXi (or physical) server • Flexible Deployment: CPVM can be setup to co-exist with OSCE or

competitive products if necessary (not ideal*)

CPVM System Requirements

References

– Security Design of the VMware Infrastructure 3 Architecture(http://www.vmware.com/resources/techresources/727)

– VMware Infrastructure 3 Security Hardening(http://www.vmware.com/vmtn/resources/726)

– Managing VMware VirtualCenter Roles and Permissions(http://www.vmware.com/resources/techresources/826)

– DISA STIG and Checklist for VMware ESX(http://iase.disa.mil/stigs/stig/esx_server_stig_v1r1_final.pdf)(http://iase.disa.mil/stigs/checklist/esx_server_checklist_v1r1_30_apr_2008.pdf)

– CIS (Center for Internet Security) Benchmark(http://www.cisecurity.org/bench_vm.html)

– Xtravirt Virtualization Security Risk Assessment (http://www.xtravirt.com/index.php?option=com_remository&Itemid=75&func=fileinfo&id=15)

08/25/0951

Other Sources:

TNL article on Virtualization:

http://tnl.trendmicro.com.ph/tnl_articles.php?id=242&action=view

Related blog entries:

http://blog.trendmicro.com/vmware-bug-provides-escape-hatch/

http://blog.trendmicro.com/rootkits-get-more-physical/


Always remember

It‘s not important how hard you work,

It is important, how smart you work!

Thank You

[email protected]+44 7979 993377

trend micro virtualization security jerome law emea solutions architect

Documents

exploit kit rental

compromised site

compromised pcs1

cents elsewheremalware

malicious code

compromised isp subnets

schedule access

ripe address