Modern Malware and Virtualization Security

Public and private sector businesses alike need to be aware that the driving factors behind the creation of malware have dramatically evolved over the past few years. The fundamental change is in the underlying motivation of its authors. Until recently, most malware was written by technologists looking to make a name for themselves; ultimately they were after notoriety and bragging rights. However, in the last couple of years a shift has taken place from individuals authoring malware on their own to the creation of malware by organized crime factions as well as governments. This also means that the malware creator’s goals have changed from simple personal satisfaction to significant financial or political gain.

This change in motivation has led to a change in how the malware actually behaves. Older malware was focused on spreading to as many machines as possible and drawing attention to itself as a way of promoting its author’s image. Newer malware is frequently designed to remain “out of sight” while surreptitiously extracting data and sending it to the controlling organization. Information of interest includes, but is not limited to, passwords, financial data, corporate intelligence, and government secrets. This lower-profile approach allows the malware to stay on infected computers longer. About 30% of PCs are infected at any given time [1]. This new breed of malware also allows the controlling entity to execute arbitrary programs on the infected machine(s). This is often referred to as an Advanced Persistent Threat (APT).

Because the goal has become financial or political gain, some modern malware is now precisely targeted towards a small number of specific, preselected systems or servers. This means it may never be seen in the wild prior to infecting a target machine. Knowing this, can anti-virus software truly function as an effective anti-malware tool?

Why Anti-Virus No Longer Works for Malware

Most anti-virus software is signature-based. This means it has a list of known malware and scans files for those specific signatures or patterns. This works well when the main threat is prolific malware that is not specifically targeted at a single organization. But even in this case there is a dangerous, unprotected window of time between when the malware is first seen and when the anti-virus vendor updates its database with the new signature. In the scenario where a piece of malware is specifically created and targeted at your organization, signature-based anti-virus is completely ineffective.

Some anti-virus vendors have tried to address this deficiency by releasing heuristic-based anti-virus systems. These systems look for suspicious patterns of behavior and flag them. While more likely to catch novel malware than the signature approach, they are still likely to fail against a modern APT-type attack. This is in large part because the authors almost always test their malware against easily available anti-virus systems. Using test sites that host a large number of anti-virus engines (intended for developers to verify legitimate software against), the authors are able to ensure their code is not identified as malware.

Clearly some additional security measures would be prudent, particularly for users who are likely to be targeted or are involved in higher-risk activities. One approach to addressing these issues is the use of virtualized environments.

How Virtualization Can Help

Virtualization technologies offer a number of mechanisms that can help mitigate the risks posed by a new generation of malware and attackers. Two of the most important and effective capabilities enabled by virtualization are system isolation and system rollback.

System isolation separates your highest risk or most vulnerable environments and activities from the rest of your networks and data. Browsing to untrusted websites and email from outside sources can be compartmentalized within the virtual and isolated environment, ensuring that infections are safely contained. Likewise, investigations and other high-risk activities can be conducted from within the safety of the virtual machine without fear of compromising the rest of the network.

System rollback ensures that even undetectable malware is completely removed by regularly reverting the entire computer to a known clean and secure state. User data may be preserved outside the virtual machine, but all executable content is destroyed, and replaced with known good copies. This is typically done at the end of each session, and no less than daily.

The most effective isolation can be achieved by establishing a virtualized computer physically outside the corporate environment and only allowing connections via a restricted remote desktop protocol. That way, even if the machine becomes infected it cannot reach the rest of the corporate infrastructure. It has no access to the corporate network, and only communicates by receiving keyboard and mouse input and sending back a picture of the virtual screen. Firewall rules should restrict communications between the virtualized machine and the corporate machines that require remote desktop access to only the explicitly allowed protocols. The servers must also be provisioned outside the company’s usual network, which requires dedicated hardware and networks. Safely persisting important data and enabling secure migration between the virtual environment and the local network is tricky.

Another approach is to run a virtual machine on the local system. This provides a layer of isolation from the host system and does not require additional hardware; however, it does not provide the same level of protection a completely isolated system does. The local virtual machine may be able to access the local network unless it is carefully configured. Ideally the local virtual machine should only be able to communicate over a VPN to an exit point outside the network perimeter.
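The two network postures described above, the out-of-network workstation reachable only over a restricted remote desktop port and the local VM that may only talk to a VPN exit point, can be expressed as default-deny firewall rulesets. The following shell script is an added example, not Ntrepid's code or configuration: it generates nftables rulesets for each posture. The jump host address, the VPN endpoint, the use of RDP on 3389/tcp, WireGuard on `wg0`, and the RFC 1918 ranges standing in for "the corporate network" are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): default-deny nftables rulesets
# for an isolated analysis workstation. All addresses and ports are assumptions.
set -eu

# Ruleset for the workstation hosted OUTSIDE the corporate network.
# Inbound: only remote desktop (assumed RDP, 3389/tcp) from one jump host.
# Outbound: anything except the corporate address ranges (assumed RFC 1918).
isolated_host_ruleset() {
    jump_host="$1"          # hypothetical corporate machine allowed to connect
    cat <<EOF
table inet isolated_ws {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ip saddr $jump_host tcp dport 3389 ct state new accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop
        meta l4proto { tcp, udp, icmp } accept
    }
}
EOF
}

# Ruleset applied INSIDE a VM running on the user's own machine.
# The only permitted egress is the encrypted tunnel to the VPN endpoint
# (assumed WireGuard: UDP to the endpoint, plus traffic inside wg0).
# The local LAN is unreachable because the output policy is drop.
local_vm_ruleset() {
    vpn_endpoint="$1"; vpn_port="$2"    # hypothetical exit point outside the perimeter
    cat <<EOF
table inet local_vm {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        oifname "wg0" accept
        ip daddr $vpn_endpoint udp dport $vpn_port accept
    }
}
EOF
}

# Parse-only check of a ruleset read from stdin, when nft is available.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}

# Usage: ./isolation-rules.sh host 192.0.2.10 > isolated.nft
#        ./isolation-rules.sh local 198.51.100.7 51820 > local-vm.nft
case "${1:-}" in
    host)  isolated_host_ruleset "$2" ;;
    local) local_vm_ruleset "$2" "$3" ;;
esac
```

Applying either file is `nft -f <file>` on the respective machine; the corporate jump host should carry a matching rule that allows it to open only 3389/tcp to the isolated workstation, so the allow list is enforced on both ends of the remote desktop session.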

Either approach allows a user to roll back to a known clean state when they suspect they have been compromised or at the end of the day or session. It is important to ensure that there is no loss of critical data in the course of the rollback.
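The rollback step described above (preserve the user's data outside the virtual machine, then revert the whole guest to a known clean state) can be scripted as an end-of-session routine. The script below is an added example and is not Ntrepid's product code; it assumes a libvirt guest named `analyst-vm` with a snapshot named `clean-base`, and a host-side export directory into which the guest writes its documents. Only document-type files are carried over, so any executable content dropped into the export area is discarded along with the guest state.

```shell
#!/bin/sh
# Added example (not from the original article): end-of-session rollback of a
# libvirt guest. Guest name, snapshot name and directories are assumptions.
set -eu

VIRSH="${VIRSH:-virsh}"     # override (e.g. with a shell function) for dry runs

# Copy the user's work out of the guest's export area into persistent storage.
# Executables are deliberately not preserved: the revert must replace all
# executable content with known-good copies from the clean snapshot.
preserve_user_data() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    find "$src" -type f \( -name '*.txt' -o -name '*.pdf' -o -name '*.csv' \) \
        -exec cp -p {} "$dst"/ \;
}

# Power the guest off (its running state is discarded anyway) and revert the
# disk and configuration to the clean snapshot.
rollback_vm() {
    domain="$1"; snapshot="$2"
    "$VIRSH" destroy "$domain" >/dev/null 2>&1 || true
    "$VIRSH" snapshot-revert "$domain" --snapshotname "$snapshot"
}

# Full end-of-session routine: preserve data, revert, verify, restart.
# Returns non-zero if the guest is not on the clean snapshot afterwards.
end_session() {
    domain="$1"; snapshot="$2"; export_dir="$3"; keep_dir="$4"
    preserve_user_data "$export_dir" "$keep_dir"
    rollback_vm "$domain" "$snapshot"
    current="$("$VIRSH" snapshot-current "$domain" --name)"
    if [ "$current" != "$snapshot" ]; then
        echo "rollback failed: guest is on snapshot '$current'" >&2
        return 1
    fi
    "$VIRSH" start "$domain"
}

# Usage: ./end-session.sh run   (run at logout or, at the latest, once a day)
if [ "${1:-}" = "run" ]; then
    end_session analyst-vm clean-base /srv/analyst-vm/export /srv/analyst-data
fi
```

Because the verification compares `snapshot-current` against the expected name, a revert that silently fails (for example because the snapshot was deleted or renamed) stops the guest from being restarted and surfaces as an error rather than leaving a possibly compromised image in service.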

How Ntrepid Makes It Easier

Ntrepid’s cyber security product line makes the benefits of running in a virtualized environment easily available, even to non-technical staff members. Nfusion ( is a completely separate workstation environment that provides robust protection from malware by rolling back to a pristine image every time the product is launched, while still allowing users to keep the data they need to do their jobs. Robust auditing is also available, so the compliance and oversight information organizations need is immediately accessible. Nfusion provides isolation for high-risk activities, while allowing the user complete flexibility over which programs are used within the secure environment.

For a browser-only solution, Passages by Ntrepid ( runs in a lightweight virtual environment on the user’s existing machine, providing isolation from the base operating system and local network. This is designed for users with average risk profiles who only need protection for web browsing.

Whether you are investigating, verifying/detecting malicious content, or performing general research online, make sure that you are covering your own tracks and aren’t putting your own network at risk. Contact Ntrepid for a free trial today.
