Suspended virtual images can reinfect networks with old malware when restarted: Trend Micro

Companies using virtual servers and desktops routinely leave their systems open to old, well-known and widely exploited security vulnerabilities, a virtualisation expert has warned.

While virtual computing environments allow organisations to rapidly deploy new server and desktop images, the nature of the process means that those images, whether restored after being paused for some time or created from old snapshots, carry only the security protections (patches and malware signatures) that were in place the last time the image was updated.

Once brought live, those images are vulnerable to every flaw that has been discovered and patched in the meantime, Trend Micro technical consultant Michael Gioia warned attendees at the VMware Series 2013 technical conference in Melbourne, creating a latent security hole that can stymie efforts to manage virtualised environments.

“When you turn on the machine it needs to come up to spec,” Gioia said in explaining the problem of ‘instant-on gaps’. “You have tools to cater for that updating, but there’s always going to be that delta.”

In the worst case, the instant-on gap can resurrect old malware that has long since been eradicated from the rest of the network, reinfecting it and creating, at the very least, more work for system administrators.

“I have clients today that have Conficker running around their networks,” Gioia said. “It’s fine, and we will catch it – but it means that it’s on your network somewhere. It’s often because of that instant-on gap, from something that has been turned off for a long period of time and reactivated with out-of-date security.”

The problem is multiplied when IT staff use old, infected images to bring up large numbers of new desktops or servers at once: “that leads to a whole heap of clones with that same bad posture,” he said, adding that “the threat market is now looking at sophisticated, targeted attacks that are the scariest thing in the last eight months.”
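The audit a practitioner would want after reading the above is one that answers two questions: which powered-off or suspended guests will come up with a stale baseline, and which running clones inherited that baseline from a stale snapshot. The script below is an added example and is not Trend Micro's or VMware's code; the inventory is constructed, the 30-day threshold and the 'update-first' action (hold the guest on an update-only network until it is patched) are assumed policy, and the 'baseline' timestamp stands in for whatever record of last patch/signature update an inventory system actually keeps.

```python
"""Audit a VM inventory for the 'instant-on gap': guests whose patch and
signature baseline is older than a threshold, and clones that inherit a
stale baseline from the snapshot they were built from.

Added example; the inventory below is constructed, not real data."""
from datetime import datetime, timezone

# Constructed snapshots: 'baseline' is when the image was last patched and
# its malware signatures refreshed (assumed field name).
SNAPSHOTS = {
    "golden-2012q4": {"baseline": "2012-11-20T00:00:00Z"},
    "golden-2013q2": {"baseline": "2013-05-30T00:00:00Z"},
}

# Constructed guests: 'parent' links a clone to the snapshot it came from.
VMS = [
    {"name": "web-01",  "state": "running",   "baseline": "2013-06-10T00:00:00Z", "parent": "golden-2013q2"},
    {"name": "rpt-07",  "state": "suspended", "baseline": "2012-12-01T00:00:00Z", "parent": "golden-2012q4"},
    {"name": "vdi-101", "state": "running",   "baseline": "2012-11-20T00:00:00Z", "parent": "golden-2012q4"},
    {"name": "vdi-102", "state": "running",   "baseline": "2012-11-20T00:00:00Z", "parent": "golden-2012q4"},
]

# Fixed 'now' so the audit is reproducible; a real run would use the clock.
NOW = datetime(2013, 6, 20, tzinfo=timezone.utc)


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def gap_days(baseline: str, now: datetime) -> int:
    """Whole days between an image's last security update and 'now':
    the 'delta' a resumed guest has to close before it is back to spec."""
    return (now - parse_ts(baseline)).days


def resume_decision(vm: dict, now: datetime, max_gap_days: int = 30) -> dict:
    """Policy applied when a guest is powered on or resumed (assumed policy):
    a baseline older than max_gap_days gets 'update-first', i.e. the guest is
    held on an update-only network until patched; otherwise 'allow'."""
    gap = gap_days(vm["baseline"], now)
    action = "update-first" if gap > max_gap_days else "allow"
    return {"vm": vm["name"], "gap_days": gap, "action": action}


def audit(vms: list, snapshots: dict, now: datetime, max_gap_days: int = 30) -> dict:
    """Return the guests that need updating before they touch the LAN, and
    the stale snapshots together with every clone that inherits their posture."""
    decisions = [resume_decision(vm, now, max_gap_days) for vm in vms]
    stale_vms = [d for d in decisions if d["action"] == "update-first"]
    stale_snapshots = {}
    for name, snap in snapshots.items():
        gap = gap_days(snap["baseline"], now)
        if gap > max_gap_days:
            clones = [vm["name"] for vm in vms if vm.get("parent") == name]
            stale_snapshots[name] = {"gap_days": gap, "clones": clones}
    return {"stale_vms": stale_vms, "stale_snapshots": stale_snapshots}


if __name__ == "__main__":
    report = audit(VMS, SNAPSHOTS, NOW)
    for d in report["stale_vms"]:
        print(f"{d['vm']}: baseline {d['gap_days']} days old -> {d['action']}")
    for name, info in report["stale_snapshots"].items():
        print(f"snapshot {name}: {info['gap_days']} days stale; clones: {', '.join(info['clones'])}")
```

The snapshot check is the one that catches the clone problem: the running clones vdi-101 and vdi-102 never went through a resume, so a resume-time gate alone would miss them, but their parent snapshot is flagged and they are listed against it.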

Updating virtual machines is essential to staving off such attacks, but because many virtual servers share one physical host and its storage, the job is harder than it is on dedicated hardware.

The easiest solution – installing regularly-updated malware scanners inside those virtual machines – creates other problems, since malware scanning and protection are intrinsically demanding on limited computing resources.

Bringing up a dozen virtual machines at the same time, for example, will drive a spike in IOPS (I/O Operations Per Second, a measure of the storage I/O load the guests place on the physical host's shared storage) as the scanners update their signatures and churn through each virtual disk looking for malware. The result can be a performance hit on every virtual machine sharing that host and storage, which in turn degrades the user experience.
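The spike is easy to put numbers on. The model below is an added illustration, not anything from the article or from Trend Micro: it assumes a fixed IOPS cost and duration per in-guest scan (both constants are invented) and compares a dozen guests scanning at once against the same scans released in waves of at most three. Staggering is only a partial fix for in-guest agents, which is the article's point; it lowers the peak but stretches the window during which some guests are still unscanned.

```python
"""Model the scan storm: N guests resuming together, each running a full
scan that costs a fixed IOPS budget for a fixed time, versus the same scans
released in waves of at most K at a time.

Added example with assumed constants; not vendor code or measured data."""

SCAN_IOPS = 400      # assumed IOPS one guest generates during a full scan
SCAN_MINUTES = 20    # assumed wall-clock minutes for one full scan


def schedule(vm_names: list, max_concurrent: int, scan_minutes: int = SCAN_MINUTES) -> list:
    """Greedy wave scheduling: guest i starts in wave i // max_concurrent,
    so no more than max_concurrent scans ever overlap.
    Returns a list of (vm_name, start_minute)."""
    return [(vm, (i // max_concurrent) * scan_minutes) for i, vm in enumerate(vm_names)]


def peak_iops(sched: list, scan_minutes: int = SCAN_MINUTES, scan_iops: int = SCAN_IOPS) -> tuple:
    """Sweep minute by minute over the schedule and return
    (highest aggregate IOPS the host sees, total minutes until all scans finish)."""
    if not sched:
        return 0, 0
    end = max(start for _, start in sched) + scan_minutes
    peak = 0
    for t in range(end):
        active = sum(1 for _, start in sched if start <= t < start + scan_minutes)
        peak = max(peak, active * scan_iops)
    return peak, end


if __name__ == "__main__":
    guests = [f"vdi-{i:03d}" for i in range(12)]   # constructed guest names
    for k in (12, 3):
        peak, minutes = peak_iops(schedule(guests, k))
        print(f"max {k:2d} concurrent: peak {peak} IOPS, all scans done in {minutes} min")
```

With the assumed figures, twelve simultaneous scans put 4,800 IOPS on the shared storage for 20 minutes; waves of three cap it at 1,200 IOPS but take 80 minutes, during which the last wave of guests is on the network unscanned. Moving the scan engine out of the guests, as the article goes on to describe, removes that trade-off rather than tuning it.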

Given the need to minimise the IOPS that virtual machines impose on shared infrastructure, security vendors such as Trend Micro have shifted the scanning function out of the guests and into a dedicated security appliance that is tightly integrated with the hypervisor, scanning guests through the hypervisor rather than from an agent inside each one.

“You need to have scanning in there somewhere,” Gioia explained. “But security scanning is the one thing on the client that involves high IOPS. You take lots of that and put it over your shared host adapters, and you’ll start to see spikes in demand. By moving that function to a dedicated appliance, you’ve removed that footprint and all the IOPS contention is gone.”


Stories by David Braue
