Attacking Sandboxes

← Back to Stories (view on slashdot.org)

Posted by kdawson on Sunday July 15, 2007 @12:05PM from the just-another-brick-in-the-wall dept.

SkiifGeek writes "Many anti-malware applications use a sandbox as a tool to help identify potentially malicious software. Now knowledge is spreading about techniques and methods that can allow sandboxed software to target the sandbox itself (and by extension the application that applied it). While attacks that specifically target sandboxing applications are probably a little way off, this technology can be considered the logical extension of techniques and procedures to identify the presence of hosted systems (VMWare, Virtual PC, etc.)."

110 comments

Min score:

Reason:

Sort:

Enter the Sandbox by Anonymous Coward · 2007-07-15 12:08 · Score: 2, Funny

So when will we be able to attack the Matrix?
Sandbox the sandbox by robo_mojo · 2007-07-15 12:08 · Score: 4, Funny

That's ok. We can just sandbox the sandbox and still be safe.
1. Re:Sandbox the sandbox by langelgjm · 2007-07-15 12:19 · Score: 4, Funny
  
  But who will sandbox the sandboxers?
  
  --
  "Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
2. Re:Sandbox the sandbox by GizmoToy · 2007-07-15 12:23 · Score: 4, Funny
  
  You know, this was marked as Funny but I wouldn't be surprised if this was suggested as a solution at some point. "Hell, just wrap it in another (insecure) layer and it'll be fine."
3. Re:Sandbox the sandbox by Gregb05 · 2007-07-15 12:43 · Score: 1
  
  This article seems to be a bit of FUD to me.
  Most of the sandboxed systems it refers to in the article are anti(virus/spyware/malware) programs. If the machine is already compromised with some malware, there's no real incentive for a virus to become active only when Symantec's VM runs across them. If it's already on the system, there's no limit to the damage a file could do through other (more direct) methods.
  
  Referring to a cousin comment, it's probably better for the malware to lay low when scanned rather than to take advantage of the virus scanner.
  
  --
  --
4. Re:Sandbox the sandbox by ehrichweiss · 2007-07-15 13:37 · Score: 4, Funny
  
  HA! I got you on that one!!! It's sandboxes all the way down!!!!!
  
  --
  0x09F911029D74E35BD84156C5635688C0
5. Re:Sandbox the sandbox by CastrTroy · 2007-07-15 13:47 · Score: 5, Interesting
  Sounds like the security methods most online banking systems use. Here's the current layers:
  
  password
  
  mother's maiden name/ what's you're favourite movie
  
  secret picture
  
  randomized keypad for entiring password
  
  It's all layers of useless crap piled on top of eachother which doesn't stop the real problem of people falling for stupid fishing sites, and entering a password in a site that looks like their bank's. If they really wanted to add real security they'd hand out RSA key fobs to everyone instead of adding layers of stuff that makes it look more secure but actually isn't.
  --
  
  Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
6. Re:Sandbox the sandbox by Meski · 2007-07-15 14:01 · Score: 2, Interesting
  
  When the real layer is equally insecure, how will you know you have reached it?
7. Re:Sandbox the sandbox by Miseph · 2007-07-15 14:37 · Score: 2, Insightful
  
  Because the AV/S/M app is frequently able to obtain all sorts of wacky permissions and access, it could be viable to piggyback on it into otherwise secure systems. For example, if an AV was set up such that it could scan encrypted data, then exploiting it to get past the encryption could be feasible.
  
  --
  Try not to take me more seriously than I take myself.
8. Re:Sandbox the sandbox by billcopc · 2007-07-15 15:11 · Score: 3, Insightful
  
  So you're saying the RSA key fob isn't another useless insecure layer of crap ? Have you even HEARD their sales pitch ?
  
  --
  -Billco, Fnarg.com
9. Re:Sandbox the sandbox by Poltras · 2007-07-15 15:20 · Score: 3, Insightful
  
  as long as USERS don't understand it, yes it is useless. Secure the communication and provide X509 certs all you want, if the user think it's a bank, he will enter his password.
  
  --
  Of Code And Men
10. Re:Sandbox the sandbox by arminw · 2007-07-15 16:35 · Score: 2, Informative
  
  ..... If they really wanted to add real security they'd hand out RSA key fobs to everyone......
  
  Does that mean the use is restricted to the users own computers or any others that has the correct interface and software which is able to send the key-fob data to the bank's server at the correct time?
  
  A password will work with *any* computer, but a piece of hardware, whether key-fob or biometric scanner will only work with a computer that has the correct software installed on it. That software would have to be standardized and work with every OS and all hardware that can at present access the bank's systems wit a password. All security, computer or physical, ultimately based on something you know, or something you have or both.
  
  --
  All theory is gray
11. Re:Sandbox the sandbox by sunami88 · 2007-07-15 17:53 · Score: 2, Funny
  
  When sandboxes are outlawed, only outlaws will have sandboxes.
  
  Oh Slashdot, your memes are teh win.
  
  --
  Sex. Drugs, and Unix.
12. Re:Sandbox the sandbox by Mike89 · 2007-07-15 19:08 · Score: 2, Funny
  
  falling for stupid fishing sites
  Yeah, somehow these places always manage to hook me with their bait.
13. Re:Sandbox the sandbox by TheLink · 2007-07-15 19:53 · Score: 1
  
  No. It's restricted to people who can submit the correct username and password, and correct number from the keyfob, in the three fields on the bank's login form, within X minutes for when the number from the keyfob is valid.
  
  Alternatively, if you have a smart keyfob, you punch in your password (cached for say 5 minutes) and then out comes some new number which you then use to log in.
  
  There are plenty of other alternatives - ask the crypto people.
  
  Still you do not want to be using an untrusted computer since once you are logged in, the malware will presumably get the resulting cookie and could do the naughty stuff secretly (BUT some banks require you to revalidate for important stuff like transferring money).
  --
  
  Too many replies beneath your current threshold
14. Re:Sandbox the sandbox by mcrbids · 2007-07-15 20:16 · Score: 2, Insightful
  
  as long as USERS don't understand it, yes it is useless. Secure the communication and provide X509 certs all you want, if the user think it's a bank, he will enter his password.
  
  I don't think you understand what he's really saying - you could hand out RSA key fobs and/or client certificates that authenticate the browser to the bank. Without that, the password would/could be utterly useless.
  
  If the bank uses the key fob, you can't enter by password alone. If the bank uses client certificates, then that must be installed on the browser first. (much more difficult than just lifting a password)
  
  Now, if only they made it easier to set up client certificates...
  
  --
  I have no problem with your religion until you decide it's reason to deprive others of the truth.
15. Re:Sandbox the sandbox by 0xygen · 2007-07-15 21:01 · Score: 2, Interesting
  
  How does prevent the existing real time man in the middle attack?
  
  e.g. user visits phisherman's site, phisherman's server visits bank, passes on RSA auth request to user's browser, user's browser passes auth request back to phisherman, who passes it to bank. Phisherman now logged on as user?
16. Re:Sandbox the sandbox by Anonymous Coward · 2007-07-15 23:15 · Score: 0
  
  In Soviet Slashdot, teh win memes you!
17. Re:Sandbox the sandbox by gnasher719 · 2007-07-15 23:42 · Score: 1
  
  '' I don't think you understand what he's really saying - you could hand out RSA key fobs and/or client certificates that authenticate the browser to the bank. Without that, the password would/could be utterly useless. ''
  
  A very low-tech approach would be this: On your paper bank statement that you receive every month, print a list of twenty 10-digit access codes. Each access code can be only used by you, in the following month, and only once. One month delay so you can tell your bank if the statement didn't arrive or looked tampered with. There would still be some danger that someone could steal _one_ access code via fishing, but not more.
18. Re:Sandbox the sandbox by Random832 · 2007-07-16 01:13 · Score: 1
  
  So what do you propose to do after you log in twenty times in a month?
  
  --
  We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
19. Re:Sandbox the sandbox by Anonymous Coward · 2007-07-16 01:54 · Score: 0
  
  Key fobs are nice. They are good for stopping replay attacks. However, you can still do a man-in-the-middle type
  fishing attack despite them, since all you're doing is passing on the credentials. SSL/TLS certificates on the otherhand
  are a good way of verifying a websites identity and therefore contribute far more in stopping fishing attacks.
20. Re:Sandbox the sandbox by Lord+Ender · 2007-07-16 02:49 · Score: 1
  
  Phishers can still MITM two-factor authentication. OTP methods, like SecurID, and smartcard authentication (hardware-based client X.509 certs), can be forwarded on to a bank if you get the user to go to a bogus site.
  
  --
  A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
21. Re:Sandbox the sandbox by murukusu · 2007-07-16 04:10 · Score: 1
  
  Here in Finland we have a system where the bank sends 80 one-time passwords to the customer along with 18 reusable passwords. To log on into the bank's website you need your customer id with the one-time password. To do anything in the website, eg pay the bills or do a money transfer to another account, you need to accept the transaction with one of the reusable passwords. When you've reached 60th or so of the passwords the bank sends you a list of the next 80 passwords. I feel it's secure and quite easy to use a system
22. Re:Sandbox the sandbox by owlstead · 2007-07-16 06:19 · Score: 1
  
  "If they really wanted to add real security they'd hand out RSA key fobs to everyone instead of adding layers of stuff that makes it look more secure but actually isn't."
  
  Bah, all banks in the Netherlands, and most of Europe, do this. Either that or they rely on mobile devices or one time codes to do secure login and transaction authentication. If they didn't, I would switch banks. Although the security devices here are delivered by a company named Vasco. The devices are not connected to the PC as you indeed mention in a reply on a reply. Time for the US banks to catch up.
23. Re:Sandbox the sandbox by CastrTroy · 2007-07-16 06:31 · Score: 1
  
  Are such things legislated into existence, or are the people running EU banks just that much more informed about what the real solutions are? Are there different laws for who is held accountable when money goes missing from someone's account? It seems to me like the US/Canadian banks are just trying to make things cheaper, and that, left to make their own decisions, the European banks would have the same crappy security. Is there any reason that the European banks would have something like this. Is it something the customers asked for? Or something that they are required to have?
  
  --
  
  Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
24. Re:Sandbox the sandbox by mcrbids · 2007-07-16 09:18 · Score: 1
  
  How does prevent the existing real time man in the middle attack?
  
  This question belies a misunderstanding of public-key cryptography. With public cryptography (often called dual-key cryptography) the only thing exposed is a public key, which can only be used to encrypt. Without the matching private key, anything encrypted with the public key is indecipherable.
  
  Thus, the man-in-the-middle attack is prevented.
  
  --
  I have no problem with your religion until you decide it's reason to deprive others of the truth.
25. Re:Sandbox the sandbox by Lost+Engineer · 2007-07-16 14:21 · Score: 1
  
  I think that would really tee off the users. Having to keep your statement around for a month? I throw mine out as soon as I verify that there is roughly the expected amount of money in my account.
  
  Plus banks are trying to push people to electronic statements. They're actually more secure, since mail theft is a very common method of obtaining personal information.
  
  I would also appreciate it if they didn't let someone log in use "bill" pay, which I had never previously used, to send himself (well probably some else but I digress) a check for the entire contents of my account, then claim it was my fault that they couldn't recognize such an obvious fraud. Personally I think online access should be read and transfer only, unless explicitly authorized in person or by notarized document, and then bill pay should be limited to verifiable companies, not random ass strangers.
26. Re:Sandbox the sandbox by 0xygen · 2007-07-17 05:04 · Score: 1
  
  Sorry, you are indeed correct if we assume they are handing out private keys.
  
  When you said "RSA key fobs" I instantly thought of RSA SecurID tokens, which believe do not provide this as a feature, so would leave the mentioned hole open. However private keys clearly are provided by the RSA Smart Key range, which, as you say, would stop the MITM.
  
  Does anyone know if RSA Smart Keys (or equivalent) actually integrate with browsers easily?
27. Re:Sandbox the sandbox by billcopc · 2007-07-25 15:42 · Score: 1
  
  Every single bank I've dealt with, has done some sort of semi-secure bill registration. In some cases I even had to call a human being to add a bill to my account. If someone breaks into my online banking, the worst they could do is overpay my bills. That's very evil, but it doesn't benefit the intruder much at all, save for the sadistic pleasure of giving my money to my worst enemy: Rogers Telecom. If your bank lets anyone send money anywhere, you need to start shopping for a new bank.
  
  Mind you, I'm in Canada. Things are different here. I'm obviously biased, but it seems I hear about so many stupid scams in the USA because of the unbridled capitalism and the mentality that government should not get involved. Not enough rules leads to an unbalanced game. Up here in the great north, there's a laundry list of consumer rights agencies, many of them government-funded, that will brow-beat banks into doing the right thing for their customer.
  
  --
  -Billco, Fnarg.com
28. Re:Sandbox the sandbox by Lost+Engineer · 2007-07-26 09:58 · Score: 1
  
  I was at BofA at the time, lured in by their student accounts with no fees and forgiven overdraft fees. Of course I dropped them after that incident.
  
  For anyone in the US reading this, I would recommend finding a credit union. Since they are owned by the members, they are generally more responsive, offer lower rate mortgages to long time customers, etc. Also your money is lent out to people like you, based on whatever criteria for which you can find a credit union including: your religion, your local region, your profession/union.
Serves us right by jimbug · 2007-07-15 12:13 · Score: 3, Funny

for building a box out of sand. what were we thinking?

--
Bite my shiny metal ass.
1. Re:Serves us right by RAMMS+EIN · 2007-07-15 13:44 · Score: 2, Funny
  
  I thought sand was central to most boxen.
  
  Well, silicium, anyway.
  
  --
  Please correct me if I got my facts wrong.
Old news by Nick_taken · 2007-07-15 12:18 · Score: 4, Informative

Theres a simple detection program called RedPill that probes a simple method to do so, vmware leaves a lot of registry keys on windows, VirtualBox lacks supports for hardware breakpoints, cpu cycles counts is another way to detect virtualization, and some packed malware dont even run on virtual machines because of memory management, software packed with armadillo do not run on vbox and it used to fail on vmware player until they fixed that bug.

"Thwarting Virtual Machine Detection" is a nice paper on virtual machine detection.
1. Re:Old news by QuantumG · 2007-07-15 13:10 · Score: 2, Insightful
  
  It's pretty trivial to find a dozen ways to detect a virtual machine, just make a project that generates some random bytes and then jump to the bytes. Put the program in a script that calls it over and over again with a seed for the random number generator. When the VM crashes, look at the last seed that was used. Run the program again with that seed to confirm it is repeatable. This also happens to be a good way to detect if your VM is any good and fix it when it isn't. Unfortunately, many things are just so obscure on the x86 architecture that fixing all these bugs is just a chore that doesn't get you any big payout (as no real code uses these obscure things) so most VM developers don't bother.
  
  --
  How we know is more important than what we know.
2. Re:Old news by Anonymous Coward · 2007-07-15 14:05 · Score: 0
  
  Some time ago, I managed to bust out (uncontrollably) from the VMWare Server guest box. The trick I found required megabytes of code and ring-0 control of the guest machine. It involved a bug in v86 emulation that would propagate outwards in a manner I never could fully characterize.
  
  What I did:
  1. Installed MS-DOS 6.2
  2. Installed Windows 3.1 (the Win 3.1 Y2K patch is slipstremed into my install disks).
  3. Installed Win32s with the FreeCell sample shipped for developers.
  4. Executed FreeCell. This crashed Win3.1 back to a DOS prompt.
  5. Executed mem /c. This crashed.
  6. Rebooted the VM. This rebooted the host as often as not.
  
  I suspect the bug lies somewhere in emulating the (probably insane) CPU state the machine is left in after that sequence.
3. Re:Old news by bluephone · 2007-07-15 19:47 · Score: 1
  
  VMWare doesn't have any tools for DOS, so they recommend a third party tool called DOSidle so that when DOS is, well, idle, it won't continue to suckup 100% CPU doing nothing. It sounds like your hack is exploiting that flaw as well as 16/32bit thunking and memory emulation flaws. This is, mm, interesting. I'll have to play with this. On a box that I don't mind being rebooted spontaneously. ;)
  
  --
  jX [ Make everything as simple as possible, but no simpler. - Einstein ]
4. Re:Old news by AndroidCat · 2007-07-15 23:48 · Score: 2, Interesting
  
  I remember when Lotus 1-2-3 had code designed to crash if was run with debug.
  
  --
  One line blog. I hear that they're called Twitters now.
Strike vs Counterstrike by mcrbids · 2007-07-15 12:18 · Score: 5, Insightful

There will never, ever be an end to this.

As long as people are imperfect (and they always will be) there will be measures, countermeasures, and counter-counter measures. New techniques will make old ones obsolete, and even newer techniques will make the once-new techniques no longer apply.

With this understanding, any technology that can outsurvive more than one or two iterations of other products in the same field becomes "venerable" and "stable".

Which makes now a particularly good time to appreciate the guys who worked out the spec for TCP/IP some 30 (?) years ago. Despite going from mainframes, to minis, to PCs, and now on to the era of ubiquitous computing, the basic concepts and ideas behind the TCP/IP specification continue to hold steady and useful. They managed to come up with a technology, that whatever flaws have actually been found, hasn't come up against any real show-stoppers. None.

To which I can only say: WOW.

--
I have no problem with your religion until you decide it's reason to deprive others of the truth.
1. Re:Strike vs Counterstrike by Anonymous Coward · 2007-07-15 12:52 · Score: 0
  
  As long as people are imperfect (and they always will be)
  Speak for yourself. I consider myself as a perfect being. Thank you very much.
2. Re:Strike vs Counterstrike by QuantumG · 2007-07-15 13:06 · Score: 1
  
  uhhh.. TCP hijacking is almost just as easy now as it was 10 years ago. Back then you didn't have a whole lot of switches (they were much more expensive than hubs) so you could sniff packets for other hosts easier, but the act of hijacking TCP connections is still a major flaw in the protocol. We just work around it.
  
  --
  How we know is more important than what we know.
3. Re:Strike vs Counterstrike by imemyself · 2007-07-15 13:30 · Score: 1
  
  Back then you didn't have a whole lot of switches (they were much more expensive than hubs) so you could sniff packets for other hosts easier,
  
  Would that really be considered a flaw in TCP/IP though? That's really Ethernet's (L2/L1) fault, TCP/UDP (Layer 4) and IP (Layer 3) aren't really involved with hubs/non-L3 switches (Layer 1 and 2 respectively).
  
  On another note:
  
  How many of the major flaws/security issues have been entirelly the fault of the protocol's specification? I honestly don't know, I usually don't look that much into the details about security flaws, but it would seem like more of the problems would be in the implementation of the protocols.
  
  --
  Every time you post an article on Slashdot, I kill a server. Think of the servers!
4. Re:Strike vs Counterstrike by QuantumG · 2007-07-15 13:37 · Score: 2, Insightful
  
  It's not about being able to sniff packets. That just makes it more applicable because, back then, you didn't need to be upstream. Today, if you're upstream of an end point you can hijack a TCP connection.
  
  --
  How we know is more important than what we know.
5. Re:Strike vs Counterstrike by Johnno74 · 2007-07-15 14:04 · Score: 1
  
  I thought that TCP hijacking was possible because of vulnerbilities in Sequence number generation in some TCP implementations, which have now been fixed?
6. Re:Strike vs Counterstrike by QuantumG · 2007-07-15 14:15 · Score: 1
  
  That's only the case for blind TCP hijacking.
  
  --
  How we know is more important than what we know.
7. Re:Strike vs Counterstrike by Anonymous Coward · 2007-07-15 14:16 · Score: 0
  
  There will never, ever be an end to this.
  
  Only if you never, ever learn thermodynamics.
8. Re:Strike vs Counterstrike by mcrbids · 2007-07-15 19:12 · Score: 3, Insightful
  
  TCP hijacking is almost just as easy now as it was 10 years ago.
  
  It may be even easier. Who cares? However you look at it, TCP is doing its job. If you want to prevent against hijacking, the layered topology of the communication stack lets you prevent that at a higher level. (EG: Using encryption - which can be interrupted, but not hijacked)
  
  TCP hijacking is merely a side effect of a missing layer in the stack of your application.
  
  --
  I have no problem with your religion until you decide it's reason to deprive others of the truth.
9. Re:Strike vs Counterstrike by bluephone · 2007-07-15 19:50 · Score: 1
  
  I'd have to say that's because they designed a solution that was compact, well defined, and didn't overreach and try to solve world hunger. They just designed a solution to the problem at hand. When your project starts trying to solve problems that you didn't start out to solve, that's where issues creep in. It's the /other/ downside to feature creep. Creeping features have creeping bugs. I'm a sucker for well compartmentalized and focused design.
  
  --
  jX [ Make everything as simple as possible, but no simpler. - Einstein ]
10. Re:Strike vs Counterstrike by moderatorrater · 2007-07-15 19:52 · Score: 1
  
  I'm a sucker for well compartmentalized and focused design. And that's why you'll never advance in the company.
11. Re:Strike vs Counterstrike by TheLink · 2007-07-15 19:59 · Score: 1
  
  If you can't do blind hijacking then TCP is fine and doing it's job.
  
  Just use SSL if you want more security. There's no point paying the extra cost of encryption when you don't need it.
  
  You need to do lots of extra stuff (check certs etc) if you do not want to be hijacked by MITM attacks.
  --
  
  Too many replies beneath your current threshold
12. Re:Strike vs Counterstrike by Errtu76 · 2007-07-15 21:08 · Score: 1
  
  CS .. now WoW ... are you sure you're posting in the right thread?
13. Re:Strike vs Counterstrike by master_p · 2007-07-16 00:34 · Score: 1
  
  There will never, ever be an end to this.
  It all depends on the host architecture: if it's properly engineered, then malware wouldn't even be a possibility. But as it is right now, PC operating systems are random bits of code thrown together without a clear architecture with security in mind. The overall PC architecture does not lend a hand to security.
14. Re:Strike vs Counterstrike by bluephone · 2007-07-16 08:06 · Score: 1
  
  That's why I work for myself. :)
  
  --
  jX [ Make everything as simple as possible, but no simpler. - Einstein ]
Once again, they didn't read the article. by Cafe+Alpha · 2007-07-15 12:28 · Score: 5, Insightful

The article didn't say that they've found code that attacks sandboxes, it said that they've found code that detects a sandbox (VMWare for instance) and plays innocent so as to avoid detection through the sandbox.

It also said that software has been found that detects when it's attached to a debugger. Big deal, copy protection schemes have been doing that for decades.

The article then goes on to FUD that code that attacks the sand box "must" be coming.

Oh, it must be coming. Uhuh.
1. Re:Once again, they didn't read the article. by Anonymous Coward · 2007-07-15 12:34 · Score: 0
  
  This should be modded up. Malware has no intention of ever attacking Sandboxed systems. User's who are running them are likely to be highly competent developers or highly paranoid. Either way, attacking said system has a prohibitive effort/pay-off ratio.
  Being ignored, or simply delaying detection will have its advantages, as the malware avoids detection and study, allowing it to spread to other, more cost-effective users.
2. Re:Once again, they didn't read the article. by Anonymous Coward · 2007-07-15 12:35 · Score: 0
  
  The article doesn't mention it, but VMware has had bugs that let malicious code "escape" onto the host. An example. Virtual machines aren't perfect.
3. Re:Once again, they didn't read the article. by xigxag · 2007-07-15 17:21 · Score: 1
  
  Interesting. So is there a way to SIMULATE running in a sandbox - in terms of a simple program could be installed by Joe Idiot and use up very few cpu cycles, so that the malware would believe the system was being sandboxed and thus behave innocently?
  
  --
  There are two kinds of people: 1) those who start arrays with one and 1) those who start them with zero.
4. Re:Once again, they didn't read the article. by Lord+Kano · 2007-07-15 19:23 · Score: 1
  
  The article didn't say that they've found code that attacks sandboxes, it said that they've found code that detects a sandbox (VMWare for instance) and plays innocent so as to avoid detection through the sandbox.
  
  How long before someone codes up a hack to make a real instance appear to be a sandbox so that malware will go dormant?
  
  LK
  
  --
  "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
5. Re:Once again, they didn't read the article. by moderatorrater · 2007-07-15 19:57 · Score: 1
  
  Yes, that may be the case right now, but at one time the internet was the domain of the highly competent developers and look how that turned out.
6. Re:Once again, they didn't read the article. by TheLink · 2007-07-15 20:02 · Score: 1
  
  Sure that's called running stuff in a sandbox with hardware sandbox support.
  
  Just wait till Intel VT and AMD Pacifica improve.
  --
  
  Too many replies beneath your current threshold
7. Re:Once again, they didn't read the article. by FreakyLefty · 2007-07-16 00:07 · Score: 1
  
  The article then goes on to FUD that code that attacks the sand box "must" be coming.
  
  Verbing weirds acronyms.
  
  --
  Strength through redundancy and over-design
8. Re:Once again, they didn't read the article. by A+non-mouse+Coward · 2007-07-16 04:53 · Score: 1
  
  Right, but if you think about how a person would determine if software was bad...
  
  Imagine that an "analyst" is either not allowed to use automated tools or that s/he doesn't have any (but if s/he doesn't have any, why do this? Just bear with me...). If the analyst looks at each instruction and maps them all out, the analyst would then be able to see if the software is benevolent or malevolent. The analyst could also see if the software attempts to determine if it's running in a VM, etc.
  
  This is why I think that, in the end, only a lazy analyst could be defeated (i.e. one that isn't looking closely at the instructions or at all of the instructions hitting the CPU). And if a human can do it, we could certainly build better automated tools to work more slowly and under less assumptions, asking the human analyst for input as necessary.
  
  --
  libertarian: (n) socially liberal, financially conservative; neither left, nor right.
Umm... yes? And? by Opportunist · 2007-07-15 12:43 · Score: 5, Interesting

That malware detects VMs is old news. I'd wager about 60% of current malware has VM detection built in. About as many have debugger detection. Some overlapping allowed.

So far, malware that "breaks out" of the sandbox would be new to me (though I'd be grateful for a sample). Though, seriously, why not run a VM with Windows (to analyze) on a box running Linux? I'd be very interested if someone manages to do the feat of creating a piece of malware that manages to break out of the sandbox and then run on a machine with a completely different operating system.

If you wanna throw another stick between the malware's feet, run the VM on a non-i386 architecture. If someone manages to break out of THAT and manages to hijack my machine, he really earned it and should get it.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
1. Re:Umm... yes? And? by Anonymous Coward · 2007-07-15 14:05 · Score: 0
  
  Stealth (i.e. undetectable) debuggers seem possible in principle. The only one I know about is
  Cobra. Unfortunately it looks proprietary and closed source.
  
  If anyone knows of free-software stealth debuggers I'd like to hear about them.
2. Re:Umm... yes? And? by martin_henry · 2007-07-15 18:53 · Score: 1
  
  I'd wager about 60% of current malware
  Are you saying that you own over 60% of current malware?
  
  --
  www.purevolume.com/martyd
3. Re:Umm... yes? And? by LittleBigLui · 2007-07-15 20:02 · Score: 1
  
  Are you saying that you own over 60% of current malware?
  
  It's just too tempting:
  In soviet russia, malware pnws YOU! :)
  
  --
  Free as in mason.
4. Re:Umm... yes? And? by Opportunist · 2007-07-15 21:23 · Score: 2, Funny
  
  Actually, forget the "in soviet". "Russian malware pnws YOU!" is more to the point.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
5. Re:Umm... yes? And? by Opportunist · 2007-07-15 21:26 · Score: 1
  
  Well, you know, some collect stamps, some collect trading cards... hey, everyone needs a hobby.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
6. Re:Umm... yes? And? by teh_chrizzle · 2007-07-16 06:05 · Score: 1
  
  why not run a VM with Windows (to analyze) on a box running Linux? I'd be very interested if someone manages to do the feat of creating a piece of malware that manages to break out of the sandbox and then run on a machine with a completely different operating system.
  
  you are right, the point of using virtualization is to isolate applications from one another and the host operating system, but that is not the only security feature provided by virtualization.
  
  the article fails to mention that most virtualization packages let you take snapshots of a running system and move machines to and from different physical hosts.
  
  the worst hypothetical case would be for malware to break out of the VM and infect the host, causing the host to infect other VMs. malware would have to break out of the compromised VM, break into the host, and then break back into the other VMs running on the host... now my brain hurts :-(
  
  even if this "doomsday scenario" were to come to pass the damage done could be mitigated thanks to virtualization. once a VM was determined to be infected, you could stop it in place and check your host. if the host is determined to be infected, you could stop all your other VMs and migrate them to an alternate host which is known to be malware free. any infected hosts could be restored from non-infected snapshots as soon as the files were copied to the proper location.
  
  If you wanna throw another stick between the malware's feet, run the VM on a non-i386 architecture. If someone manages to break out of THAT and manages to hijack my machine, he really earned it and should get it.
  
  i think that emulating one chip architecture while running on another would impact performance significantly. i used to use kju to run a win2k machine on my mac G5 tower and the machine worked but it was hella slow. winXP on an intel based macbook pro was significantly faster.
  
  --
  sarcasm:
  -noun
  1. harsh or bitter derision or irony.
7. Re:Umm... yes? And? by owlstead · 2007-07-16 06:29 · Score: 1
  
  "If you wanna throw another stick between the malware's feet, run the VM on a non-i386 architecture. If someone manages to break out of THAT and manages to hijack my machine, he really earned it and should get it."
  
  I don't see what kind of difference this makes. It's pretty easy to compile stuff to run on multiple platforms. I don't see how it is any more difficult to break out of a virtual box running xxx and infect yyy than it is to break out of xxx and infect xxx. Much of the same VM code - including bugs and flaws - would be in both xxx and yyy, and recompiling is - well - easy.
8. Re:Umm... yes? And? by Opportunist · 2007-07-16 10:01 · Score: 1
  
  The tricky part is to compile malware that runs on one architecture yet has the ability to infect another architecture. Yes, it's possible. What you'd have to do is to create malware that runs on the target (host) architecture, then wrap it in code for the VM'ed architecture.
  
  Simply recompiling won't cut it, though. You have to roll two very heterogenous binaries into one. The lengths you'd have to go to to create something like this tell me that we'll never see more of that than a PoC.
  
  Malware is a business. The times when it was geek dick-waving to show who's got the longest are long gone. Current malware is about as shoddy as business software, it's clogged, bloated and often created using RAD tools. Sometimes even VB.
  
  It hurts me, from an artistic point of view. Where are the times when malware creators prided themselves that they've written the smallest file infector or the trickiest rootkit? Today, it's just "it compiles, gets the job done, fire up the spambots".
  
  *sigh*
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Re:Watch what I can do by click2005 · 2007-07-15 12:51 · Score: 4, Funny

I've got friends who know how to block your friend's actions.

--
I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
oh, yes by Anonymous Coward · 2007-07-15 13:00 · Score: 0

If you'll review the vmware source,
you'll see, about line 452 of vm_ostat.c,
that there is a major flaw.
This might be good for end-users by tkrotchko · 2007-07-15 13:05 · Score: 1

Stuff like this will make VMWare, Parallels, and others improve their product so it becomes difficult (if not impossible) to detect that the host is virtual.

By the same token, it suggests a new attack against malware.... find out what makes a piece of malware think it's running on a VM and then make a physical machine react the same way. The possibilities are endless here.

--
You were mistaken. Which is odd, since memory shouldn't be a problem for you
1. Re:This might be good for end-users by CastrTroy · 2007-07-15 13:54 · Score: 1
  
  Well, it isn't the point of VMWare and Parallels to ensure that it isn't detectable. A simple check of the video card driver or something else similar will show that it is indeed a virtual machine. If you wanted to build a VM that was much harder to detect, then it could be done. But instead VMWare et al have other priorities such as increasing the efficiency and adding management functions. If you have malware installed on your ESX server, then you got more issues then whether or not it can detect that you are running in a VM.
  
  --
  
  Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
2. Re:This might be good for end-users by arminw · 2007-07-15 17:19 · Score: 1
  
  ........A simple check of the video card driver or something else similar will show that it is indeed a virtual machine.......
  
  Not if the VM is emulates the actual HARDWARE accurately. Ultimately, if the emulation software is written to behave EXACTLY the same way the hardware it is emulating, there can be no SURE way any software running under that emulator can determine whether it is running on real hardware or not. Modern microprocessors are combinations of hardware and software also. The software part is called microcode, intimately associated with the actual gates and switches that make up the elements of every computer.
  
  It may not always be very efficient to emulate all hardware functions. Any software running on such an accurately emulated machine might be able to tell from the slower timings for certain operations, that it was running on a machine too slow for the kind of hardware the emulator is supposedly telling the software which is running such detection routines. However the software could not be SURE whether is wasn't running on real hardware on which the speed was deliberately throttled.
  
  VM makers of course are interested in efficiency. Making an undetectable VM accurately mimicking hardware probably would sacrifice too much efficiency.
  
  --
  All theory is gray
3. Re:This might be good for end-users by Lord+Kano · 2007-07-15 19:41 · Score: 1
  
  Not if the VM is emulates the actual HARDWARE accurately.
  
  VMWare emulates the same video and sound cards. All one has to do is check for the specified hardware. Look for the hardware emulated by VMWare and if you find it, turn off certain "functionality".
  
  LK
  
  --
  "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
4. Re:This might be good for end-users by kma · 2007-07-16 04:34 · Score: 1
  
  Stuff like this will make VMWare, Parallels, and others improve their product so it becomes difficult (if not impossible) to detect that the host is virtual.
  
  Why would it be an improvement on our (I work for VMware) products to make them undetectable? To the extent that malware disables itself in the presence of a VMM, VMMs only become more attractive for production use. Not all PCs are alike, and we make no effort to hide it, and yet the world continues in peace. We don't make any effort to hide the chipset, the vendor/model/stepping of the CPU you're using, the particular version of the vendor's BIOS, or the version and patches of the kernel. Why should a VMM be any different? I think we should just consider the virtual machine monitor another piece of the hardware/software stack on which you happen to find yourself running. In the long run, the arms race between "stealthy" VMMs and VMM detectors is hopelessly skewed in favor of the detectors, anyway.
5. Re:This might be good for end-users by arminw · 2007-07-16 05:28 · Score: 1
  
  ......All one has to do is check for the specified hardware. Look for the hardware emulated by VMWare and if you find it, turn off certain "functionality"......
  
  If that were done, then the real hardware in other systems would also be detected. That means if the VM emulated really popular hardware, the detector would give many false indications for the real hardware the potential malware would otherwise infect..
  
  --
  All theory is gray
6. Re:This might be good for end-users by tkrotchko · 2007-07-16 05:57 · Score: 1
  
  I see it as an improvement in the entire virtual machine evolution. Why can't virtualized machines emulate any given set of hardware? I want to look like a P3, or a P4, or something newer? It would be nice to make random piece of hardware visible or invisible to allow the virtual machine access to hardware (or not) as desired. I'd like to ability to hide from my software that it's been virtualized.
  
  As to VMWare, it's a great product, I've bought it and I use it, but the way it virtualizes CD's/DVD's, USB's and other hardware needs to be improved. Maybe the market is geared towards server virtualization. That's fine, but I'd like a lot more ability to control and configure the virtualized machine. Maybe I don't want it to emulate an S3 video card. Maybe I'd like it to emulate a USB sound card. More flexibility is better.
  
  --
  You were mistaken. Which is odd, since memory shouldn't be a problem for you
7. Re:This might be good for end-users by Lord+Kano · 2007-07-16 16:27 · Score: 1
  
  That means if the VM emulated really popular hardware, the detector would give many false indications for the real hardware the potential malware would otherwise infect..
  
  That's a big if. VMWare emulates less common hardware. How many people do you know who still use S3 video cards?
  
  LK
  
  --
  "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
You Don't Even Need Special Code to Detect VMwa... by Comatose51 · 2007-07-15 13:31 · Score: 1

To detech VMware, it's almost trivial. VMware can be detected with a built-in backdoor. The backdoor is a configurable setting that's on a lot of times. Programs like VMware Tools use it to enhance KVM operations. An easier check would be to look on the system to see if your network driver is the VMware NIC drivers.

"Piercing the abstraction" as they call it in the business, however, is much more difficult especially on a VM running on top of VMware's ESX, which don't actually interact with the guest OS except via software that uses the backdoor. If it is turned off, VMware doesn't talk to the guest OS so I don't see an easy way of doing this. VMware works by intercepting special system calls and getting out of the way and allowing the VM to execute its code on the CPU itself.

Solutions like paravirtualization would be more susceptible to these attacks than a hypervisor like VMware.

--
EvilCON - Made Famous by /.
Sand Toys by DanMelks · 2007-07-15 13:33 · Score: 1

So the little tykes are refusing to play nice in the sand box, so add some sand toys. I always wanted one of those little shovel things.
Question to those who sandbox by Anonymous Coward · 2007-07-15 13:39 · Score: 1, Interesting

Malware's built-in detection makes hell of the casual e-sleuth's investigation techniques, and there seems only one sure-fire way to make sure malware behaves as you wish; keep it on a real system. I'm mostly speaking of network-oriented malware (ie: botnet clients), where you don't really care so much about what goes on with the infected system, so much as what occurs during the control/attack phase.

So, does anyone know of a particularly home-friendly way to handle a real-hardware box? I'm not sure of the best way to do this, but I assume it may simply require a CD/DVD that boots windows, instead of re-imaging the drive every time you want to test something new (which sounds quite...painful).
Re:You Don't Even Need Special Code to Detect VMwa by QuantumG · 2007-07-15 13:52 · Score: 1

Setup a callgate, call it, the exceptions generated will be subtlety wrong. There's a lot of real weird stuff in the Intel instruction set that VMWare doesn't even try to emulate because the only OS that uses even 1% of it is OS2.

These are so called WONTFIX bugs.. all VMs have them. There ain't enough hours in the day to worry about every nook and cranny of the x86 architecture.

--
How we know is more important than what we know.
Great timing. :( by Anonymous Coward · 2007-07-15 13:58 · Score: 0

My wife just stormed out of the house, after we had an argument over whether Slashdot is "professional" for me or just encourages "antisocial views and behavior". I bet her that if we browsed to Slashdot RIGHT NOW the first headline would be NEWSWORTHY and NOT antisocial. "Attacking Sandboxes". Thanks a lot.
1. Re:Great timing. :( by Anonymous Coward · 2007-07-15 13:59 · Score: 0
  
  Yeah, you've a wife. brb, milking my girlfriend
Smells like MS FUD to me. by opieum · 2007-07-15 14:18 · Score: 0, Flamebait

This sounds like MS FUD to me. Considering that their aim is to stop virtualization (if they are not doing it on their crippleware). It makes their OS irrelevant. And the increasing amount of reports on how virtualization is helping build leaner more efficient server farms and the like bolster this.

This reeks of MS tactics. No proof yet but I am sure it will come out eventually. It usually does. I would not be surprised if they indirectly had something to do with finding these vulnerabilities. MS Fanbois flame away.
1. Re:Smells like MS FUD to me. by Anonymous Coward · 2007-07-15 14:30 · Score: 0
  
  No, this proves VMs have an advantage over regular hardware; they are resistant to malware.
This has been proposed in 1980s science fiction by Anonymous Coward · 2007-07-15 14:43 · Score: 0

An idea similar to this was proposed in 1980s science fiction. In particular, Eternity by Greg Bear had a computer virus that could escape any sandboxed environment.
Sandboxes and Firewalls by Sammy+Loo · 2007-07-15 14:58 · Score: 1, Funny

People will start to think of sandboxes like they do fire walls. (Hay its wallz of fires! hay im no0b!)

hahahahahahhahahahahaha

I hate when people do that.
1. Re:Sandboxes and Firewalls by Anonymous Coward · 2007-07-15 18:19 · Score: 0
  
  Security comes in layers, but it's important not to build your firewalls too tightly around your sandboxes or vice versa. The reasoning behind this is that sand is known to put out fires. Even when these two technologies are deployed properly this is usually not enough to secure a computer system, as both suffer from the same weakness: water.
Love this -- like the turtles.... by CFD339 · 2007-07-15 15:00 · Score: 4, Funny

Just remember....recursive code is great code, because its recursive, so its great.

--
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
1. Re:Love this -- like the turtles.... by ettlz · 2007-07-15 19:59 · Score: 4, Funny
  
  Just remember....recursive code is great code, because its recursive, so its great.
  Well I'd just like to point out thaStack overflow Aborted
All I saw was... by DelitaTheFridge · 2007-07-15 15:18 · Score: 1

Sandbox Sandbox Sandbox
1. Re:All I saw was... by Taleron · 2007-07-15 16:13 · Score: 1
  
  Developers, Developers, Developers?
  
  --
  Registered Linux User #449434
Detecting virtualization? by macemoneta · 2007-07-15 15:19 · Score: 3, Funny

Being able to detect virtualization would be great, if the technique can be generically applied.
There is no spoon

--
Can You Say Linux? I Knew That You Could.
Arms race for nothing by billcopc · 2007-07-15 15:23 · Score: 1

I've always said it, and I'll keep saying it until malware takes my baby away, but every time someone makes a smarter anti-virus, some teenager will create a better virus. It's the computer equivalent to pesticide: it kills one batch of bugs, but the next generation grows immune.

Meanwhile, I avoid ALL forms of anti-malware tools, and magically I rarely get infected. When I do, I notice pretty quickly because I actually pay attention to what my PC is doing. If a certain task (or game) is used to running smoothly, and all of a sudden it starts wigging out, I'll know something is up. It's not like malware has ever cared to be spartan when it comes to CPU and memory usage.

If McAfee could stop selling anti-virus software, and instead just sell a book or instructive video on how to not be stupid and how to not click on all those sexy ActiveX prompts, well first of all they'd go out of business because they're a sloppy ass company, but secondly maybe some people would actually develop the ability to not click everything under the sun.

As it stands, I am of ZERO value to malware authors because my PC doesn't get involved in their spam/botnets, nor do I spread the plague to my friends and coworkers. I'm also worth ZERO to the anti-virus companies. If more people could self-police their PC like me, it would put a dent in both the virus and anti-virus businesses and as a result, it would slow the evolution of malware.

If two kids are fighting over a silly toy, when you take away the toy, they find something else to occupy them. Virus authors are no different. Businesses are no different. Humankind as a whole is no different.

--
-Billco, Fnarg.com
1. Re:Arms race for nothing by dbIII · 2007-07-15 16:25 · Score: 3, Interesting
  
  Meanwhile, I avoid ALL forms of anti-malware tools, and magically I rarely get infected. When I do
  
  Isn't once enough for anyone? You did format and restore from a known good backup or install media afterwards didn't you? There's a tendency lately to trust that whoever had full control of your PC did nothing but run a set script and blindly hope that there is nothing else on there. I've played with various removal tools when people have given me compromised machines and different tools gave me different answers the other tools could not detect - perhaps there were some things neither could detect, hard to be sure especially when you are booting from a compromised system.
  Fdisk it from orbit - it's the only way to be sure.
2. Re:Arms race for nothing by Saurian_Overlord · 2007-07-15 17:05 · Score: 1
  
  If more people could self-police their PC like me, it would put a dent in both the virus and anti-virus businesses and as a result, it would slow the evolution of malware.
  
  Yeah, I did things that way for a long time myself. It's gotten to the point, however, at which things I trusted in the past are becoming littered with infectious software. I had no problems for years until fairly recently.
  
  If two kids are fighting over a silly toy, when you take away the toy, they find something else to occupy them. Virus authors are no different.
  
  By that logic, if we all "self-police" our PCs and "slow the evolution" of malicious programs as you predict, then the "virus authors" will simply find another way of doing things. Perhaps they'd focus their attention on more legitimate-looking fronts. Then even more people would be forced to run software for fear of a virus imitating or hijacking something like a device driver or a critical Windows update.
  
  Anyway, call me paranoid, but I've long suspected that the anti-virus companies themselves are the ones releasing the malicious code, or at least exposing known security flaws (we already know that happens within other companies), so I doubt it would make a difference either way.
3. Re:Arms race for nothing by bmo · 2007-07-15 17:42 · Score: 4, Insightful
  
  "Fdisk it from orbit - it's the only way to be sure."
  
  Even Microsoft agrees with you. You can't "clean" a compromized machine.
  
  http://www.microsoft.com/technet/community/columns /secmgmt/sm0504.mspx
  
  That goes for other OSes too.
  
  --
  BMO
4. Re:Arms race for nothing by Random832 · 2007-07-16 01:26 · Score: 1
  
  That article goes a bit too far:
  
  You can't clean a compromised system by reinstalling the operating system over the existing installation. Again, the attacker may very well have tools in place that tell the installer lies.
  
  How exactly are these tools going to start running, when the system is booted to the install CD rather than the hard drive? I mean, by that logic the attacker could have tools in place to tell fdisk lies, too, so the only option is to literally incinerate the disk and buy a new one. Unless the attacker managed to flash your bios, you're probably safe here. And if that did happen, then you're completely screwed.
  
  Also, the issue of having tools to tell an antivirus tool lies is, again, much less of an issue if you boot from a known-clean CD rather than using it from the running compromised installation
  
  You can't trust any data copied from a compromised system. Once an attacker gets into a system, all the data on it may be modified. In the best-case scenario, copying data off a compromised system and putting it on a clean system will give you potentially untrustworthy data. In the worst-case scenario, you may actually have copied a back door hidden in the data.
  
  Again, once all that might be compromised is data, there's nothing there to tell lies to the antivirus software. A text file isn't going to somehow run executable code when you open it in notepad. (whether "untrustworthy data" is an issue depends on what kind of data it is and, for that matter, what kind of attack - that shiny new browser toolbar might be nasty, but it isn't likely to be all like "im in ur spreadsheets messin with ur numbers" - for that matter, the worst a virus is likely to do is destroy data in obvious ways, not mess with it in a way that you won't notice and will cause problems if you rely on it later. The article seems to be geared towards cases of actual human attackers, not virus/spyware/etc)
  
  --
  We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
5. Re:Arms race for nothing by Anonymous Coward · 2007-07-16 05:39 · Score: 0
  
  > Fdisk it from orbit - it's the only way to be sure.
  
  That is a great fsking line! I'm stealing it, and turning it into a meme!
  
  Would you like a credit, or just annon ?
  
  Thanks!
  
  btw- if you search for it in google you find it here... How often is google updating their bloody slashdot index!?
6. Re:Arms race for nothing by dbIII · 2007-07-16 14:05 · Score: 1
  
  Would you like a credit, or just annon ?
  
  I stole it from the first Alien movie anyway and have been using it for years.
7. Re:Arms race for nothing by dbIII · 2007-07-16 14:07 · Score: 1
  
  Also pretty obvious - Linux Gazette #68 had a very similar phrase along with a lot of other places.
8. Re:Arms race for nothing by billcopc · 2007-07-25 15:50 · Score: 1
  
  Actually if anti-virus peddlers are "creating the market", so to speak, that makes it easier to beat them up because they get doubly hurt by each unprotected PC; they lose a victim and a customer at the same time, but talking paranoid won't help at all. It doesn't matter who writes the viruses, what matters is that there is a financial incentive to do it. If we can take away that incentive, we take away the motivation behind this underground industry.
  
  If McDonalds weren't making tons of money selling their crap, they would stop and find something else to do, like war-mongering or somethin'.
  
  --
  -Billco, Fnarg.com
Over coming sandboxing by zoomshorts · 2007-07-15 15:29 · Score: 1

What you need to run, in order to overcome sandboxing, is my handy
utility called Cats(TM). It will effectively pollute any benefits of
sandboxing. In addition, it will spawn child processes Kittens(TM) to
further confuse the processes.
cat /dev/colon /proc/virtual/1 by eknagy · 2007-07-15 18:47 · Score: 1

Ha!

I always know there are security problems with sandboxes - and all the cats on the world surely know how to break them:
cat /dev/colon >/proc/virtual/1
Who cares if it can detect a virtual machine? by Anonymous Coward · 2007-07-15 23:52 · Score: 0

Isn't it awful that a VMware virtual machine has its own VMware specific registry entries, drivers, services that make it so obvious the system is virtual? NO!!! Who cares! If a hacker can get at your registry or list drivers, they don't need to attack the hypervisor. Give them a bit and (assuming your VM is on the network) they'll be running through your network without going through the hypervisor.

I have not worked much with other virtualization technologies but if I wanted to attack a VMware virtual infrastructure (and I don't), IMO the weakest link is the VirtualCenter server. It communicates with each VMware Host (ESX, Virtual Server) and controls resource allocation (memory, network, CPU, disk shares), network connectivity through the host, virtual machine power functions, etc. of the entire virtual environment. And hey, it runs on Windows, a hacker's favorite target. Why would a hacker waist time learning how to hack into the hypervisor (rhetorical.. I know the answer... Because it's there...) when he already know how to hack into the one box with the keys to the virtual kingdom. Sure the hypervisor is an attack vector, but there are bigger, more probable ones that would concern me first!

Protect your VirtualCenter server folks. It is the weakest link.
Centipedes? by Wiseman1024 · 2007-07-16 00:52 · Score: 1

In MY sandbox?

--
I was about to say 13256278887989457651018865901401704640, but it appears this number is private property.