Philosophically Secure
Eugene Kogan's blog on information security and software engineering

21 Oct 2008

Automated Web-Based Malware Behavior Analysis

I just watched a video of a presentation from September's OWASP conference. The presenter, Tyler Hudak, described the Truman-based hybrid sandnet he built to automate the analysis of web-based malware. He references Google's paper The Ghost in the Browser as well as the Honeynet Project. One tool he uses to automate steps inside Windows is AutoIt, a scripting language for driving the Windows GUI that I had not heard of before, but it sounds handy. The demo also shows InCtrl5, a Windows utility that snapshots the file system and registry and reports what changed, intended mainly for watching what an installer does. I guess he uses it to complement the usual Sysinternals tools, so it presumably has some extra features that Tyler finds useful.

Some of the problems this approach tries to solve are browser-dependent obfuscated JavaScript, plug-in dependencies (such as Flash), and chains of redirects. Each of these makes manual malware analysis more complex and time-consuming, so any automation you can get away with is a big help. The demo at the end is pretty cool, but he glossed over how the results of the automated analysis are presented to the user; I'm guessing it's not (yet) in a polished report format. Either way, you still need someone with the right knowledge to interpret the output and decide what to do with it to defend your network.

23 Feb 2007

Virtualization Security Risks?

This article on Dark Reading presents several security risks created by virtualization, at least according to a few experts. I think it neglects to mention enough of the security benefits that virtualization technologies (such as VMware and Xen) can provide. In my mind, the advantages of virtual machines outweigh the few added risk areas listed.

Yes, the hypervisor is a "new layer that's another opportunity for attack." However, if you consolidate 10 physical servers into 10 VMs on one hardware platform, you have reduced your exposure on the hardware and physical-security side from 10 to one. That is especially true if the servers ran on disparate hardware platforms, which is often the case. You would have fewer drivers and firmware to keep updated, and need less floor space in a secure data center. The trade-off is that the one platform now carries all ten workloads, so its patching and administrative access deserve the attention you used to spread across ten boxes.

There is also the mention of "VM sprawl" in the article. The idea is that VMs will pop up out of nowhere and be unmanaged and unprotected, since the proper security controls will not be in place. In my experience, I have not seen enterprise VMs created by accident or without the VM administrator's knowledge. Sure, someone can download VMware Server and load a virtual machine on his laptop, but that is no different from the problem of users installing any other unauthorized software: you have to prevent it with policy and technical controls on the workstation.

In fact, I believe VM technology will improve our ability to manage servers and keep our security policy enforced. With a product like VMware ESX, you can configure a "template" VM and deploy it as many times as needed. For example, build a template for your standard Windows 2003 server with all the patches, configuration settings, security tools, and typical applications, then deploy it 10 times and you have 10 good servers up and running. That is one less excuse for not having time to set up security properly before deploying a server. The flip side is that the template itself has to be kept patched and reviewed, or every new clone inherits the same gap.

Overall, I'm glad this topic is making headlines and getting those of us in the infosec world thinking about virtualization. As always, there are trade-offs to take into account.
