If malware does not run in a VM why not make everything a VM?

Question

There is a lot of malware that can detect whether it is running inside a VM or sandboxed environment and if such environment is detected it can conceal it self and not execute. So why not make everything a VM? Now all systems are safe!

I know not all malware does this but considering that there are many cloud services these days that run on VMs in remote servers does that mean that they are all immune to these types of malware?

I am aware that not all cybersecurity threats involve malware but the focus of this question is mainly on malware attacks.

The cost of "making everything a VM" is very high. Whatever that even means. The cost to make one small adjustment in the malware to also check for other things is tiny. — schroeder, Feb 15 '21 at 21:22
@schroeder Qubes OS does that. And yes, the cost is fairly high (large perf hit). — forest, Feb 15 '21 at 22:56
Putting each application running on the same physical hardware into a separate VM is actually a pretty good security practice, because it often (not always!) prevents a vulnerability in one application from affecting the others. But it is not bulletproof. There are ways to break out of a VM and affect the host system or other VMs. — Philipp, Feb 16 '21 at 09:56
This reminds me of the old joke that the probability of there being two bombs on a plane is infinitesimally small, so you can keep yourself safe by always bringing your own bomb with you. — pjc50, Feb 16 '21 at 10:35
More generally, I think you're asking about deactivating malware by intentionally triggering its anti-analysis feature. I think I've heard some cases where folks made tools in response to major malware outbreaks that'd cause users' systems to emulate whatever the malware would look for to inactivate it before a better solution would be available. — Nat, Feb 16 '21 at 11:21
I mean, every process on a desktop machine runs in a virtual address space. What we call VMs are just more virtualized in more ways. — Yakk, Feb 16 '21 at 16:21
The cost of "making your computer a VM" for the purposes of VM detection don't need to have any performance costs associated with them, for example, the supported way to detect if you're inside VMWare is by checking the BIOS name and/or hypervisor bit ([source](https://kb.vmware.com/s/article/1009458)), and this can be changed without impacting performance. But as the answer states, it's not really a sensible thing to do. — Erik A, Feb 16 '21 at 17:14
While the argument for VM's to deactivate malware may not be especially compelling, @Philipp's point about VM's for isolation is. This is, it's often considered good practice to sandbox untrusted apps in a VM rather than run them on the host system. — Nat, Feb 16 '21 at 17:22
@Nat Turnkey rollback (image restore) has a lot to do with that. There are odd packages in Linux distributions that that take half the system with them when removed. Not deliberately mal, but little consolation. Containers are a hot topic, one of their advantages is keeping these gaps. — mckenzm, Feb 16 '21 at 18:18
@Barmar - If the malware can detect that it's a VM then it's not a very good VM. — Hot Licks, Feb 17 '21 at 14:17
@HotLicks There are valid reasons a software should be able to detect running inside a VM (see paravirtualization). Running malware is just one of many use cases for a VM. — Martin, Feb 17 '21 at 16:09
@HotLicks continuing this line of thought (VMs are limited by the underlying HW, which is limited by the underlying processes and technologies and etc.) we can easily reduce it to "we live in not a very good/ideal world". — Dan M., Feb 17 '21 at 17:09
@pjc50 Or perhaps more relevantly, the other old joke about "If the black box on a plane can withstand a crash without serious damage, why not make the whole plane out of whatever the black box is made from?" — Darrel Hoffman, Feb 17 '21 at 18:55
I thought modern web browsers are already executing/rendering tabs/websites in a sandboxed environment? Isn’t this very similar to executing them in a VM? — Michael, Feb 18 '21 at 07:53
@Marcus Good question I have to admit! And welcome to S.SE! I think you are looking for Qubes (Is that right?) It's not a "vm" (not, in 100%) but I guess it gets you so close you want - If I understood the question correctly? — William Martens, Feb 18 '21 at 19:32

score 133 · Accepted Answer · edited Feb 16 '21 at 11:39

133

One has to take into account why the malware is doing this distinction in the first place.

Some malware does not run in the VM because the chance is high that this VM is used for inspecting the malware (i.e. some security researcher) since most normal users don't use a VM. But if everybody is using a VM then the chance is low that the VM is used for inspecting. This means there is no real reason anymore to use this kind of simple heuristic to distinguish between a potential security researcher and a victim. Therefore this heuristic will be considered useless and a different one will be used in the future. Which means that future malware will also run inside a VM.

Note that there are also other heuristics, like checking if specific tools often used by researchers are installed on the system. Now, why not just let everybody install such tools in order to disable malware? Same reason: the heuristic will be no longer used by the malware authors since it no longer works reliably enough.

edited Feb 16 '21 at 11:39

CL.

143
4

answered Feb 15 '21 at 21:22

Steffen Ullrich

184,332
29
363
424

21

In addition to this, there are already malware that specifically target VMs - some with the intention to hijack the hypervisor or host OS (there are specific attacks that try to break out of VM sandbox). The main targets of these malware are web servers and website hosting services. They normally carry a payload of regular malware that then try to infect user's PCs that browse the infected websites – slebetman Feb 16 '21 at 13:20
37

"Any solution to a problem changes the problem." - R. W. Johnson – candied_orange Feb 17 '21 at 03:42
2

So you're saying that if I make everything a VM and install those specific tools I'll have higher security as long as other people don't start doing this? Sounds like a prisoners dilemma. So just asking for a friend, what tools are those? – DonQuiKong Feb 17 '21 at 10:03
2

@DonQuiKong Even *if* everyone else starts doing it you will have higher security, just not for the reason addressed by this question/answer. Even if malware adapts to the sudden popularity of VMs, it will still be running inside a sandboxed environment to which any damage will be limited (barring hypervisor vulnerabilities). Indeed there are many software solutions which rely on sandboxing for added security, not just VMs (e.g. containers). The issue you will have with placing every package inside its own VM is the extreme cost in terms of CPU and memory resources. – Jon Bentley Feb 17 '21 at 10:37
@DonQuiKong Any tool that helps you analyze malware, of course! Just make sure to tell all the malware authors that you're using it to analyze malware. – user253751 Feb 17 '21 at 11:42
@JonBentley: Given the regularity with which we see CVEs for them, it is easy to forget that even the humble web browser is pretty heavily sandboxed (or at least, it is if it was made in the last ~20 years or so, anyway). In other words: Sandboxes are already used in many places where they make sense, but they are not magic. – Kevin Feb 17 '21 at 17:02
@JonBentley VM/sandboxing only helps protect "outside" from the thing being sandboxed. If everything is in it's own VM it just the problem one abstraction higher. To achieve the regular workflow, those VMs would still need to communicate (probably via internet now, instead of IPC), share data/disks and etc. breaking the isolation. So all the same issues would exist. You already have something like this on smartphones (although with Java's virtual machine). – Dan M. Feb 17 '21 at 17:17
@Kevin I believe I covered that with "higher security" (as opposed to total security) and "barring hypervisor vulnerabilities" which would also apply to other sandboxing technologies. – Jon Bentley Feb 17 '21 at 18:39
@DanM. No, not all the same issues would exist. Security is always a matter of degree, not absolute (see my comment above). For example, if I run my word processor in a VM and my document is attacked and I open that document outside the VM, then the VM can't protect me. But if a RCE vulnerability is found in the word processor then the damage is limited to the VM. Not *every* workflow requires *all* the same communication channels that they would outside a VM, and some would not require any cross-VM communcation at all (e.g. a browser in normal operation). – Jon Bentley Feb 17 '21 at 18:42
@JonBentley's point applies particularly to RAM. There are exceptions but to a first approximation you need your system to have have enough physical RAM for all the VMs you want to run to have enough. So my machines that have plenty to run Linux/sufficient to run Win10 are marginal when running Windows under Linux (not help by needing Windows for memory-heavy CAD software). A 2nd VM for an old Linux requires shutting down the Win10VM first, even to only give it 1GB – Chris H Feb 22 '21 at 08:39

score 8 · Answer 2 · answered Feb 18 '21 at 17:56

In fact, something similar is being practiced. First of all, note the following:

Not all malware check for VMs, and there are other common criteria for not running such as research or monitoring tools.
You don't need to run in a VM. You just need to make the malware think as if you do.

One company which uses this technique is Minerva. They call it Hostile Environment Simulation:

Attackers invest tremendous efforts to develop and test malicious programs that evade your existing defenses and will only launch in an environment it considers safe. Evasive malware checks for a variety of security tools e.g. sandbox, debugger, antivirus and others, and only then decides whether or not to attack.

Minerva Labs' Hostile Environment Simulation mimics the presence of security products that evasive malware is designed to bypass. When advanced malware encounters artifacts belonging to the following categories, it shuts itself down instead of exhibiting its true nature:

Anti-Virus and other security solutions used for malware detection.

Virtual machines and emulators, used for manual and automatic malware analysis.

Sandbox products, used to learn the behavior of suspicious programs by detonating them in a controlled environment.

Forensics toolkits, used by analysts to dissect malware samples as part of forensics investigations.

score 4 · Answer 3 · answered Feb 17 '21 at 21:38

4

Because malware runs in a VM.

It can not infect the host machine or other VMs.

Putting everything in VMs is still a viable way to improve security, and it is being done.

answered Feb 17 '21 at 21:38

peterh

2,938
6
25
31

2

Actually some malware checks whether it's running in a VM, and if so, stops running . That's what the asker is talking about. – user253751 Feb 18 '21 at 14:34
3

`It can not infect the host machine or other VMs` -- it _should not be able to_, that is true. In practice however, exploits can break out of VM if VM has bugs, and virtually all of them do have such a class of bugs. Still, running each program in its own VM does help with damage control a lot. – Matija Nalis Feb 18 '21 at 15:50
1

@MatijaNalis This is true - my answer was the general way (i.e. the concept), not that all VMs can always be trusted. Furthermore, infecting other VMs are still possible over the channel over that they interact (mostly, networking), it is only much more hard. – peterh Feb 18 '21 at 16:06

Dmitry Grigoryev · Answer 4 · 2021-02-18T10:16:13.543

The concept of a VM protecting from the malware is based on the idea that you run untrusted programs in a VM which has no valuable information that malware could destroy or steal.

If you put everything in a VM, that VM becomes just as sensitive to malware as the original system was.

The malware being inactive in a VM is not a protection feature: the malware expects there will be very little benefit in infecting a VM so it tries to keep a low profile until it is run on a real hardware, thus maximizing the impact. As soon as people start keeping valuable information in VMs, the malware will start infecting those just fine.

A virus which steals user's personal data from the home folder has no interest to infect an AWS instance in a VM, so yes, in that sense the VM is immune to it. Just like SIP users are immune to a virus which steals Skype passwords specifically.

No, the concept is based on the fact that some malware stops running if it detects that it's running in a VM. — user253751, Feb 18 '21 at 14:35

score 1 · Answer 5 · answered Apr 23 '21 at 09:52

There is a lot of malware that can detect whether it is running inside a VM or sandboxed environment and if such environment is detected it can conceal it self and not execute. So why not make everything a VM? Now all systems are safe!

There is a better reason than that to put things inside a VM. Basically, the process boundary is often exploited by finding bugs in the kernel. Placing every process inside a VM machine means the malware author needs to find a bug in the kernel and a bug in the VM to escape into another process. Products like HP's Sure Click do implement the security approach you've described.

I know not all malware does this but considering that there are many cloud services these days that run on VMs in remote servers does that mean that they are all immune to these types of malware?

Yeah, there's a company that does exactly that: Menlo Security. Products like Google Docs, yes are going to be less dangerous to the user's computer than a process that runs on a local computer. Mainly because the document could be run on google's server rather than your local machine. The main target (if the malware is trying to attack the user) is going to be finding a way to exploit the user's browser via the online document. Browsers, like Chrome etc, have plenty of zero-day vulnerabilities. But over time, I think the security of the browsers have increased a lot. So it's not trivial to find a vulnerability, but it's doable.

I am aware that not all cybersecurity threats involve malware but the focus of this question is mainly on malware attacks.

Yeah these systems do significantly reduce the attack surface of a normal users activity. They haven't taken the market by storm (yet?). (There are lots of other security products that can soak up cash/security is just one of many considerations.)

There are performance considerations but they really aren't as significant (in a well engineered product) as people might expect. The products can use highly specialised cut-down vms, allowing a single machine to run many, many vms. Or a product can run multiple 'dangerous' processes in a single vm, like Hysolate. And these products can achieve near-native performance for most tasks. (The products can use a bunch of performance optimisations.)

I think some of the early creators of these solutions - like Bromium that HP bought - had some product issues that prevented the solution gaining more traction. Windows have introduced similar solutions, including Windows Defender Application Guard. Lots of very security conscious organisations like governments, big corporates etc, use virtualisation-based solutions already. In 2021, the use of these approaches is largely confined to some highly-security conscious organisations. (Excluding things like Google Docs that are mass-market for totally different reason.)

score 0 · Answer 6 · edited Apr 26 '21 at 18:14

0

Some malware does not run in VM, but if you convert everything to a VM, malware will run in VM.

Want to stop malware? Implement application whitelisting and other controls from famous top 4 critical security controls publication from Australian DSD https://www.cyber.gov.au/acsc/view-all-content/publications/strategies-mitigate-cyber-security-incidents

edited Apr 26 '21 at 18:14

schroeder

123,438
55
284
319

answered Apr 26 '21 at 17:47

Alex Bodryk

1

Welcome! You basically repeat the top-voted answer then go off on a tangent on generic malware prevention (which is not the question). Can you expand on the on-topic part of the answer? – schroeder Apr 26 '21 at 18:16
Hi! Well, running everything as VM would require connections between those VMs to interact and lead us to two things: 1) increasing level of complexity (with all the consequences) 2) reproducing a lot of mechanisms from operating systems concept leaving a door open to the same malware techniques concepts as usual operating systems - process injects, worm spreading, weak authentication etc. – Alex Bodryk Apr 27 '21 at 19:45
Can you edit your answer with these details? – schroeder Apr 27 '21 at 19:59

If malware does not run in a VM why not make everything a VM?

6 Answers6