VENOM has only one fang, Rombertik is a dud

May 16, 2015 11:35 GMT

There was a lot of press coverage lately about two security threats that could cause extreme damage if left untreated. These are VENOM, an 11-year-old bug in the virtual floppy drive code of the QEMU hypervisor, and Rombertik, a piece of malware designed to pilfer credential data.

Nobody denies the potential risk they pose, but it would still be a long while before either of them exerts its destructive capabilities.

Serious glitch in hypervisor code, but far from Heartbleed

VENOM, short for Virtualized Environment Neglected Operations Manipulation, was discovered by CrowdStrike’s senior security researcher Jason Geffner, and was disclosed on Wednesday.

Successful exploitation of the flaw would allow an attacker to escape the virtual machine and jump to other guests on the same server, or reach the host system.

QEMU (Quick Emulator) and its vulnerable code are also used in other virtualization platforms, such as Xen and Kernel-based Virtual Machine (KVM), which are in turn used by cloud computing services.

A vulnerability of VENOM’s caliber is particularly significant because all the virtualized clients on the same physical server can be affected, with the consequences propagating to the end users.

For some reason, some voices in the security industry compared VENOM to Heartbleed, a bug in the OpenSSL crypto library, which is used for secure online communication in innumerable products, from operating systems and web server software to mobile applications and embedded systems.

To put Heartbleed’s impact in perspective: at disclosure time, it affected about half a million web servers holding valid certificates from certificate authorities. The number may seem low, but a certificate from a certificate authority is not always necessary to implement secure communication, so that count does not include every vulnerable server.

Apart from this, the bug could be exploited on clients, such as home routers, mobile phones and applications, which increased the attack surface exponentially. Furthermore, exploiting Heartbleed was trivial and required little effort from an attacker.

In the case of VENOM, although the potential number of victims is considerable (thousands of products relying on virtualization technology are estimated to be affected), the impact is not as wide: it does not affect all hypervisors on the market, and the cloud service vendor can deploy a patch that mitigates the risk across all virtualized server instances on its infrastructure.

Furthermore, larger cloud computing vendors, such as Amazon, are not affected, which leaves VENOM exploitation feasible mainly for targeted attacks on less popular services. At the moment, there are no reports that the glitch has been exploited in the wild.

Taking advantage of the flaw is not as easy as it was portrayed in the media, because the threat actor would need to have already compromised a virtual machine instance and gained administrative or root privileges in the guest operating system.

Patching the glitch falls on the shoulders of the service vendor, who is highly likely to correct the flaw as soon as possible in order to keep their business humming.

“For users of external public cloud services, the responsibility to apply the remediation falls to the service provider, and so customers are likely to burn up the phone lines calling in to make sure this has been done promptly. For organisations running private cloud infrastructure, the responsibility falls to internal IT, as a part of routine patch management,” says Mike Lloyd, CTO at RedSeal, via email.

Rombertik's destructive power unlikely to be unleashed on regular systems

With Rombertik, the media hype was equally intense, as one of the malware’s capabilities allows it to damage the master boot record (MBR) and render the system inoperable, or to encrypt data on the system drive, if it detects that it is being run in a controlled environment.

However, the focus was mostly on this destructive behavior and less on how the malware would reach this point. More than this, the computer-damaging function was described in terms of “nuclear,” “deadly,” “kamikaze,” or a “digital Pearl Harbor.”

The images appended to the articles depicted nothing short of a digital apocalypse, with hard drives on fire, nuclear blasts or users pulling their hair in despair.

Rombertik was discovered by Cisco Systems' Talos Group security researchers, who reverse engineered it and analyzed its functions and behavior. Analysis details were disclosed on May 4.

Besides multiple layers of obfuscation, which included a large portion of garbage code (over 97%) intended to pass off the malicious file as legitimate, they also found aggressive anti-analysis features that kick in at a final stage of the verification procedure.

Nonetheless, until that stage is reached, Rombertik employs highly efficient techniques that allow it to bypass the analysis tools included in antivirus products, meaning that the fallback of breaking the computer is unlikely to be triggered on regular users’ systems.

Researchers at Blue Coat analyzed the same sample as Cisco and reached the conclusion that the malware’s nasty hard disk wiping reaction occurs only when it is being reverse-engineered, an activity carried out by malware analysts with special tools in special environments; otherwise, the “nuclear” response is not triggered.

“Malware analysts, by and large, know how to keep pristine images of their analysis VMs and should not be affected much. Normal users should typically not see the wipe effect anyway. In fact, we were unable to trigger this effect through a natural run even in an instrumented analysis sandbox,” writes Snorre Fagerland in a blog post.

With all the brightly colored reports about malware and vulnerabilities these days, there is a great chance of misinformation. Search engines, just like websites, display the article images on the main page, and it is easy for someone skimming the content to form an incorrect opinion.

An easy way to avoid this is to read past the title and check the actual content, although in many cases the articles fail to present the full details of a discovery made by security researchers.