Chapter 13 · Protection in Untrusted Environments

One of the VMware hypervisor architects boasted to me at the RSA Show in San Francisco in 2007 that the VMware hypervisor cannot be broken: a great promise, one of those that we always fear in software. Yet it appears to be holding water for now. Hypervisor technology is a great step forward because it locks the micro-kernel down to only the set of components required to run the platform. To date, most of the vulnerabilities found in VMware's virtualization server platform have been in packages not written by VMware, which has exposed the platform to the standard vulnerabilities found in the underlying Linux platform. This has itself been a major factor driving VMware and its customers toward the ESXi architecture, which promises to reduce the ill effects of that underlying Linux platform. As the virtualization movement gains strength, virtualization server platforms will come under added scrutiny. Hypervisor installations (still few, as the technology is rather new) will likewise undergo further scrutiny, and any zero-vulnerability boast will most likely not stand. This matters because a vulnerability in the virtualization platform invites exploits that could erase every security benefit the platform provides. Hence the question: is it okay to let a VM get infected? After all, it is a disposable instance that can be recycled at will regardless of the exploit vectors it was exposed to. The truth is that you had better be disconnected if you want to be sure: a vulnerability in the core platform could lead to wholesale compromise of the host and every guest on it, where the damage would be far worse than with a standard setup. Proper management and network isolation of virtual switches and virtual machines will go a long way toward limiting the damage.
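As an added example that is not part of the book, the following pre-flight gate turns "you had better be disconnected" into a check the analysis guest runs before a sample is launched. It assumes a Linux guest with iproute2 and that 10.13.0.0/16 is the host-only lab network (an assumed convention; substitute your own range). The checks take their input as arguments so they can be exercised on the constructed route and address listings embedded below as well as on live output from ip.

```sh
#!/bin/sh
# Added example, not from the book: pre-flight isolation gate for a
# malware analysis guest. Assumes a Linux guest with iproute2 and that
# 10.13.0.0/16 is the host-only lab network (an assumed convention).
# The checks take their input as arguments so they can be exercised on
# constructed data as well as on live "ip" output.

# 0 if the routing table contains no default route, 1 otherwise.
# A default route means the guest has a path off the lab segment.
no_default_route() {
    printf '%s\n' "$1" | grep -q '^default ' && return 1
    return 0
}

# 0 if every IPv4 address is loopback or inside the lab range,
# 1 if any interface carries an address that could reach a real network.
only_lab_addresses() {
    printf '%s\n' "$1" | awk '
        $1 == "inet" && $2 !~ /^127\./ && $2 !~ /^10\.13\./ { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Combined gate used before detonating a sample: 0 only if both pass.
vm_is_isolated() {
    no_default_route "$1" && only_lab_addresses "$2"
}

# Constructed "ip -4 route show" / "ip -4 addr show" output for an
# isolated guest sitting on a host-only virtual switch.
ISOLATED_ROUTES="10.13.0.0/16 dev eth0 proto kernel scope link src 10.13.0.5"
ISOLATED_ADDRS="    inet 127.0.0.1/8 scope host lo
    inet 10.13.0.5/16 brd 10.13.255.255 scope global eth0"

# Constructed output for a guest that someone bridged onto the office LAN.
BRIDGED_ROUTES="default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50"
BRIDGED_ADDRS="    inet 127.0.0.1/8 scope host lo
    inet 192.168.1.50/24 brd 192.168.1.255 scope global eth0"

# Live use inside the guest, before launching the sample:
#   vm_is_isolated "$(ip -4 route show)" "$(ip -4 addr show)" \
#       || { echo "guest is not isolated, refusing to run sample" >&2; exit 1; }
if [ "${1:-}" = "--demo" ]; then
    vm_is_isolated "$ISOLATED_ROUTES" "$ISOLATED_ADDRS" && echo "isolated guest: ok"
    vm_is_isolated "$BRIDGED_ROUTES" "$BRIDGED_ADDRS" || echo "bridged guest: blocked"
fi
```

The gate is deliberately conservative: a single default route or a single address outside the lab range is enough to refuse the run, because either one means the virtual switch configuration has drifted from the isolated layout the analyst expects. It does not replace isolating the switch on the hypervisor side; it catches the case where that isolation was silently changed.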
Looking back at the history of malware protection, we note that it did not take very much for the blockbuster infections Sobig-F (see note number three) or MyDoom (see note number four) to circle the planet. And these are not the only ones. Sobig-F was the sixth variant in the Sobig virus series, generating 300,000 infections per day. MyDoom extended this to 1.2 million infections per day. And this was still 2004. With today's broadband speeds you need to practice as much caution as possible. Hence I'd like to define levels of precaution, if not paranoia, that are important when analyzing malicious samples. These precautions are increasingly costly and difficult to administer but are nevertheless practiced widely in industry.

Levels of Malware Analysis Paranoia

Whether you are investigating suspicious software or an outright known malicious piece of software, some core precautions are in order. Lessons from the anti-malware and forensics industries are the best guidance. These are recommendations for the most