Recently two different observations about virtualization have come up that need correcting. The first is that the Open Virtualization Format (OVF), which is a DMTF format for standardizing a VM file format, is the cause of VM sprawl and spreading malware. Kris Buytaert made this assertion about OVF. The second observation is that there is this thing called a VMtrojan that is a trojan somehow made more dangerous by virtue of being on a VM.
Let's take these one at a time. First, OVF is a file format. OVF is not a locomotive force directing your hands to deploy more and more VMs higgledy-piggledy throughout your network. Nor is OVF a vehicle for spreading malware either. If OVF makes adding to sprawl or spreading malware any more or less of a problem in your network, then you have far, far bigger problems to deal with like how you manage your VM infrastructure. People and processes are the cause of sprawl.
On the topic of virtual Trojans, how do you manage-by that I mean install, update, and protect- a VM is just like you manage a physical computer. It's not magic. There is nothing inherently special with virtualization that means you need to treat a VM much differently than any other computer. Rueven Cohen who gained some notoriety with the Cloud Computing Manifesto posted this frightful gem to the Cloud Computing Interoperability Forum (CCIF):
The types of attacks a VMT [virtual machine Trojan] can execute are different than a normal trojan. The VMT does not have access to the host machine; rather, it has access to the local network. Therefore, a VMT can be programmed to do the following:
- Sniff traffic in the local network
- Actively scan the local network to detect machines, ports and services
- Do a vulnerability scan to detect exploitable machines in the local network
- Execute exploits in the local network
- Brute force attacks against services such as ftp and ssh
- Launch DoS attacks within the local network, or against external hosts
- And of course, send spam and conduct click fraud
That list details what Trojans do and being on a VM makes absolutely no difference at all. None. Not in the infection. Not in the spreading. Not in the execution. A VM is a computer. A VM with access to the network is a networked computer which is no different than a physical computer on a network. Saying there is a difference is either FUD or shows a complete lack of understanding about what a VM and a computer are. Thankfully, there are some voices of reason in the CCIF who have pointed out the absurdity of equating Trojans in a VM as any different than any other Trojan.
In the meantime, outside of our own coverage of server virtualization security [registration required], and George Hulme's musings on cloud computing, Chris Hoff has some interesting thoughts on the topic as does Josh Corman from IBM in his Virtualization Tutorial on Internet Evolution.