Oh Noes! ViMTruder – An Open Source VM Trojan! It’s Like Virtualized Swine Flu (Or Not…)
I had to chuckle and then sob when I saw this posting from Reuven Cohen on the Cloud Computing Interoperability Forum (CCIF) regarding the ViMTruder “virtual machine trojan:”
Sergio Castro has released a functional, open source Virtual Machine Trojan called ViMTruder.
I’ve held off for a few days before posting this news. I wasn’t sure if helping spread the news would do more harm then good but, several other blogs have picked up the story, so why not.
So what is a Virtual Machine Trojan? According to Castro virtual machine trojans are seemingly benign virtual machine you download from the Internet contains a trojan. The objective of the trojan is to remotely take control
of the machine for nefarious purposes: steal information, send spam, conduct click fraud, stage denial of service attacks within a botnet, etc.
ViMtruder is written in Python and consists of a client which is installed within a virtual machine, and a control server, which sits in a host on the Internet. The virtual machine, running Linux, is configured to automatically run the VMT client in the background upon boot up. The VMT tries periodically to contact the control server through the Internet using port 80 outbound. Once the control server links with the VMT, you can send it Nmap commands to scan the target LAN where the VMT is connected.
The types of attacks a VMT can execute are different than a normal trojan. The VMT does not have access to the host machine; rather, it has access to the local network. Therefore, a VMT can be programmed to do the following:
- Sniff traffic in the local network
- Actively scan the local network to detect machines, ports and services
- Do a vulnerability scan to detect exploitable machines in the local network
- Execute exploits in the local network
- Brute force attacks against services such as ftp and ssh
- Launch DoS attacks within the local network, or against external hosts
- And of course, send spam and conduct click fraud
My first thought is imagine something like this embedded into an EC2 AMI and the potential damage it would cause.
You can read my response at the bottom of the thread in the link at the top of the page. I am awe struck at the moment.
Keep in mind that frothy hyperbole misrepresenting security risks as unique and “damaging” as illustrated above are being made by people invited to advise the U.S. government on how to secure Cloud Computing. Joy.