Home > Virtualization, Virtualization Security > Oh Noes! ViMTruder – An Open Source VM Trojan! It’s Like Virtualized Swine Flu (Or Not…)

Oh Noes! ViMTruder – An Open Source VM Trojan! It’s Like Virtualized Swine Flu (Or Not…)

I had to chuckle and then sob when I saw this posting from Reuven Cohen on the Cloud Computing Interoperability Forum (CCIF) regarding the ViMTruder “virtual machine trojan:”

Sergio Castro has released a functional, open source Virtual Machine Trojan called ViMTruder.

I’ve held off for a few days before posting this news. I wasn’t sure if helping spread the news would do more harm then good but, several other blogs have picked up the story, so why not.

So what is a Virtual Machine Trojan? According to Castro virtual machine trojans are seemingly benign virtual machine you download from the Internet contains a trojan. The objective of the trojan is to remotely take control
of the machine for nefarious purposes: steal information, send spam, conduct click fraud, stage denial of service attacks within a botnet, etc.

ViMtruder is written in Python and consists of a client which is installed within a virtual machine, and a control server, which sits in a host on the Internet. The virtual machine, running Linux, is configured to automatically run the VMT client in the background upon boot up. The VMT tries periodically to contact the control server through the Internet using port 80 outbound. Once the control server links with the VMT, you can send it Nmap commands to scan the target LAN where the VMT is connected.

The types of attacks a VMT can execute are different than a normal trojan. The VMT does not have access to the host machine; rather, it has access to the local network. Therefore, a VMT can be programmed to do the following:

  1. Sniff traffic in the local network
  2. Actively scan the local network to detect machines, ports and services
  3. Do a vulnerability scan to detect exploitable machines in the local network
  4. Execute exploits  in the local network
  5. Brute force attacks against services such as ftp and ssh
  6. Launch DoS attacks within the local network, or against external hosts
  7. And of course, send spam and conduct click fraud

My first thought is imagine something like this embedded into an EC2 AMI and the potential damage it would cause.

Direct Link:

CCIF Instigator

You can read my response at the bottom of the thread in the link at the top of the page.  I am awe struck at the moment.

Keep in mind that frothy hyperbole misrepresenting security risks as unique and “damaging”  as illustrated above are being made by people invited to advise the U.S. government on how to secure Cloud Computing.  Joy.


  1. May 1st, 2009 at 02:14 | #1

    Wait a couple of days and they will be calling it a "cloud virus", or something similar.

  2. May 2nd, 2009 at 22:36 | #2

    As usual there's a conflict of interest just around the corner (from one of my replies in the same thread):

    "The thing that really doesn't sit well with me is that Enomaly will shortly (assuming they haven't already) announce product for securely managing virtual machines which will invariably [cl]aim to tackle many of these "issues". This comes right back to my earlier comment about their "pissing in the pool" and I fail to see how this overt FUD is any different. Most of us are working very hard to build trust in cloud computing and the last thing we need is our self-appointed one-man PR department selling us out."


  3. May 3rd, 2009 at 03:50 | #3

    @Sam Johnston

    To be perfectly honest and fair to Reuven, I'm not going to get in the middle of any purported conflict of interest issue here because that was not my point and I'm not privy to this (nor do I want to be.) You're certainly entitled to your opinion and expression.

    My problem is the hyperbole about this "new" threat that isn't unique at all and attaching virtualization and cloud to it without qualification in order to generate buzz. It is, for lack of a better word, lame.


  1. No trackbacks yet.