The virtual way to defeat real monsters

Virtualisation is hot, but it's being sold for the wrong reasons. We need it to kill malware - and we need it now

Processor virtualisation is one of the most exciting developments in IT this decade. It's not a new concept — IBM mainframes supported virtual machines in the 1960s — but for the current crop of enterprise hardware it's an idea whose time has come. With hardware and operating system support as well as a number of established companies supporting the market, virtualisation is here to stay.

VMware is capitalising on the foresight and good fortune that have made it the right company selling the right products at the right time. Its latest product announcements make all the appropriate noises about improved performance, reliability and security. The road ahead is clear for more of the same.

Yet the company is missing one of the most important and pressing opportunities that virtualisation affords — our best chance to regain the initiative in the war against malware. No matter how a virtual machine has been attacked, it can be restored to life by the click of a mouse — and, more importantly, the VM management software can be set up to detect infections in ways that no malware author can stop. In the battle to stop rootkits and other deep-diving, system-compromising attacks, there is no technology with more potential.

We know this works, because Microsoft's researchers have been using exactly this approach to analyse new Web-based exploits. Their honeymonkeys are Web browsers running in a virtual machine: they actively explore the Web while the virtual machine manager constantly monitors their state of health. The moment an attack succeeds, it is detected and analysed, meaning that security analysts are alerted to zero-day exploits as quickly as possible, no matter how they work or how stealthily they try to hide themselves. Meanwhile, the honeymonkey is renewed and back at work.
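The honeymonkey loop described above, as an added example that is neither Microsoft's code nor part of the article: a monitor sitting outside the guest hashes the guest's files before and after a visit, treats any change outside the browser's own cache as a successful attack, and then renews the guest from a golden image. The guest directory layout, the allowed-path list and both simulated visits are constructed assumptions standing in for a real VM and browser.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Paths a healthy browsing session is allowed to write to (assumed guest layout).
ALLOWED_PREFIXES = ("browser/cache/",)

def snapshot(root):
    """Hash every file under root: the monitor's outside view of the guest's state."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_snapshots(before, after):
    """Return (created, modified, deleted) relative paths between two snapshots."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    return created, modified, deleted

def suspicious_changes(before, after):
    """Any change outside the browser cache means the session did more than browse."""
    created, modified, deleted = diff_snapshots(before, after)
    return [p for p in created + modified + deleted if not p.startswith(ALLOWED_PREFIXES)]

def run_session(guest, golden, visit):
    """Baseline, let the 'browser' visit a site, judge from outside, then renew the guest."""
    before = snapshot(guest)
    visit(guest)
    findings = suspicious_changes(before, snapshot(guest))
    shutil.rmtree(guest)
    shutil.copytree(golden, guest)  # renewal: the guest is discarded and re-cloned
    return findings

def demo():
    """Constructed guest image, one benign visit and one visit that tampers with the guest."""
    work = Path(tempfile.mkdtemp())
    golden, guest = work / "golden", work / "guest"
    for d in ("system", "browser/cache"):
        (golden / d).mkdir(parents=True)
    (golden / "system" / "hosts").write_text("127.0.0.1 localhost\n")
    shutil.copytree(golden, guest)
    def benign(g):  # a normal page load only writes to the browser cache
        (g / "browser" / "cache" / "page.html").write_text("<html>hello</html>")
    def tampering(g):  # constructed: a successful attack drops a file and edits hosts
        (g / "system" / "dropped.sys").write_bytes(b"constructed-sample")
        (g / "system" / "hosts").write_text("127.0.0.1 localhost\n# tampered\n")
    benign_findings = run_session(guest, golden, benign)
    bad_findings = run_session(guest, golden, tampering)
    restored = snapshot(guest) == snapshot(golden)  # renewal leaves no trace of the attack
    shutil.rmtree(work)
    return benign_findings, bad_findings, restored
```

The judgement is made from outside the guest, so nothing the visited page does inside it can suppress the diff, which is the property the article's argument rests on.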

VMware should be talking to the anti-malware companies with a view to partnership or acquisition. It has the nuclear option that can devastate the attackers; they have the knowledge of how to build and deploy end-user security software. We can use virtualisation to make our systems prettier and easier to manage tomorrow; we need to defeat the monster of malware today.