Wednesday, January 09, 2008

Use Virtualization to Avoid Malware While WebSurfing

In presentations at Infoworld's Virtualization Summits (slides here), I have repeatedly discussed how virtualization can prevent malware infections when you surf the web. The idea is to surf and do all transactions from inside a VM. Most attendees listen to this suggestion, but they seem primarily to be waiting for me to move on to the meat of my talk. I suspect they don't take the advice to heart because they feel they have various utilities on the alert for viruses and malware infections. However, as we see here, even well-known companies, such as Sears and Kmart, install key loggers and malware that route private data to third parties. That is, even if you go only to sites you believe to be known good, you can still be infected with malware.

By browsing from within a VM, you protect yourself against many malicious packages. In the ideal scenario, you use two VMs: One for important transactions where security is paramount (online banking, investment accounts, etc.) and another for all other browsing.

If either VM becomes infected, delete it, make a clone of the master VM, and resume browsing. Periodically, you should throw out the "just browsing" VM and bring over a clean instance, so that any undetected stealth malware is disposed of. You'll need to bring over your bookmarks file when you swap VMs or, if you prefer, you can use any of the tag services (del.icio.us and the like) to maintain your list of favorites.
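The lifecycle described above (discard the browsing VM, clone a fresh copy from the clean master, bring the bookmarks over, resume) can be scripted so that it is a single command rather than a chore you skip. The following is an added example, not part of the original post, and it uses VirtualBox's VBoxManage command-line tool rather than the Virtual PC the post uses; the VM names `master-linux` and `browse` and the bookmarks directory are assumed placeholders. Bookmarks are exposed to the guest through a read-only shared folder, so a compromised guest cannot write back into the host's files.

```shell
#!/bin/sh
# Disposable browsing VM lifecycle using VirtualBox's VBoxManage CLI.
# Added example, not from the original post. Assumes VirtualBox is installed
# and a clean, fully patched master VM is already registered.
# Set DRY_RUN=1 to print the VBoxManage commands instead of running them.

VBOX="${VBOX:-VBoxManage}"

# run SUBCOMMAND...: execute a VBoxManage subcommand, or print it in dry-run mode.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s %s\n' "$VBOX" "$*"
    else
        "$VBOX" "$@"
    fi
}

# vm_exists NAME: true if a VM with that name is registered.
# "VBoxManage list vms" prints one line per VM in the form: "name" {uuid}
vm_exists() {
    if [ -n "${DRY_RUN:-}" ]; then
        return 0    # dry run: pretend it exists so the full plan is printed
    fi
    "$VBOX" list vms | grep -qF -- "\"$1\" {"
}

# discard_vm NAME: power off the VM if it is running, then delete it together
# with its virtual disks. Nothing from the old instance survives.
discard_vm() {
    run controlvm "$1" poweroff 2>/dev/null || true
    run unregistervm "$1" --delete
}

# fresh_vm MASTER NAME [BOOKMARKS_DIR]: clone the clean master into a new
# disposable VM. If a host bookmarks directory is given, attach it as a
# read-only shared folder so the guest can read but never modify it.
fresh_vm() {
    master="$1"; name="$2"; bookmarks="${3:-}"
    run clonevm "$master" --name "$name" --register
    if [ -n "$bookmarks" ]; then
        run sharedfolder add "$name" --name bookmarks \
            --hostpath "$bookmarks" --readonly
    fi
}

# reset_vm MASTER NAME [BOOKMARKS_DIR]: the "infected or stale? throw it away"
# step: discard the current instance, bring over a clean clone, and start it.
reset_vm() {
    if vm_exists "$2"; then
        discard_vm "$2"
    fi
    fresh_vm "$@"
    run startvm "$2"
}

# Usage: sh disposable-vm.sh master-linux browse "$HOME/bookmarks"
if [ $# -ge 2 ]; then
    reset_vm "$@"
fi
```

Run it whenever the browsing VM looks suspicious, and on a schedule regardless, so that malware that evaded detection is thrown away with the instance. Keep the master VM powered off and never browse from it; it is only ever a source for clones.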

I use Virtual PC from Microsoft, which can be downloaded for free. You can use it to run a Windows VM, but you need to make sure you have valid licenses for those VMs. (Actually, until April 1, you need no license at all. You can download a Windows VM with IE installed directly from Microsoft.) Using a UNIX/Linux VM is an alternative approach that provides three advantages over Windows: licenses are free, the VMs are smaller (less than the 750MB Windows typically needs), and malware writers rarely target Linux, so your VMs stay cleaner and safer longer.

Surprisingly, one Linux distribution you can't use for this purpose is Ubuntu. It does not install correctly on Microsoft Virtual PC. Despite a wealth of tips, I have not been able to find a way to get it to run. However, Novell SUSE works fine, and I am sure other distros do too.

Anyway, this rarely discussed use of virtualization enables me to surf with impunity and with no fear of being hijacked.

6 comments:

Unknown said...

Though this might sound futile, I think it would be worthwhile exploring the usage of "virtualization to avoid bad things while playing on-line games".

Indeed, millions of people play on-line games, unknowingly exposing their complete PC to the game vendor (and crafty hackers) thanks to client agents like PunkBuster.

The expert advice is: "do not run the game as administrator or root". Being conscious of the high performance requirements of modern games, I am still wondering if virtualization could be a viable option here.

Vasudev Ram said...

Sounds like a suggestion worth checking out - thanks!

Vasudev Ram
www.dancingbison.com

Traveling Tech Guy said...

Why not use the Browser Appliance from VMware?
A self-contained OS (Linux) with a Firefox browser. I trash it after every use. It's like browsing from a new computer every time.

And since VMware Player is free, the whole solution is permanently free.

Here's a review I had on my blog that includes a link:
http://www.guyvider.com/2007/08/surf-securely-and-stealthily.html

Andrew Binstock said...

@traveling: Thanks for the link. This appliance works so long as Firefox suits your needs. If you need to use IE, though, you have to go the full VM route I describe.

Adrian said...

I gave up using MSVPC and started using Sun VirtualBox instead.

There is an open-source edition, the "personal" license is delightfully broad (you can run your business on it - as long as you installed it personally), and yes, it runs Ubuntu out of the box.

If you really insist on running Ubuntu in MSVPC, the trick is to pass extra parameters to the kernel when booting.

Andrew Binstock said...

@Mike. Thanks for your note. It entirely depends on your level of paranoia and need for security.

At one time, it might have been an overwrought solution used by only the truly paranoid. Today, however, opening a VM for your browser or opening the browser on the native machine are no longer terribly different in terms of startup time and today's systems have more than enough RAM to accommodate the VM easily.