Computer Crime Research Center


Virtual machines vs cybercrime tools

Date: November 07, 2007
By: Charles Arthur and Andrew Brown

Virtualisation software, used to make hardware more efficient, is catching the eye of big business


Last year, about 1% of the web servers bought worldwide didn't exist physically. The licences for the operating systems were paid for, but no machines were sold with them. That's because, going by the licences sold by a company called VMware, those servers ran inside other operating systems, running on a single machine. Where two physical machines might have existed, only one does; the other exists in a "virtual machine" (VM) made of software.

That is part of a growing, and important, trend called virtualisation - the use of software (such as VMware's) which presents itself to an operating system as a physical machine.

The virtualised operating system can't tell the difference; it sends out requests and receives answers that are consistent with running inside its own physical machine. It's like the question posed by the film The Matrix: how would you know if everything you experienced were being fed directly to your brain, rather than through your physical body? How does the operating system or application know whether it's running inside another program, or its own physical machine?

Virtualisation acceleration

The number of virtual machines created last year may be larger than 1%, as those for Linux machines, still the largest proportion of web servers, don't require a licence from Sun or Microsoft. The analyst group IDC forecasts that virtualisation will accelerate, and that by 2011 half of all physical servers will have been virtualised. The effect of that, says David Rose of the consultancy Xantus, will be to slow down hardware sales as bigger companies consolidate their server farms. "You have five physical servers consolidated down to one server, which makes more efficient use of resources," he explains. "Rather than five servers running at 15% to 20% of their capacity, you have one server running at 90% capacity."

The use of fewer servers means virtualisation is often mentioned in the same breath as power saving, and with it the idea of "green" computing - or using less power to do the same amount of processing. With energy costs rising dramatically, the owners of server farms are looking to cut down on energy use. Fewer servers running close to capacity is the ideal. Neil Hodson, general manager of the hosting company 1&1 Internet - which claims to be the world's largest, with 5,000 servers - explains: "For instance, instead of one customer on one server, we can have 1,000 customers on one server - reducing hardware, administration and energy costs considerably."

Because a virtualised computer has a completely standard "hardware" and "software" configuration - since the whole thing is written in software anyway - it can be treated as a dedicated appliance which can simply be switched on and will run without the nagging problems with software or hardware incompatibilities that turn up in the real world. The principal risk, Hodson notes, is that if the main server crashes, everything goes with it: there's no resilience.

Still, companies that now sell single applications which have to fit on all sorts of hardware, and fit with all sorts of other software, can now hope to sell not just their own programs but the machines they run on, all in one virtual bundle which can simply be dropped in to run on a server. One company - rPath, based in North Carolina - already sells programs designed to make it easier to build these virtual self-contained worlds.

VMware, the first company in the business to go public, was the great bubble stock of the summer, shooting up from $56 (£27) to $85; its present $122 stock price values the business at more than $40bn; it is reckoned to have two-thirds of the present virtualisation business. Another (open source) rival, XenSource, was bought for a mere $500m in cash and stock the day after the VMware IPO by Citrix, whose business had been in providing terminals to mainframes. Explaining the move, Citrix noted that "industry experts estimate that up to 30 million office workers will move to virtual desktops over the next five years, creating a new $1bn market for desktop virtualisation".

Citrix in particular envisions a world where it would control the gamut of virtualisation: an individual worker would "see" a Windows desktop on a terminal which would in fact be virtualised on a (Citrix-based) central server. There could even be virtualised Microsoft Office applications, which might not even need an entire desktop. Dell and HP have moved rapidly to offer Citrix's products on their servers - because if virtualisation becomes key to winning the shrinking number of contracts, it's important to support it, not resist it.

Microsoft has its own offerings, but it also has unique problems, because virtualisation could damage its upgrade business: a company that relies on old programs or whose PCs are wheezing but functional might choose to buy a single new machine and virtualise all the old ones inside it - denying Microsoft the licence fees for new copies of Windows.

Dramatic vision of the future

While EMC has profited tidily from VMware, which is close to hitting $1bn annual revenues, Dell said this week it will spend $1.4bn on EqualLogic, a minor partner in VMware, which sells storage systems adapted for virtualisation; its growth has been rapid, having only shipped its first products in 2003, yet already having more than 3,200 customers.

It's a dramatic vision of the future, one where increasingly powerful hardware sells in fewer units, and where, 1&1's Hodson notes, problems with hacking and, in some cases, viruses can be solved by just pausing or restarting the virtual machine. The virus writers are already fighting back: antivirus testers have seen some viruses use sophisticated tests to check whether they're running in a VM; if they are, they won't run. That prevents the antivirus companies dissecting them, since VMs are their preferred method of investigating malware: if the virus messes up the virtual machine, you simply stop the program and restart from the original, virus-free dataset.

Clearly, both the stock market and the virus writers think virtualisation is important enough to take note of. Since the focus of both is money, that also suggests it's a force which can't be ignored.

Copyright © 2001-2013 Computer Crime Research Center