Google Cloud Hypervisor Tweaked to Identify Cryptominers Without Agents 

Google Cloud Hypervisor Tweaked to Identify Cryptominers Without Agents 

Google has released a public beta of its new Virtual Machine Threat Detection (VMTD) system, which can identify cryptocurrency miners and other malware without requiring software agents. The ongoing targeting of threat actors who penetrate servers to install cryptominers is a massive challenge for developers and companies employing cloud-based virtual machines. These miners take advantage of the virtual machine’s GPU and CPU resources while degrading the performance of legitimate applications.

According to Google’s Threat Horizons Report for 2021, cryptocurrency miner infections account for over 86% of all incidences of cloud instance compromise. Cloud providers typically install software agents that operate as security software within the server to identify risks running on virtual machines. These agents, however, can degrade performance, and once a server has been hacked, threat actors can disable these agents before installing their malware.

Google Cloud developers used a novel strategy that does not rely on agents or extensive signal and telemetry data collecting to detect currency miners. Instead, programmers upgraded the Google Compute Engine hypervisor, the core emulation software that virtual machines operate on, to incorporate scanning features that look for suspicious behavior in the VM’s memory and potential network requests.

“Traditional endpoint security relies on deploying software agents inside a guest virtual machine to gather signals and telemetry to inform runtime threat detection,” clarifies Google while announcing this new feature. “But as is the case in many other areas of infrastructure security, cloud technology offers the ability to rethink existing models.”

“For Compute Engine, we wanted to see if we could collect signals to aid in threat detection without requiring our customers to run additional software.”

As a result, performance is unaffected because software agents are no longer necessary. Yesterday was the first day of a public preview for the Virtual Machine Threat Detection (VMTD) function, which can be turned on via the Security Command Center. On GitHub, Google has also published an inactive miner that administrators may use to test whether they’ve applied the necessary settings to their instances. 

Google Cloud assures its customers that maintaining their faith in the service is a top concern, and the VMTD workload assessments will not jeopardize that. VMTD will not process confidential nodes’ memory because it is encrypted anyhow. It will also continue to be an opt-in service that users may choose to use or not use.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.

Share: