Google LLC today announced the general availability of VMTD, a service that can detect if hackers attempt to use a company’s cloud environment to mine cryptocurrency. 

VMTD stands for Virtual Machine Threat Detection. The service was first released in public preview earlier this year and has since been adopted by customers “around the world and in every industry,” Google Cloud senior product manager Timothy Peacock detailed in a blog post. Since the service’s initial release, Google has also added a number of new features. 

VMTD can detect if a Google Cloud customer’s cloud environment contains malware that hijacks infrastructure resources to mine cryptocurrency. Moreover, the service provides technical data about the malware to help administrators block it.

There are many cybersecurity products that can detect attempts by hackers to use a company’s infrastructure for cryptocurrency mining. Usually, such products require companies to install specialized programs known as agents in their cloud instances. The agents gather technical data about how each instance is used and scan the collected data for signs of malicious activity.

According to Google, VMTD can detect malware without requiring companies to install additional software in their cloud instances. It’s built directly into the hypervisor that powers Google Cloud’s data center infrastructure. Through the hypervisor, the service analyzes data about cloud instances to find crypto mining malware. 

According to Google, VMTD has several major advantages over traditional cybersecurity products. The software agents that traditional cybersecurity products install in cloud instances to detect malware can sometimes be disabled by hackers. VMTD doesn’t rely on software agents to detect malicious activity, which means that it can’t be disabled during a cyberattack. 

According to Google, VMTD also simplifies information technology teams’ day-to-day work. In a large cloud environment with upwards of thousands of instances, adding a cybersecurity agent to every instance can be a time-consuming process. VMTD, in contrast, can be deployed with a few clicks.

Since VMTD made its initial debut in February, Google has made enhancements that enable the service to scan cloud instances for malware more frequently. The service runs scans every 30 minutes and summarizes its findings at the end of each day. 

One way VMTD finds malware is by analyzing cloud instances’ memory usage patterns, which can provide insight into potentially malicious activity. Google has upgraded the service to scan the most important parts of cloud instances’ memory more often. Moreover, VMTD can now not only detect the presence of malware but also point out the specific software process that is mining cryptocurrency. 

Google plans to extend VMTD to additional cybersecurity use cases in the future. In particular, the company will equip the service with the ability to detect rootkits and bootkits, malicious programs that are often difficult to spot using traditional cybersecurity tools. According to Google, the fact that VMTD is integrated into its hypervisor enables the service to more effectively detect such programs. 

Image: Google