When a malware-free VM is shut down, it releases its ram to the host. The host can then give the same area of ram to another VM that carries malware.
Can the malware see the previous VM's data traces left in ram? Or is ram wiped (filled with zeroes) before being given to a VM?
All of VMware's hypersior do not allow 'cross contamination" of VMs being held in memory - each memory page is stored independently. Once a VM is shut down the memory is relaesed and even if there is fingerprint left since the VM us shut down the malware will not be able to infect the VM -
The second VM has been previously infected, we are not concerned with a spread of the infection but with the existing malware accessing private data that the first VM left in memory.
If the first VM is shut down it will not be accessing memory and as I indicated there is no cross conatmination of memory between running VMs -
Are you implying no private data exists in the physical ram when the first VM has been shut down?
Yes - once the VM is shut down the memory is released
This is surprising to me because normal C applications using malloc() and free() in the host leave this data intact after they release the memory, which is taken advantage by certain malware trying to find out encryption keys after an encryption application has closed.
But not the vmware hypervisors? Do you say that as a result of some study of the innards of the hypervisors, or is it just a general concept of release of memory you are familiar with?
That is correct with a physical machine - in this case you have another layer - the virtual machine - which is assigned its memory - so when the irtual machine is shut down the VM memory is released back to the hypervisor ready to be used by other VMs or the Hypervisor itself -