Crisis malware targets virtual machines

Summary: Researchers have found that the Crisis malware rootkit can spread via virtual machines, Windows Mobile phones, Mac OS and Windows.

Crisis, also known as Morcut, is a rootkit which infects both Windows and Mac OS X machines using a fake Adobe Flash Player installer. Discovered in July, the trojan OSX.Crisis targets Windows and Mac OS users and is able to record Skype conversations, capture traffic from instant messaging, and track websites visited in Firefox or Safari.

However, it has now come to light that the malware can be spread in four different environments -- including virtual machines.

It is spread through "social engineering attacks" -- in other words, it tricks a user into running a Java applet posing as a Flash installer; the applet detects the operating system and launches the matching trojan installer from a JAR file. Both of the released executables open a back door, compromising the computer.

Originally, it was believed the malware could only spread on these two operating systems. However, Symantec has found a number of additional means of replication. One method is to copy itself to a removable disk drive together with an autorun.inf file, another is to insinuate itself onto a VMware virtual machine, and the final way is to drop modules onto a Windows Mobile device.
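
The removable-drive vector above relies on an autorun.inf file that tells Windows what to run when the drive is inserted. The following defender-side check is an added example, not Symantec's code or anything recovered from the Crisis sample: it parses an autorun.inf and flags the keys (`open`, `shellexecute`, `shell\<verb>\command`) that would launch a program. The two autorun.inf texts embedded in it are constructed for the demonstration.

```python
"""Flag autorun.inf entries that would launch a program from removable media.

Added, defender-side example for the removable-drive vector the article
describes; it is not Symantec's code, and the sample autorun.inf texts
below are constructed for the demonstration, not taken from Crisis.
"""

# [autorun] keys that run a program directly.
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Return the [autorun] section as a list of (key, value) pairs.

    A tiny INI reader is used instead of configparser because autorun.inf
    keys such as shell\\open\\command contain backslashes and Windows
    matches the section name case-insensitively.
    """
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries.append((key.strip().lower(), value.strip()))
    return entries


def inspect_autorun(text):
    """Classify an autorun.inf: which entries launch code, and is it risky?"""
    entries = parse_autorun(text)
    launch_entries = []
    for key, value in entries:
        # open= / shellexecute= run a program; shell\<verb>\command= defines
        # what a context-menu verb executes. Any of these means code runs.
        is_verb_command = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb_command:
            launch_entries.append((key, value))
    return {
        "entries": entries,
        "launch_entries": launch_entries,
        "risky": bool(launch_entries),
    }


# Constructed sample resembling what autorun malware drops (not a real artifact).
SUSPICIOUS_AUTORUN = """\
[AutoRun]
open=setup.exe
shell\\open\\command=setup.exe
icon=setup.exe,0
label=Removable Disk
"""

# Constructed benign sample: only cosmetics, nothing executes.
BENIGN_AUTORUN = """\
[autorun]
icon=drive.ico
label=Backup
"""


if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_AUTORUN), ("benign", BENIGN_AUTORUN)):
        result = inspect_autorun(text)
        print(name, "risky" if result["risky"] else "clean", result["launch_entries"])
```

Run against a mounted drive's root, `inspect_autorun(open(path).read())` gives a quick triage signal; on current Windows versions AutoRun from removable media is disabled by default, so this matters most for the older systems the article is concerned with.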

Katsuki writes on the official Symantec blog:

"The threat searches for a VMware virtual machine image on the compromised computer and, if it finds an image, it mounts the image and then copies itself onto the image by using a VMware Player tool. This may be the first malware that attempts to spread onto a virtual machine."

This is the first time malware targeting virtual machines has been exposed. Symantec stresses, however, that no security loophole or vulnerability in the VMware software itself is being exploited. Instead, the Crisis trojan takes advantage of the form a virtual machine takes on the host: the VM is nothing more than one or more files on the disk of the physical machine. Even when the virtual machine is not running, those files can still be mounted or manipulated by malicious code.
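
Because a powered-off guest is just files on the host, tampering with it leaves a trace in those files, and a baseline of their hashes makes that tampering visible. The script below is an added example from the defender's side, not Symantec's or VMware's code: it records a SHA-256 baseline of a VMware guest's on-disk files, then re-scans and reports anything added, removed or modified. The guest directory and the sample .vmx/.vmdk/.vmsd contents it creates are constructed stand-ins, and the "tampering" step simply appends bytes to the virtual disk to show what the comparison catches.

```python
"""Detect offline tampering with VMware virtual machine files.

Added example illustrating the point above (a VM is just files on the host
disk, which can be altered while it is powered off). It is not Symantec's
or VMware's code; the directory layout and the sample .vmx/.vmdk contents
below are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile

# File types that make up a VMware guest on disk. The .vmx config and the
# .vmdk disk(s) are what an attacker would alter to plant code in the guest.
# Volatile files (.log, .vmem, lock files) are deliberately not included.
VM_EXTENSIONS = (".vmx", ".vmdk", ".vmsd", ".vmxf", ".nvram")


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so multi-GB disks do not need RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(vm_dir):
    """Map each VM file (path relative to vm_dir) to its SHA-256 and size."""
    baseline = {}
    for root, _dirs, files in os.walk(vm_dir):
        for name in files:
            if name.lower().endswith(VM_EXTENSIONS):
                path = os.path.join(root, name)
                rel = os.path.relpath(path, vm_dir)
                baseline[rel] = {"sha256": hash_file(path), "size": os.path.getsize(path)}
    return baseline


def compare_baselines(old, new):
    """Report files added, removed or modified between two baselines."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in common if old[k]["sha256"] != new[k]["sha256"]),
    }


def demo():
    """Build a constructed VM folder, take a baseline, tamper, re-check."""
    with tempfile.TemporaryDirectory() as vm_dir:
        # Constructed stand-ins for a powered-off guest's files.
        with open(os.path.join(vm_dir, "guest.vmx"), "w") as f:
            f.write('displayName = "guest"\nscsi0:0.fileName = "guest.vmdk"\n')
        with open(os.path.join(vm_dir, "guest.vmdk"), "wb") as f:
            f.write(b"\x00" * 4096)  # stand-in for virtual disk contents
        with open(os.path.join(vm_dir, "guest.vmsd"), "w") as f:
            f.write('snapshot.lastUID = "0"\n')

        # The baseline would normally be written to storage the host malware
        # cannot reach; here it round-trips through JSON to show the format.
        baseline_json = json.dumps(build_baseline(vm_dir), indent=2, sort_keys=True)

        # Simulate what the article describes: the image is changed while the
        # VM is not running (here, bytes appended to the virtual disk), and a
        # new file appears beside the guest.
        with open(os.path.join(vm_dir, "guest.vmdk"), "ab") as f:
            f.write(b"injected")
        with open(os.path.join(vm_dir, "extra.vmdk"), "wb") as f:
            f.write(b"\x01" * 16)

        return compare_baselines(json.loads(baseline_json), build_baseline(vm_dir))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison is only meaningful for guests that are powered off between scans: a running VM rewrites its disks constantly, so the check belongs in a scheduled job over archived or dormant images, with the baseline kept somewhere the host's own user account cannot write.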

"Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed, so this may be the next leap forward for malware authors," Katsuki writes.

However, there is good news for iOS and Android device users. Because the mobile component relies on Microsoft's Remote Application Programming Interface (RAPI), these systems are not exposed to the same risk as Windows phone models.

Symantec software detects the JAR file as Trojan.Maljava, the threat for Mac as OSX.Crisis, and the threat for Windows as W32.Crisis. Crisis was first discovered by Kaspersky Lab researchers last month.

Computer World reports that security researchers from Intego have suggested Crisis has ties to a trojan program originally licensed to authorities for surveillance purposes.

  • Uhm...

    Make up your mind. Is it Windows Mobile or Windows Phone? You do know the difference, right?
    • Re: You do know the difference, right?

      Yeah, one is from Microsoft, and the other is ... from Microsoft.
    • windows phone

      I don't think she does know the difference. Windows Phone models are as immune to this malware as are Android and iOS devices. It only infects the Windows Mobile (6.x) devices, and only when they are plugged into an infected computer.
      • Correction

        She absolutely does know the difference. What we're dealing with here is an insidious iOS evangelist spreading FUD against WP. Given the currently very low market share of WP, you may be tempted to ask why. But then, so far, WP hasn't had confirmed malware, whereas Android and iOS have. The credible element regarding thumb drives and VMware is merely an attempt to lend credence to the attack on WP. Unfortunately, all the iOS and Android fanboys will merely take the story at face value and proclaim WP is a leaky OS.
  • Solution

    Remove Java unless you absolutely cannot live without it. The same goes for Adobe's Flash. Millions of iOS devices get along just fine without those 2 bug-infested malware gates.
    • Better Solution

      Upgrade to Linux. An Ubuntu Live CD will instantly patch all of your Windows vulnerabilities, you just need to select the "use entire drive" option.
  • Just Proves

    That the weakest link in security is always the user. PICNIC (Problem In Chair, Not In Computer).