Crisis malware targets virtual machines

Researchers have found that the Crisis rootkit can spread to virtual machines, Windows Mobile phones, Mac OS X and Windows.
Written by Charlie Osborne, Contributing Writer

Crisis, also known as Morcut, is a rootkit which infects both Windows and Mac OS X machines using a fake Adobe Flash Player installer. Discovered in July, the trojan OSX.Crisis targets Windows and Mac OS users and is able to record Skype conversations, capture traffic from instant messaging, and track websites visited in Firefox or Safari.

However, it has now come to light that the malware can be spread in four different environments -- including virtual machines.


It is spread through "social engineering attacks" -- in other words, it tricks a user into running a Java applet posing as a Flash installer, which detects the operating system and launches the matching trojan installer from a JAR file. Both of the dropped .exe files open a back door, compromising the computer.

Originally, it was believed the malware could only spread on these two operating systems. However, Symantec has found a number of additional means of replication. One method is the ability to copy itself and create an autorun.inf file to a removable disk drive, another is to insinuate itself onto a VMware virtual machine, and the final way is to drop modules onto a Windows Mobile device.

Katsuki writes on the official Symantec blog:

"The threat searches for a VMware virtual machine image on the compromised computer and, if it finds an image, it mounts the image and then copies itself onto the image by using a VMware Player tool. This may be the first malware that attempts to spread onto a virtual machine."

This is the first time malware targeting virtual machines has been exposed, but Symantec insists that this is not due to security loopholes or vulnerabilities in the VMware software itself being exploited. Rather, the Crisis trojan takes advantage of how a VM is stored -- namely that the VM is nothing more than one or more files on the disk of the host machine. Even if the virtual machine is not running, these files can still be mounted or manipulated by malicious code running on the host.
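Because a powered-off guest is just files on the host, a defender can baseline those files and alert on changes made while no VM is running. The following is an added example, not code from the article or from Symantec; it assumes the usual VMware guest file extensions and that VMware leaves `*.lck` entries beside a running guest.

```python
# Added example: integrity check for VMware guest files at rest.
# Changes to image files while the guest is powered off are suspicious,
# since only host-side software (or malware) could have made them.
import hashlib
from pathlib import Path

# Assumption: file types that make up a VMware guest on disk.
VM_EXTENSIONS = {".vmdk", ".vmx", ".nvram", ".vmsd"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(vm_dir: Path) -> dict:
    """Hash and size every guest file under vm_dir, keyed by relative path."""
    return {
        str(p.relative_to(vm_dir)): {"sha256": sha256_file(p), "size": p.stat().st_size}
        for p in sorted(vm_dir.rglob("*"))
        if p.is_file() and p.suffix.lower() in VM_EXTENSIONS
    }


def is_powered_on(vm_dir: Path) -> bool:
    # Assumption: VMware creates *.lck lock entries next to a running guest.
    return any(p.suffix == ".lck" for p in vm_dir.rglob("*.lck"))


def diff(baseline: dict, current: dict) -> list:
    """Return human-readable findings for new, modified and missing files."""
    findings = []
    for name, meta in current.items():
        if name not in baseline:
            findings.append(f"NEW {name}")
        elif meta["sha256"] != baseline[name]["sha256"]:
            findings.append(f"MODIFIED {name}")
    findings.extend(f"MISSING {name}" for name in baseline if name not in current)
    return findings


def audit(vm_dir: Path, baseline: dict) -> list:
    """Compare against the baseline; only meaningful while the guest is off."""
    if is_powered_on(vm_dir):
        return ["SKIP: guest appears to be running; disk changes are expected"]
    return diff(baseline, snapshot(vm_dir))
```

Take the baseline with `snapshot()` right after the guest is shut down and run `audit()` periodically; any MODIFIED or NEW finding while the guest stays off deserves a look.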

"Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed, so this may be the next leap forward for malware authors," Katsuki writes.

However, there is good news for iOS and Android device users. As it uses the Remote Application Programming Interface (RAPI), these systems are not held hostage by the same vulnerabilities as Windows phone models.

Symantec software detects the JAR file as Trojan.Maljava, the threat for Mac as OSX.Crisis, and the threat for Windows as W32.Crisis. Crisis was first discovered by Kaspersky Lab researchers last month.

Computer World reports that security researchers from Intego have suggested Crisis is connected to a trojan program originally licensed to authorities for surveillance purposes.
