Security Experts:

Crisis Malware Able to Hijack Virtual Machines

Researchers Say Crisis May be the First Malware that Attempts to Spread Onto a Virtual Machine

Crisis, the malware that was discovered last month in a repository, is unique in that it has several features, including the ability to infect Windows and Macintosh installations. However, on the Windows side, Crisis can also target VM images Symantec says, making the malware two times the threat it once was.

Symantec, building on analysis from security firms such as Kaspersky Lab and Intego, discovered that the JAR file that is used to infect a given system has an additional payload for Windows.

Mac OS X Malware

“The threat uses three methods to spread itself: one is to copy itself and an autorun.inf file to a removable disk drive, another is to sneak onto a VMware virtual machine, and the final method is to drop modules onto a Windows Mobile device,” Symantec explained in a blog post.  

“This may be the first malware that attempts to spread onto a virtual machine. Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed, so this may be the next leap forward for malware authors.”

When it comes to Windows Mobile, Symantec says they are still looking for actual examples of the modules. They have the proof that Crisis has the ability to target WinMo, but the modules themselves are not available.

Every security firm in the world who has a tie to the Virus Total submission list got a copy of Crisis. It would appear that the authors submitted it in order to see how well (or poorly) it was detected.

While the malware itself hasn’t been used in any widespread attack, and most vendors have basic detections for it, the developers have upped the stakes it seems when it comes to attack vectors.

Additional coverage on Crisis is here and here.   

Related Reading: Report Examines Code Behind Crisis Trojan Targeting Mac OS X

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.