'Crisis' malware targets VMware virtual machines
Security researchers have discovered a single piece of malware that is capable of spreading to four different platform environments, including Windows, Mac OSX, VMware virtual machines, and Windows Mobile devices.
First uncovered last month by security company Intego, Crisis was originally described as a Mac Trojan capable of intercepting e-mails and instant messages and tracking Web sites visited. Additional scrutiny by Symantec has found that the malware targets both OSX and Windows users with executable files for both operating systems.
Crisis is distributed using social engineering techniques designed to trick users into installing a JAR, or Java archive, file masquerading as an Adobe Flash installer. The malware then identifies the computer's OS and installs the corresponding executable (see diagram below).
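The dropper described above relies on the file's name, not its contents, to pass as a Flash installer. The check below is an added illustration, not code from the article or from Symantec: it identifies a Java archive by its ZIP signature and manifest regardless of what the file is called, and flags the mismatch when the name suggests an installer. The name fragments in `INSTALLER_HINTS` and the sample file names are assumptions constructed for the demonstration.

```python
import os
import tempfile
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
# Assumed name fragments a lure file would carry; tune to the environment.
INSTALLER_HINTS = ("flash", "adobe", "install", "update")


def is_java_archive(path):
    """True if the file is a ZIP container carrying a JAR manifest, whatever its name says."""
    with open(path, "rb") as fh:
        if fh.read(4) != ZIP_MAGIC:
            return False
    try:
        with zipfile.ZipFile(path) as zf:
            return "META-INF/MANIFEST.MF" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def classify_download(path):
    """Label a downloaded file by what it contains versus what its name suggests."""
    name = os.path.basename(path).lower()
    looks_like_installer = any(hint in name for hint in INSTALLER_HINTS)
    if not is_java_archive(path):
        return "not-a-jar"
    return "jar-posing-as-installer" if looks_like_installer else "jar"


def demo():
    """Constructed samples only: a harmless JAR with a lure-style name and a text file."""
    with tempfile.TemporaryDirectory() as d:
        lure = os.path.join(d, "AdobeFlashPlayer_update.jar")  # constructed name, not the real lure
        with zipfile.ZipFile(lure, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Installer\n")
            zf.writestr("Installer.class", b"\xca\xfe\xba\xbe")  # class-file magic only, no code
        plain = os.path.join(d, "AdobeFlashPlayer_update.txt")
        with open(plain, "w") as fh:
            fh.write("not an archive")
        return {"lure": classify_download(lure), "plain": classify_download(plain)}


if __name__ == "__main__":
    print(demo())
```

A download gateway or endpoint agent can apply `classify_download` to each new file and quarantine anything reported as `jar-posing-as-installer`; a legitimate Flash installer for Windows or OS X is a native executable or package, not a Java archive.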
"This may be the first malware that attempts to spread onto a virtual machine," Takashi Katsuki, a researcher with antivirus provider Symantec, wrote in a blog post Monday. "Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed, so this may be the next leap forward for malware authors."
Crisis spreads by searching for a VMware virtual machine image on the compromised computer. When it finds such an image, the malware copies itself onto the image using the VMware Player tool, which allows multiple operating systems to run on the same computer.
"It does not use a vulnerability in the VMware software itself," Katsuki wrote. "It takes advantage of an attribute of all virtualization software: namely that the virtual machine is simply a file or series of files on the disk of the host machine. These files can usually be directly manipulated or mounted, even when the virtual machine is not running."
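Because a powered-off VM is just files on the host, any change to those files while the guest is off must have come from the host side. The script below is an added example, not part of the article or of Symantec's analysis: it records SHA-256 digests of a VM's on-disk files and later reports files that changed while no VMware lock entry is present. The list of VMware file extensions and the `.lck` locking convention are assumptions about VMware Workstation/Player's layout, and the VM directory in `demo()` is constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Assumed on-disk artefacts that make up a VMware Workstation/Player virtual machine.
VM_EXTENSIONS = (".vmdk", ".vmx", ".vmxf", ".nvram", ".vmsd")


def sha256_file(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def vm_is_running(vm_dir):
    """Assumption: VMware places *.lck lock entries beside a powered-on VM's files;
    their absence means the disk files should be at rest and unchanged."""
    return any(name.endswith(".lck") for name in os.listdir(vm_dir))


def snapshot(vm_dir):
    """Map each VM file name to its SHA-256 digest."""
    return {
        name: sha256_file(os.path.join(vm_dir, name))
        for name in sorted(os.listdir(vm_dir))
        if name.endswith(VM_EXTENSIONS)
    }


def find_offline_changes(vm_dir, saved):
    """Return VM files that differ from the saved snapshot while the VM is powered off.
    Guest activity cannot explain such a change; something on the host wrote the file."""
    if vm_is_running(vm_dir):
        return []  # guest writes are expected while running; compare only at rest
    current = snapshot(vm_dir)
    changed = [name for name, digest in current.items() if saved.get(name) != digest]
    missing = [name for name in saved if name not in current]
    return sorted(changed + missing)


def demo():
    """Constructed scenario: baseline a fake VM directory, write into the disk image
    from the host, and show the check flags it only while the VM is off."""
    with tempfile.TemporaryDirectory() as vm_dir:
        disk = os.path.join(vm_dir, "guest.vmdk")
        with open(os.path.join(vm_dir, "guest.vmx"), "w") as fh:
            fh.write('config.version = "8"\n')
        with open(disk, "wb") as fh:
            fh.write(b"KDMV" + b"\x00" * 508)  # constructed stand-in for a VMDK header
        saved = snapshot(vm_dir)
        untouched = find_offline_changes(vm_dir, saved)

        with open(disk, "r+b") as fh:
            fh.seek(256)
            fh.write(b"host-side write")  # simulates a host tool modifying the image
        tampered = find_offline_changes(vm_dir, saved)

        os.mkdir(os.path.join(vm_dir, "guest.vmx.lck"))  # VM now appears powered on
        while_running = find_offline_changes(vm_dir, saved)
        return {"untouched": untouched, "tampered": tampered, "while_running": while_running}


if __name__ == "__main__":
    print(demo())
```

Run `snapshot` after each legitimate power-off and keep the result somewhere the host's user account cannot rewrite; then `find_offline_changes` at the next power-on tells you whether the image was touched in between. Because the check runs only at rest, it does not produce false positives from ordinary guest disk writes.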
The Windows version of Crisis can also spread to Windows Mobile devices connected to compromised computers by installing a module on the device. However, because it uses the Remote Application Programming Interface, it does not affect Android or iOS devices.
"We currently do not have copies of these modules and hence we are looking for them so we can analyze them in greater detail," Katsuki wrote.
Symantec said the malware has infected fewer than 50 machines.