
Crisis Believed to be First Malware Infecting Virtual Machines

Source: Symantec | 23 comments

Crisis, a previously detected trojan, has turned out to be much more sophisticated malware than originally described.

Rather than infecting only Macs, Crisis also infects Windows PCs and Windows Mobile devices and, for the first time, a VMware virtual machine. Security researchers originally believed that the malware was limited to monitoring the applications Adium, Firefox, Skype and MSN Messenger.

Crisis is distributed via social engineering and tricks a user into running a Java applet Flash installer. The malware then identifies the operating system and uses the respective executable file. The trojan is carried in a JAR (Java ARchive) file, which is based on the ZIP format and usually includes Java class files, metadata and resources in one file to distribute a Java application or Java libraries.

What makes Crisis interesting is that it appears to be specifically looking for virtualized environments and is therefore believed to be the first malware to spread onto a virtual machine. "The threat uses three methods to spread itself: One is to copy itself and an autorun.inf file to a removable disk drive, another is to sneak onto a VMware virtual machine, and the final method is to drop modules onto a Windows Mobile device," Symantec wrote on its blog.

In the case of the virtualized scenario, "the threat searches for a VMware virtual machine image on the compromised computer and, if it finds an image, it mounts the image and then copies itself onto the image by using a VMware Player tool." Symantec stressed that Crisis does not take advantage of a vulnerability in VMware, but exploits a characteristic of virtualization in general and the fact that "the virtual machine is simply a file or series of files on the disk of the host machine."
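Because a VMware guest is, as Symantec puts it, just a file or series of files on the host's disk, a defender can watch those files for writes that happen while the guest is powered off (a running guest legitimately rewrites its own disk). The script below is an added example, not Symantec's or the article's code: it builds a size-and-SHA-256 baseline of VM files under a directory, skips any VM directory that holds a VMware `.lck` lock directory (assumed here to indicate a powered-on guest), and reports files that changed, appeared or vanished. The file extensions, the `.lck` heuristic and the constructed `Win7-test` scenario are assumptions for illustration.

```python
import hashlib
import os
import tempfile

# Assumption: typical VMware Workstation/Player file types worth baselining.
VM_EXTENSIONS = {".vmdk", ".vmx", ".vmsd", ".vmsn", ".nvram"}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so multi-GB disk images don't load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each VM-related file under root (relative path, '/' separators) to (size, sha256).

    Directories that contain a '*.lck' entry are skipped: VMware creates those lock
    directories beside a powered-on guest, whose disk is expected to change (assumption).
    """
    baseline = {}
    for dirpath, dirs, files in os.walk(root):
        if any(d.endswith(".lck") for d in dirs):
            continue
        for name in files:
            if os.path.splitext(name)[1].lower() in VM_EXTENSIONS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = (os.path.getsize(full), sha256_file(full))
    return baseline


def compare(baseline, current):
    """Return files that changed, appeared or vanished between two baselines."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: a powered-off guest whose .vmdk is altered out of band."""
    with tempfile.TemporaryDirectory() as root:
        vm = os.path.join(root, "Win7-test")
        os.mkdir(vm)
        disk = os.path.join(vm, "Win7-test.vmdk")
        with open(disk, "wb") as f:
            f.write(b"# Disk DescriptorFile\n" + b"\x00" * 4096)  # constructed stand-in for an image
        with open(os.path.join(vm, "Win7-test.vmx"), "w") as f:
            f.write('.encoding = "UTF-8"\n')  # constructed config file, left untouched

        before = build_baseline(root)
        with open(disk, "r+b") as f:  # simulate a write to the image while the guest is off
            f.seek(2048)
            f.write(b"changed")
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    # Expected: only Win7-test/Win7-test.vmdk is reported as modified.
    print(demo())
```

In practice the baseline would be written to disk after each legitimate guest shutdown and compared on the next host scan; any `.vmdk` that changed while its guest was off is worth a closer look, since neither the hypervisor nor the guest should have touched it.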

Discuss
  • master_chen, August 24, 2012 4:25 PM (score: 16)
  • jaquith, August 24, 2012 4:27 PM (score: 11)
    Well that sucks! It's going to be hard to get a handle on that one, just add one more JAVA exploit to the list.
  • mylloc, August 24, 2012 4:30 PM (score: 16)
    now, can it run crysis?
  • JOSHSKORN, August 24, 2012 4:38 PM (score: 22)
    LOL @ "infecting MACs". Yeah, I've heard this one before... "MACs don't get viruses"...
  • master_chen, August 24, 2012 4:48 PM (score: 10)
    Quote (mylloc):
    now, can it run crysis?

    It runs on Crysis.
  • Anonymous, August 24, 2012 4:54 PM (score: 0)
    Now, I see that it can infect VMs through the host, but is the reverse true? Can the host be infected by a virus through the VM?
  • spartanmk2, August 24, 2012 4:55 PM (score: 11)
    Java is malware by itself.
  • manicmike, August 24, 2012 5:03 PM (score: 2)
    Quote:
    Now, I see that it can infect VMs through the host, but is the reverse true? Can the host be infected by a virus through the VM?


    Excellent question... I expect we'll hear more about this in a couple months (after it does some real damage). Just cuz they found one variant doesn't mean the threat is over... Just means they've identified one new family of threats to keep an eye on.
  • nforce4max, August 24, 2012 5:09 PM (score: -5)
    This is why I keep most of my machines off the net from now on, second those bloated Windows updates grrr.
  • jhansonxi, August 24, 2012 5:37 PM (score: 1)
    Quote (M1A1D):
    Now, I see that it can infect VMs through the host, but is the reverse true? Can the host be infected by a virus through the VM?

    Yes - in theory. The closest I've heard of is an exploit against the Xbox 360 VM which allowed virtualized software (most everything on the console) to get access to the hardware. But it was only used by some hackers to install Linux on it.
  • Maxor127, August 24, 2012 5:43 PM (score: 0)
    That's why I use Noscript with Java disabled.
  • Hiii, August 24, 2012 5:48 PM (score: 0)
    You guys hate Java? And if you do, why?
  • mouse24, August 24, 2012 6:08 PM (score: 1)
    Quote (nforce4max):
    This is why I keep most of my machines of the net from now on, second those bloated windows updates grrr.


    So you keep most of your machines from the net because things are "distributed via social engineering and tricks a user into running a Java applet Flash installer"? I take it you don't have a phone either because someone keeps tricking you into sending money to a prince in India? You can turn off Windows updates btw. Though you should keep installing the security patches.
  • danwat1234, August 24, 2012 6:10 PM (score: 0)
    I guess an encrypted VM volume would prevent this from happening?
  • fb39ca4, August 24, 2012 7:09 PM (score: 6)
    lol I just read the Crysis 3 article then I was like WTF since when is Crysis malware?
  • Marcus52, August 24, 2012 8:34 PM (score: 1)
    Quote (Hiii):
    You guys hate Java?, and if you do, why?


    Did you read the article?

    "Crisis is distributed via social engineering and tricks a user into running a Java applet Flash installer."

    Java is a security risk, and Flash is even worse. It's not a matter of "hating Java", it's a matter of caring about security when you connect to the internet.

    ;) 
  • A Bad Day, August 24, 2012 9:02 PM (score: 0)
    "Cloud computing is the future"

    And so are the new breeds of malware...
  • in_the_loop, August 24, 2012 9:06 PM (score: 2)
    Quote (Marcus52):
    Did you read the article?
    "Crisis is distributed via social engineering and tricks a user into running a Java applet Flash installer."
    Java is a security risk, and Flash is even worse. It's not a matter of "hating Java", it's a matter of caring about security when you connect to the internet.


    Now, don't put Java and Flash in the same bracket.
    Many people seem to confuse Java with JavaScript, which are two completely separate things.
    For example, when it is said that the Chrome browser is really fast for Java, it is really implicated to mean that it is fast for JavaScript, not Java the language.
    Most security risks come from JavaScript; the Java language isn't nearly as common as JavaScript on the web.
    And the so often nagging "update Java" from Oracle that has you update Java manually has nothing to do with the JavaScript that many people really think is Java.
    And in this exploit there is a third thing, the Java applet, which is based on Java the language, not JavaScript.

    Somebody else talked about using "NoScript" to block Java. I don't use NoScript, but isn't that blocking JavaScript and not Java? Or is it blocking both?
  • Hiii, August 24, 2012 11:39 PM (score: 0)
    Quote (Marcus52):
    Did you read the article?
    "Crisis is distributed via social engineering and tricks a user into running a Java applet Flash installer."
    Java is a security risk, and Flash is even worse. It's not a matter of "hating Java", it's a matter of caring about security when you connect to the internet.


    I did not, thank you for the answer.
  • the_brute, August 25, 2012 12:08 AM (score: 0)
    Sad, but now they know that it can happen and can start the hunt instead of the "phantom if". As for Windows updates, please tell me you are getting the security updates at least; an updated Windows is hard to get into. @in_the_loop thanks for posting that early.
    That said I hate all the Java & Flash exploits.