Skip to main content

Crisis Believed to be First Malware Infecting Virtual Machines

Instead of just infecting Macs, Crisis also infects Windows PCs as well as Windows Mobile devices and, for the first time, a VMware virtual machine. Security researchers originally believed that the malware was limited to simply monitoring the applications Adium, Firefox, Skype and MSN Messenger.

Crisis is distributed via social engineering and tricks a user into running a Java applet Flash installer. The malware then identifies the operating system and uses the respective executable file. The trojan is carried in a JAR (Java ARchive) file, which is based on the ZIP format and usually includes Java class files, metadata and resources in one file to distribute a Java application or Java libraries.

What makes Crisis interesting is that it appears to be specifically looking for virtualized environments and is therefore believed to be the first malware to spread onto a virtual machine. "The threat uses three methods to spread itself: One is to copy itself and an autorun.inf file to a removable disk drive, another is to sneak onto a VMware virtual machine, and the final method is to drop modules onto a Windows Mobile device," Symantec wrote on its blog.

In the case of the virtualized scenario, "the threat searches for a VMware virtual machine image on the compromised computer and, if it finds an image, it mounts the image and then copies itself onto the image by using a VMware Player tool." Symantec stressed that Crisis does not take advantage of a vulnerability in VMware, but exploits a characteristic of virtualization in general and the fact that "the virtual machine is simply a file or series of files on the disk of the host machine."

Contact Us for News Tips, Corrections and Feedback

  • master_chen
    NOOOOOOOOOOOOOOO~
    Reply
  • jaquith
    Well that sucks! It's going to be hard to get a handle on that one, just add one more JAVA exploit to the list.
    Reply
  • mylloc
    now, can it run crysis?
    Reply
  • JOSHSKORN
    LOL @ "infecting MACs". Yeah, I've heard this one before.,.."MACs don't get viruses"...
    Reply
  • master_chen
    myllocnow, can it run crysis?It runs on Crysis.
    Reply
  • Now, I see that it can infect VMs through the host, but is the reverse true? Can the host be infected by a virus through the VM?
    Reply
  • spartanmk2
    Java is malware by itself.
    Reply
  • manicmike
    Now, I see that it can infect VMs through the host, but is the reverse true? Can the host be infected by a virus through the VM?

    Excellent question... I expect we'll here more about this in a couple months (after it does some real damage). Just cuz they found one variant doesn't mean the threat is over... Just means they've identified one new family of threats to keep an eye one.
    Reply
  • nforce4max
    This is why I keep most of my machines of the net from now on, second those bloated windows updates grrr.
    Reply
  • jhansonxi
    M1A1DNow, I see that it can infect VMs through the host, but is the reverse true? Can the host be infected by a virus through the VM?Yes - in theory. The closest I've heard of is an exploit against the Xbox 360 VM which allowed virtualized software (most everything on the console) to get access to the hardware. But it was only used by some hackers to install Linux on it.
    Reply