Crisis: First Malware Infecting Virtual Machines Discovered, Affects Multiple Platforms

Initially discovered last month, this malware was thought to be a Mac-based Trojan capable of intercepting emails and instant messages, tracking user behaviour, turning on internal microphones and cameras to spy on users, and the like.

But, the researchers over at Symantec have found that this malware, dubbed Crisis, is a JAR (Java archive) file that masquerades as a legitimate Flash installer. Because of the manner in which it spreads, it can attack a wider variety of platforms and even virtual machines (VM).

Symantec believes that Crisis is probably the first one that spreads onto a VM. “This may be the first malware that attempts to spread onto a virtual machine,” notes Takashi Katsuki, a researcher at Symantec, in a blog post.

“Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed, so this may be the next leap forward for malware authors,” he added.

To infect a virtual machine, it doesn’t target any vulnerability in VMware. Crisis instead relies on one of the most basic techniques viruses have always used: copying itself into another file. When the malware encounters a Windows-based system it searches for VMware virtual machine images. Once found, the malware copies itself onto an image using VMware Player.

Katsuki wrote, “It takes advantage of an attribute of all virtualization software: namely that the virtual machine is simply a file or series of files on the disk of the host machine. These files can usually be directly manipulated or mounted, even when the virtual machine is not running.”

The above diagram is an overview of how the infection takes place. The first thing the Crisis JAR file does is check which platform it is running on. If it finds itself on an OS X system, Crisis accesses a Mach-O file that is capable of running on Macs. If it finds itself on a Windows system, it uses a standard Windows executable file to infect the PC, after which it infects any virtual machines by copying itself into their images. Crisis also contains a module that infects Windows Mobile devices as and when they are connected to a compromised Windows computer.
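One host-side check that follows from the point above, added here as an example and not code from Symantec or from the original post: hash the image files of a powered-off VMware guest and compare them with a baseline taken when the guest was last known clean, so that a modification made to the image from the host (the route Crisis takes) shows up at the next check. The directory layout and the set of watched file extensions are assumptions.

```python
"""Integrity baseline for powered-off VM image files (added example, not Symantec's code)."""
import hashlib
import json
from pathlib import Path

# VMware image components to watch. .vmdk (virtual disk), .vmx (config) and
# .nvram are real VMware extensions; the exact set to monitor is an assumption.
VM_FILE_SUFFIXES = {".vmdk", ".vmx", ".nvram"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so multi-GB disk images do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(vm_root: str) -> dict:
    """Map every VM image file under vm_root (relative POSIX path) to its hash and size."""
    root = Path(vm_root)
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in VM_FILE_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_of(p),
                "size": p.stat().st_size,
            }
    return baseline


def compare_to_baseline(vm_root: str, baseline: dict) -> dict:
    """Return image files that were modified, appeared, or vanished since the baseline.

    A 'modified' .vmdk on a guest that has not been powered on since the baseline
    was taken is exactly the host-side manipulation the article describes.
    """
    current = build_baseline(vm_root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def save_baseline(baseline: dict, out_file: str) -> None:
    Path(out_file).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_file: str) -> dict:
    return json.loads(Path(in_file).read_text())
```

Take the baseline right after a guest is shut down cleanly and store it somewhere the host's unprivileged users cannot write; a change reported while the guest stayed off is worth an investigation rather than a re-baseline.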

According to data from Symantec, only some 50 infections across the globe have been detected. But given that it masquerades as a Flash installer, that file transfer programs and instant messengers such as Skype, Adium and MSN Messenger are in ever wider use, and that it can tap into IM conversations, Crisis will definitely infect many more systems in the days to come.