Malware can take ugly leap forward to virtual machines

Aug 23, 2012 by Nancy Owano report

(Phys.org) -- A piece of malware categorized as a malicious rootkit can spread via an installer disguised as an Adobe Flash Player installer and is capable of spreading to four different platform environments, including Windows, Mac OSX, VMware virtual machines, and Windows Mobile devices. The news this week is that the malware, dubbed Crisis, not only affects Macs, as originally assumed, but these other systems as well. The discovery is an example of expert security companies building on each other’s efforts.

In July, security sleuths got the ball rolling in reporting that there was a Mac Trojan, dubbed Crisis, intercepting e-mails and tracking web sites. Kaspersky Lab said that it arrives on a compromised computer through a JAR file by using social engineering techniques. Symantec said it was beyond Mac and targeting Windows users. They saw executable files for more than one operating system.

For those who follow the well beaten path of tricks that malware authors use to lure victims, it all sounds too familiar. There they are again, the two words, . Crisis is distributed using social engineering techniques designed to trick users into installing a Java archive file masquerading as an Adobe Flash installer. It makes itself look like the installer and proceeds to deliver a corresponding JAR file to infect the system.

But there is something not at all familiar, rather, annoyingly new. “This may be the first malware that attempts to spread onto a ," said Takashi Katsuki, a researcher with Symantec.

He thinks of it as a very unwelcome leap forward. Malware threats in the past tend to terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed. Instead, this time, the malware authors have embraced VMware. Crisis can look for a VMware virtual machine image on the compromised computer and, finding it, the malware copies itself onto the image using the VMware Player tool.

The VMware Player tool allows multiple operating systems to run on the same computer. “VMware Player is the easiest way to run multiple operating systems at the same time on your PC,” according to the company’s site. “With its user-friendly interface, VMware Player makes it effortless for anyone to try out Windows 8 developer release, Windows 7, Chrome OS or the latest Linux releases, or create isolated virtual machines to safely test new software and surf the Web.”

According to Symantec, though, Crisis does not leverage any vulnerability in VMware’s software itself but merely takes advantage of an attribute of all virtualization software, that the virtual machine is a file or files on the disk of the host machine.

The Windows version of Crisis can spread to Windows connected to compromised computers by installing a module on the device. Android and iOS devices are not affected.

In sum, the malware can sneak into a VMware virtual machine and drop modules onto a Mobile device using Remote Application Programming Interface.

Its payback includes an ability to record Skype conversations, monitor instant messaging programs and track websites visited in Firefox or Safari.

Kaspersky Lab’s assessment has been that this is no work of amateurs. Sergey Golovanov, in a July posting, found the modules were written professionally and, “from the code we can see that the cybercriminals developed this Trojan in order to sell it on hacker forums.”

Similarly, Intego, an antivirus software company, pegged Crisis as "a very advanced and fully-functional threat," and noted that some of the malware's code originated with commercial spying software.

Symantec said the has infected less than 50 machines.

Explore further: SHORE facial analysis spots emotions on Google Glass

More information: www.symantec.com/connect/blogs… aks-virtual-machines

Related Stories

Adobe confirms zero-day danger in Reader and Acrobat

Dec 07, 2011

(PhysOrg.com) -- Adobe on Tuesday issued a critical security advisory for Adobe Reader and Acrobat. A vulnerability was detected and confirmed in Adobe Reader X (10.1.1) and earlier versions for Windows and ...

Apple's Boot Camp Now Supports Vista

Mar 30, 2007

The Mac maker will now support Microsoft's newest OS, as well as XP, with its Boot Camp software, which allows Windows to run on its Intel-based machines.

Apple out to kill widespread Macintosh virus

Apr 11, 2012

Apple said it is crafting a weapon to vanquish a Flashback virus from Macintosh computers and working to disrupt the command network being used by hackers behind the infections. ...

Recommended for you

Watching others play video games is the new spectator sport

8 hours ago

As the UK's largest gaming festival, Insomnia, wrapped up its latest event on August 25, I watched a short piece of BBC Breakfast news reporting from the festival. The reporter and some of the interviewees appeared baff ...

SHORE facial analysis spots emotions on Google Glass

Aug 28, 2014

One of the key concerns about facial recognition software has been over privacy. The very idea of having tracking mechanisms as part of an Internet-connected wearable would be likely to upset many privacy ...

Does your computer know how you're feeling?

Aug 22, 2014

Researchers in Bangladesh have designed a computer program that can accurately recognize users' emotional states as much as 87% of the time, depending on the emotion.

User comments : 0