Malware can take ugly leap forward to virtual machines

Aug 23, 2012 by Nancy Owano report

(Phys.org) -- A piece of malware categorized as a malicious rootkit can spread via an installer disguised as an Adobe Flash Player installer and is capable of spreading to four different platform environments, including Windows, Mac OSX, VMware virtual machines, and Windows Mobile devices. The news this week is that the malware, dubbed Crisis, not only affects Macs, as originally assumed, but these other systems as well. The discovery is an example of expert security companies building on each other’s efforts.

In July, security sleuths got the ball rolling in reporting that there was a Mac Trojan, dubbed Crisis, intercepting e-mails and tracking web sites. Kaspersky Lab said that it arrives on a compromised computer through a JAR file by using social engineering techniques. Symantec said it was beyond Mac and targeting Windows users. They saw executable files for more than one operating system.

For those who follow the well beaten path of tricks that malware authors use to lure victims, it all sounds too familiar. There they are again, the two words, . Crisis is distributed using social engineering techniques designed to trick users into installing a Java archive file masquerading as an Adobe Flash installer. It makes itself look like the installer and proceeds to deliver a corresponding JAR file to infect the system.

But there is something not at all familiar, rather, annoyingly new. “This may be the first malware that attempts to spread onto a ," said Takashi Katsuki, a researcher with Symantec.

He thinks of it as a very unwelcome leap forward. Malware threats in the past tend to terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed. Instead, this time, the malware authors have embraced VMware. Crisis can look for a VMware virtual machine image on the compromised computer and, finding it, the malware copies itself onto the image using the VMware Player tool.

The VMware Player tool allows multiple operating systems to run on the same computer. “VMware Player is the easiest way to run multiple operating systems at the same time on your PC,” according to the company’s site. “With its user-friendly interface, VMware Player makes it effortless for anyone to try out Windows 8 developer release, Windows 7, Chrome OS or the latest Linux releases, or create isolated virtual machines to safely test new software and surf the Web.”

According to Symantec, though, Crisis does not leverage any vulnerability in VMware’s software itself but merely takes advantage of an attribute of all virtualization software, that the virtual machine is a file or files on the disk of the host machine.

The Windows version of Crisis can spread to Windows connected to compromised computers by installing a module on the device. Android and iOS devices are not affected.

In sum, the malware can sneak into a VMware virtual machine and drop modules onto a Mobile device using Remote Application Programming Interface.

Its payback includes an ability to record Skype conversations, monitor instant messaging programs and track websites visited in Firefox or Safari.

Kaspersky Lab’s assessment has been that this is no work of amateurs. Sergey Golovanov, in a July posting, found the modules were written professionally and, “from the code we can see that the cybercriminals developed this Trojan in order to sell it on hacker forums.”

Similarly, Intego, an antivirus software company, pegged Crisis as "a very advanced and fully-functional threat," and noted that some of the malware's code originated with commercial spying software.

Symantec said the has infected less than 50 machines.

Explore further: Hong Kong democracy protesters flock to new messaging app

More information: www.symantec.com/connect/blogs… aks-virtual-machines

Related Stories

Adobe confirms zero-day danger in Reader and Acrobat

Dec 07, 2011

(PhysOrg.com) -- Adobe on Tuesday issued a critical security advisory for Adobe Reader and Acrobat. A vulnerability was detected and confirmed in Adobe Reader X (10.1.1) and earlier versions for Windows and ...

Apple's Boot Camp Now Supports Vista

Mar 30, 2007

The Mac maker will now support Microsoft's newest OS, as well as XP, with its Boot Camp software, which allows Windows to run on its Intel-based machines.

Apple out to kill widespread Macintosh virus

Apr 11, 2012

Apple said it is crafting a weapon to vanquish a Flashback virus from Macintosh computers and working to disrupt the command network being used by hackers behind the infections. ...

Recommended for you

Microsoft to offer early look at next Windows

22 hours ago

Microsoft plans to offer a glimpse of its vision for Windows this week, as its new CEO seeks to redefine the company and recover from missteps with its flagship operating system.

User comments : 0