Crisis Trojan First Malware to Target Virtual Machines

[err0r]

Researchers have discovered additional capabilities within the Crisis financial malware, namely that it also spread via virtual machines.

 

Crisis, also known as Morcut, is a malicious rootkit which infects both Windows and Mac OS X machines using a fake Adobe Flash Player installer, Takashi Katsuki, a software engineer at Symantec Security Response, wrote on the company blog. The installer was actually a Java archive (JAR) file which had been digitally signed by VeriSign.

 

The JAR file contained two executables, one to infect Mac OS X and the other to infect Windows. The malware checks the operating system of the infected machine and drops the appropriate executable to open a backdoor onto the compromised computer, Katsuki said. The Windows executable can spread using one of the following mechanisms: copying itself and an autorun.inf file to a removable disk, infecting a VMware virtual machine by copying itself into the image, and dropping modules onto a Windows mobile device, Katsuki wrote.

 

While this is the first instance of a malware targeting virtual machines, Katsuki was quick to emphasize that the malware wasn't exploiting vulnerabilities in VMware's software. Rather, the malware was targeting how virtual machines are stored locally as files on the host machine, Katsuki said. The files that represent the VM can usually be directly manipulated or mounted, even when the VM is not active, he said.

 

"Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed, so this may be the next leap forward for malware authors," said Katsuki.

 

Advanced Capabilities

The newly discovered capability is a sign that the developers behind Crisis are still working hard at making new and more advanced versions, Intego Security's Lysa Myers told Security Watch. This version may have targeted malware researchers and other highly-security conscious users, as they are the ones likely to be using VMs in order to limit damage from running suspicious files, Myers said.

 

"This is indeed a surprising development, as this is the first malware to spread by this means," Myers said.

 

The malware also uses the Windows remote application programming interface to drop attack modules onto any Windows Mobile devices that are connected to a Windows PC, Katsuki said. However, Symantec has yet to see any actual Windows Mobile attack modules.

 

Commercial Origins?

Crisis was first discovered by Kaspersky Lab researchers last month. Intego Security also identified a maliciously-crafted Java applet which contained a known Flash exploit and shellcode to connect to an IP address used by other Crisis variants. Crisis was designed to spy on online communications, such as recording Skype calls, recording instant messages, and taking screenshots of Web browsing activities, as well as stealing financial details.

 

There have been a number of malware attacks against activists and not-for-profits, Myers noted on the Intego blog. Earlier this year, there were several specially-crafted Word documents targeting Tibetan non-governmental organizations. Crisis was observed in a targeted attack against a group of independent Moroccan journalists who were recently recognized for their efforts during the Arab Spring revolution.

 

There are hints that Crisis originally began life as part of a commercial malware package sold mostly in the US and Europe before being packaged for hacker forums. The company behind the commercial version, Remote Control System DaVinci, targets the software for government surveillance, Myers wrote. Priced at 200,000 Euros, it's unlikely Crisis will be ever used in anything other than targeted attacks, she said.

 

"If you are the intended target, it’s very important that you have good security measures," Myers said.

 

Source: PCMag