Crisis Malware Threatens Virtualized Environments

Friday, August 24, 2012

Pierluigi Paganini

03b2ceb73723f8b53cd533e4fba898ee

(Translated from the original Italian)

This is an hot summer and we undertaking a different malware perspective. We have already spoken of new malware developed for cyber espionage and of new fraud schemes based on malicious software diffusion.

Many experts used to avoid malware diffusion by making risky navigation and operations in a virtual environment, a paradigm that is having a great acceptance in the last year in computer centers due the great savings in terms of resources.

Today, many networks are totally based on virtualized machines... but what about their security? Are these environments really safe?

Lately news is circulating on the web that a Windows version of the Crisis Malware is able to infect VMware virtual machines.

The malware has been detected on VMware virtual machines on compromised hosts and it is able to copy itself onto an image by using a VMware Player tool.

What is important is to clarify is that the malware doesn't exploit any vulnerability in the virtualization engine, but uses the mechanism of storage of local files that could be manipulated by malicious applications.

Why did hear no news in the past of infected virtual machines?

In many cases, the malware designers implemented a feature that made them inactive when the host is a virtual machine to avoid to being discovered and analyzed.

Takashi Katsuki of Symantec explained in his blog post:

"Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed, so this may be the next leap forward for malware authors. It also has the functionality to spread to Windows Mobile devices by dropping modules onto Windows Mobile devices connected to compromised Windows computers"

Crisis Malware is an agent used to spy on victims by intercepting communications, and it is able to open a backdoor on the infected host once the user executes a Java archive (JAR) file made to look like an Adobe Flash Installer.

The malware has been developed for several OSs, and last month a Mac version had been isolated.

The malware has a long history, one of the oldest versions was detected during the Arab Spring when it was spread to spy on journalists, and it has been also been adopted by groups of criminals with the intent to steal banking credentials.

Lysa Myers from Intego's Mac Security Blog clarified that the malware could infect a virtual machine only after executed on an infected host. Outside of a virtual machine,  it’s not possible to infect ay image of a virtual environment without compromising the PC first.

This characteristic makes the trojan harder to detect especially in the absence of security protections on the virtualized environment.

Assuming we have a malware that is able to infect different environments such as Mac, Windows, virtual machines, and Windows Mobile, that represents an innovation for the way it spreads to the targets it attacks… we must not underestimate it!

Cross-posted from Security Affairs

Possibly Related Articles:
11965
Viruses & Malware
Information Security
malware Javascript Application Security Virtualization Espionage VMware Innovation Sniffer Crisis Malware
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.