Researchers in "Crisis" mode over virtual malware find

By Dan Kaplan on Aug 22, 2012 8:06 AM
Filed under Security

Rare trojan surfaces.

Researchers are analysing a rare piece of malware that is able to spread onto virtual machines from the host operating system.

Known as Crisis, the trojan was first detected in July by security firm Intego affecting Mac OS X systems. It's capable of recording keystrokes, recording webcams, tracking web traffic, taking screenshots and stealing data.

Researchers from Symantec said they have discovered a worm-like version of Crisis that also targets Windows. Like the Mac version, this strain is installed onto victims' machines if they visit a compromised website that pushes a malicious JAR file.

Crisis then searches its target system for a virtual machine component, and if it finds one, it has the ability to make a copy of itself so it can "mount" the virtual image.

"Whenever the virtual machine is actually turned on, the Crisis copy would also load at that point," Vikram Thakur, a principal security response manager for Symantec, said.

He said the trojan contains features he has never seen before.

"A virtual machine on anybody's computer...is essentially one large file which can be loaded with, for example, VMware Player," Thakur said. "What Crisis is doing is it gets on the host computer and looks around and says, 'Is there a VM file sitting around here somewhere?' If it finds it, it uses the same tools to mount [the virtual machine]."
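The defensive corollary of the behaviour described above is that a powered-off guest cannot legitimately change its own disk image, so any change to an offline image is something the host did. The following script is an added example (not code from the article, Symantec or Intego) that baselines image digests and flags offline images that changed between scans; the extension list, baseline format and the caller-supplied set of running images are assumptions.

```python
"""Flag host-side changes to VM disk images that were not in use by a running guest."""
import hashlib
import json
from pathlib import Path

# Disk-image extensions to watch (assumed list; extend for the hypervisors in use).
IMAGE_SUFFIXES = {".vmdk", ".vdi", ".vhd", ".vhdx", ".qcow2"}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream-hash a (possibly multi-gigabyte) image file without loading it whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_images(root: Path) -> dict:
    """Map every image file below root to its current SHA-256 digest."""
    return {
        str(p): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in IMAGE_SUFFIXES
    }


def find_tampered(baseline: dict, current: dict, running: set) -> list:
    """Return (path, reason) pairs for images that changed while their guest was off.

    `running` holds the image paths attached to powered-on guests (assumed to be
    supplied by the caller from the hypervisor); those may change legitimately and
    are skipped. Images that appeared or changed while offline are flagged.
    """
    flagged = []
    for path, digest in current.items():
        if path in running:
            continue
        if path not in baseline:
            flagged.append((path, "new image appeared"))
        elif baseline[path] != digest:
            flagged.append((path, "offline image modified"))
    return flagged


def load_baseline(path: Path) -> dict:
    """Read a previous scan; an absent file means this is the first run."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_baseline(current: dict, path: Path) -> None:
    """Persist the current scan as the baseline for the next comparison."""
    path.write_text(json.dumps(current, indent=2, sort_keys=True))
```

Run the scan on a schedule and keep the baseline file somewhere the host's users cannot write, or the same malware can rewrite the baseline along with the image.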

Normally malware purposely avoids running in virtual environments because its authors fear it is being studied. VMs are a common place for researchers to conduct malware analysis, but average users rarely run them, Thakur said.

"Most trojans bail when they detect a virtual machine," he said. "It's the other way around in this case. It has the capability and it wants to get on virtual machines."

The threat of Crisis is "extremely low," he said, and researchers have reportedly spotted only a couple dozen infections.

That may be due to an apparent link between Crisis and a commercial malware package sold by Italy-based Hacking Team. According to its website, the company's Remote Control System is only sold to government and law enforcement agencies and is "designed to evade encryption by means of an agent directly installed on the device to monitor."

Researchers at Intego first got their hands on the malicious code when a victim uploaded it to scanning portal VirusTotal. It appears the trojan was targeting "a group of independent Moroccan journalists who received an award from Google for their efforts during the Arab Spring revolution," researchers said in a July 26 blog post.

This article originally appeared at scmagazineus.com
Copyright © SC Magazine, US edition