Researchers are analyzing a rare piece of malware that is able to spread onto virtual machines from the host operating system.
Known as Crisis, the trojan first was detected in July by security firm Intego affecting Mac OS X systems. It’s capable of recording keystrokes, recording webcams, tracking web traffic, taking screenshots and stealing data.
Now, researchers from Symantec said they have discovered a worm-like version of Crisis that also targets Windows. Like the Mac version, this strain is installed onto victims’ machines if they visit a compromised website that pushes a malicious JAR file.
Crisis then will search its target system for a virtual machine component, and if it finds one, it has the ability to make a copy of itself so it can “mount” the virtual image.
“Whenever the virtual machine is actually turned on, the Crisis copy would also load at that point,” Vikram Thadkur, a principal security response manager for Symantec, told SCMagazine.com on Tuesday.
He said the trojan contains features he has never seen before.
“A virtual machine on anybody’s computer…is essentially one large file which can be loaded with, for example, VMware Player,” Thadkur said. “What Crisis is doing is it gets on the host computer and looks around and says, ‘Is there a VM file sitting around here somewhere?’ If it finds it, it uses the same tools [such as VMware Player] to mount [the virtual machine].”
Normally malware purposely avoids running in virtual environments because its authors fear it is being studied. VMs are a common place for researchers to conduct malware analysis, but average users rarely run them, Thadkur said.
“Most trojans bail when they detect a virtual machine,” he said. “It’s the other way around in this case. It has the capability and it wants to get on virtual machines.”
The threat of Crisis is “extremely low,” he said, and researchers have reportedly spotted only a couple dozen infections.
That may be due to its apparent link between Crisis and a commercial malware package sold by Italy-based Hacker Team. According to its website, the company’s Remote Control System is only sold to government and law enforcement agencies and is “designed to evade encryption by means of an agent directly installed on the device to monitor.”
Researchers at Intego first got their hands on the malicious code when a victim uploaded it to scanning portal VirusTotal. It appears the trojan was targeting “a group of independent Moroccan journalists who received an award from Google for their efforts during the Arab Spring revolution,” researchers said in a July 26 blog post.