New Malware Can Infect VMware Virtual Machines, Windows Mobile Devices
A new malware dubbed OSX Crisis can compromise Windows mobile devices, infect removable USB drives and may be the first virus to threaten VMware virtual machines, according to a Symantec blog and published reports. The latest updates suggest the malware risks are worse than originally thought.
The Crisis Trojan, discovered in late July by Intego, an Apple Mac security specialist, attacks Mac Snow Leopard and Lion but does not run on Mountain Lion. Symantec is now reporting that the Windows version of Crisis can copy itself and an autorun.inf file to a removable disk drive, slip onto a VMware virtual machine, and install modules on Windows Mobile devices connected to the infected computer.
“This may be the first malware that attempts to spread onto a virtual machine,” wrote Takashi Katsuki, a Symantec security researcher. “Crisis malware has functionality to spread to four different environments: Mac, Windows, virtual machines, and Windows Mobile. It is an advanced threat not only in function, but also in the way it spreads.”
Kaspersky Labs uncovered that Crisis uses social engineering to get users to run a Java archive containing two executable files, one for Windows and one for Mac. The archive checks the targeted computer’s operating system, launches the matching executable, and opens a back door on the compromised machine.
ThreatMetrix reported that Crisis can take screenshots on the infected computer, copy address books and calendars, capture webcam images, download and upload files, copy the clipboard, record sound, monitor Skype chats and log visited web sites.
To this point, Crisis only affects Windows Mobile devices and not Android or iPhone smartphones, Katsuki said. Of particular concern is that Symantec’s security team doesn’t yet understand the mobile modules Crisis installs. “We currently do not have copies of these modules and hence we are looking for them so we can analyze them in greater detail,” said Katsuki.
With VMware virtual machines, should Crisis find a virtual machine image on the infected computer, it mounts the image and copies itself onto it using a VMware Player tool. The malware doesn’t exploit a vulnerability in the VMware software itself, Katsuki wrote, but instead takes advantage of a characteristic of virtualization software: a virtual machine’s disk is stored as a file or series of files on the host machine’s disk, and those files can be mounted and manipulated even when the virtual machine is not running.
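Because a powered-off guest’s disk is just a set of host files, a defender can baseline those files and flag any change that happens while the VM is dormant. The following Python script is an added example written for this article, not code from Symantec, Intego, Kaspersky or VMware; it hashes the VMware disk files (.vmdk) under a VM directory, stores the digests as a baseline taken while the guest is powered off, and later reports images that were modified, added or removed. The directory layout, file names and contents in demo() are constructed stand-ins, not real virtual disks.

```python
import hashlib
import tempfile
from pathlib import Path

# VMware stores a guest's virtual disk as one or more .vmdk files on the host.
VM_DISK_SUFFIXES = {".vmdk"}


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large disk images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(vm_dir):
    """Map each VM disk file (relative path) under vm_dir to its SHA-256.

    Take the baseline only while the guest is powered off: a running VM
    writes to its disk files constantly, so the digests would never match.
    """
    vm_dir = Path(vm_dir)
    manifest = {}
    for path in sorted(vm_dir.rglob("*")):
        if path.is_file() and path.suffix.lower() in VM_DISK_SUFFIXES:
            manifest[str(path.relative_to(vm_dir))] = hash_file(path)
    return manifest


def check_manifest(vm_dir, baseline):
    """Compare the current disk files against a baseline manifest.

    Returns sorted lists of images whose digest changed, images that vanished,
    and images that appeared. Any entry for a VM that should have stayed
    powered off means something touched the image offline.
    """
    current = build_manifest(vm_dir)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed scenario: baseline two fake disk files, then simulate an
    offline write to one of them and the appearance of a third."""
    with tempfile.TemporaryDirectory() as tmp:
        vm = Path(tmp) / "GuestVM"
        vm.mkdir()
        # Constructed placeholder contents; these are not valid VMDK images.
        (vm / "GuestVM.vmdk").write_bytes(b"KDMV" + b"\x00" * 512)
        (vm / "GuestVM-s001.vmdk").write_bytes(b"\x00" * 1024)
        (vm / "GuestVM.vmx").write_text('displayName = "GuestVM"\n')  # config, not hashed

        baseline = build_manifest(vm)  # taken while the "guest" is powered off

        # Simulate a write to the dormant image and a newly dropped extent.
        with open(vm / "GuestVM-s001.vmdk", "r+b") as f:
            f.seek(100)
            f.write(b"offline change")
        (vm / "GuestVM-s002.vmdk").write_bytes(b"\x00" * 64)

        return check_manifest(vm, baseline)


if __name__ == "__main__":
    print(demo())
```

Legitimate operations (snapshots, disk expansion, a deliberate mount) also change these files, so the check is most useful for images that are supposed to stay untouched, such as golden images or analysis sandboxes, and it only gives a clean signal when the baseline and the later comparison are both taken with the guest powered off.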
“Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed, so this may be the next leap forward for malware authors,” Katsuki wrote.