The folks in Symantec’s research lab have found new behavior in the previously discovered Crisis malware package. In more technical terms: when the Windows component of the malware is run on a host machine that has VMware installed, Crisis mounts the VMware disk images it finds and copies itself into them. That way, every VMware image on the host ends up infected without the user being aware.
To break that down a bit more, let’s describe VMware a bit further. VMware creates an operating system within an operating system, kinda like Picture in Picture on a TV. Each virtual machine you create lives in a disk image, which VMware “mounts” as a drive for the guest, a little partition holding that copy of the operating system. For those of you who run OS X, you see drives mounted on the system all the time in Finder, like when you open an install (DMG) file or insert a thumb drive; they’re the items that show up with an eject symbol next to them. This is a similar idea, in a very general sense. What this Crisis variant does, when it’s run on a Windows system, is mount all those virtual disk images you created and copy itself into that operating system within your operating system. It treats each image as if it were a physical drive like a thumb drive and copies itself onto it. So when an infected user boots those images again, the malware will be spying on them without them being aware.
In order for this to happen, you have to be running the malware (initially) outside of a virtual machine. It’s not going to escape from one virtual machine directly into other images. So this does not invalidate the usefulness of virtual machines if you’re using VMware in a security research environment. It just means that this malware can be that much harder to find and eradicate on infected machines, especially if you don’t make a habit of scanning your virtual machines the way you would your physical machine.
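One host-side habit that catches exactly this kind of tampering is baselining the hashes of powered-off disk images: a .vmdk that nobody booted should not change. The script below is an added example, not code from the post or from Symantec; the directory layout, file names and file contents are constructed for the demo.

```python
# Added example (not from the original post): baseline the hashes of
# powered-off VMware disk images so a write made from the host, as this
# Crisis variant does, shows up as an unexplained change. Paths and file
# contents are constructed for the demo.
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a (possibly multi-gigabyte) file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each .vmdk under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p) for p in root.rglob("*.vmdk")}


def compare(baseline, current):
    """Images that changed, appeared or vanished since the baseline."""
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    return {"changed": changed,
            "added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current))}


def demo():
    """Constructed scenario: two idle images, one modified from the host."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for vm in ("lab-xp", "lab-win7"):
            (root / vm).mkdir()
            (root / vm / f"{vm}.vmdk").write_bytes(
                b"# Disk DescriptorFile\nversion=1\n" + vm.encode())
        before = build_baseline(root)
        # Simulate a host-side write into one powered-off image
        with (root / "lab-xp" / "lab-xp.vmdk").open("ab") as fh:
            fh.write(b"bytes written from the host while the VM was off")
        return compare(before, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Only images that stay powered off (templates, archived lab VMs) give a stable baseline; a running guest rewrites its disk constantly, so compare those after shutdown and snapshot instead.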