Security experts have discovered a virus strain that compromises VMware virtual machines, and is infecting Mac OS X, Windows computers as well as Windows Mobile devices.
This virus strain has capabilities that have yet to be seen before, the Crisis malware normally arrives in a Java archive file (.jar). It is typically installed by posing as a Flash Player Java applet to trick a victim into opening it, letting the Crisis malware onto the PC. This archive contains executable files (.exe). And the malware is able to detect which platform it is running on and serve up the correct variant, targeting Apple and Windows operating systems.
According to a Kaspersky Lab Expert, once launched the worm puts in place a rootkit to hide itself from view; installs spyware to record the user’s every move on the computer; and opens a backdoor to the IP address 126.96.36.199, allowing miscreants to gain further access to the machine. The code is also said to survive after a system reboots.
The Windows variant of the virus will snoop into these user applications: Firefox, Internet Explorer, Chrome, Microsoft Messenger, Skype, Google Talk and Yahoo! Messenger. It will also shut off any anti-virus programs, log keypresses, download and upload files, lift the contents of the user’s clipboard, take screenshots, and record from the computer’s webcam and mic.
The Mac variant is very similar to Windows. It monitors Adium, Mozilla, Firefox, MSN Messenger (for Mac) and Skype, and records keystrokes. But on Mac OS X, the user does not need administrative privileges to install the software although its functionality is affected if there is insufficient information used. With admin-level access, the virus can slot in the rootkit.
According to The Register Crisis uses three methods to spread itself from Windows desktops: it can copy itself and an autorun.inf file to a removable drive in order to infect the next machine the storage stick is plugged into; it can sneak onto virtual machines; and it can drop modules onto a Windows Mobile device.
The virus does not use a vulnerability in the VMware software, it relies on a feature that allows the virtual machine’s files to be manipulated while it is not even running. The virus searches for the virtual machines images on the Windows PC and attempts to copy itself onto the system using a VMware Player tool.
“This may be the first malware that attempts to spread onto a virtual machine. Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed, so this may be the next leap forward for malware authors,” Symantec researcher Takashi Katsuki concludes.