Crisis malware threatens the virtualized environments

This is an hot summer under the malware perspective, we have spoken of new malware for cyber espionage and of new fraud schemas based on malicious software diffusion.

Many experts use to avoid malware diffusion making risky navigation and operations in a Virtual environment, a paradigm that is having a great diffusion in the last year also in every computer center due the great savings in terms of resources.

Today the many laboratory are totally based on virtualized machines, that is the miracle of last months that makes everybody happy … but what about their security? Are these environments really safe?

In this days is circulating on the web the news that a Windows version of the Crisis malware is able to infect VMware virtual machines.

The malware detect a VMware virtual machine image on the compromised hosts and it is able to mount it copying itself onto the image by using a VMware Player tool.

What is important is to clarify that the malware doesn’t exploit any vulnerability in the virtualization engine but uses the mechanism of storage as local files that could be manipulated by malicious applications.

Why we have no news in the past of infected virtual machines?

In many cases the malware designers implement a feature that make them inactive when the host is a virtual machine to avoid to be discovered and analyzed.

Takashi Katsuki of Symantec firm has explained on his blog post:

“Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed, so this may be the next leap forward for malware authors.

It also has the functionality to spread to Windows Mobile devices by dropping modules onto Windows Mobile devices connected to compromised Windows computers”

Crisis malware is an agent used to spy on victims intercepting every his communication, it is able to open a backdoor on the infected host once the user execute a Java archive (JAR) file made to look like an Adobe Flash Installer.

The malware has been developed for several OSs, last month a Mac version has been isolated.

The malware has a long history, one of the oldest version has been detected during the Arab Spring when it was spread to spy on journalists, the last usage discovery is the demonstration that it has been also adopted by groups of criminals with the intent to steal banking credentials.

Lysa Myers from Intego’s Mac Security Blog clarified that the malware could infect a virtual machine only once executed on infected host, outside of a virtual machine,  it’s not possible to infect any image of a virtual environment without compromising first the pc.

This characteristic makes the trojan harder to detect especially in absence of security protection on virtualized environment.

Resuming we have a malware that is able to infect four different environments such as Mac, Windows, virtual machines, and Windows Mobile and that represents an innovation for the way it spreads and for the targets it attacks … we must not underestimate it!

Pierluigi Paganini