
Crisis Trojan Makes Its Way Onto Virtual Machines

Posted by Soulskill
from the virtual-security dept.
Trailrunner7 writes "The Windows version of the Crisis Trojan is able to sneak onto VMware implementations, making it possibly the first malware to target such virtual machines. It also has found a way to spread to Windows Mobile devices. Samples of Crisis, also called Morcut, were first discovered about a month ago targeting Mac machines running various versions of OS X. The Trojan spies on users by intercepting e-mail and instant messenger exchanges and eavesdropping on webcam conversations. Launching as a Java archive (JAR) file made to look like an Adobe Flash Installer, Crisis scans an infected machine and drops an OS-specific executable to open a backdoor and monitor activity. This week, researchers also discovered W32.Crisis was capable of infecting VMware virtual machines and Windows Mobile devices."
  • like anyone else? The attack surface is not the same as any other Windows physical machine? What is the point, there's an anti-virus vendor waiting to sell VMware-specific software?
    • by EmagGeek (574360)

      According to the article, the malware looks for virtual machine files on the host PC (for example a windows box running VMWare Player) and mounts the image. It then adds itself to the image.

      This is not a vulnerability in VMWare Player or ESXi. It's just a better mousetrap that mounts virtual hard disks and infects them.
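
A defender-side check that follows from the mechanism EmagGeek describes, added here as an example and not code from the thread, from VMware, or from any vendor: a guest's disk image should only change while that guest is running, so a baseline of the image files taken while the VM is powered off, compared again before the next power-on, exposes a write made from the host in between. The directory layout, file names and extension list in the script are assumptions for illustration.

```python
"""Added example (not from the thread): spotting offline changes to VM disk images.

If host-resident malware mounts a guest's disk image and writes into it, the
image file changes while the VM is powered off, which should never happen.
This script records a baseline (SHA-256, size, mtime) of every image file
under a directory and reports what changed on a later run. The directory
layout, file names and extension list are assumptions for illustration.
"""
import hashlib
import json
import os
import tempfile

# Common virtual disk extensions; extend for your hypervisor (assumption).
IMAGE_SUFFIXES = (".vmdk", ".vdi", ".qcow2", ".vhd", ".vhdx")


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so multi-GB images are not loaded into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {sha256, size, mtime} for each image file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(IMAGE_SUFFIXES):
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                baseline[os.path.relpath(path, root)] = {
                    "sha256": sha256_of(path),
                    "size": st.st_size,
                    "mtime": st.st_mtime,
                }
    return baseline


def compare(old, new):
    """Return added, removed and content-modified image paths between two baselines."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(
            p for p in old_keys & new_keys if old[p]["sha256"] != new[p]["sha256"]
        ),
    }


def save_baseline(baseline, path):
    """Persist the baseline; keep it where the host's ordinary users cannot write."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a fake VM folder, alter the image, re-check."""
    with tempfile.TemporaryDirectory() as root:
        vm_dir = os.path.join(root, "BankingVM")
        os.makedirs(vm_dir)
        disk = os.path.join(vm_dir, "BankingVM.vmdk")
        with open(disk, "wb") as f:
            f.write(b"\x00" * 4096)  # constructed stand-in for a powered-off guest disk
        baseline_file = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(root), baseline_file)

        # Simulate a write into the image while the VM is not running.
        with open(disk, "r+b") as f:
            f.seek(1024)
            f.write(b"offline modification")

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Run the baseline at guest shutdown and the comparison just before the next power-on; a running VM rewrites its own disk, so a comparison taken mid-session is noise. The check only raises the bar: anything with admin rights on the host can rewrite the baseline file too, which is the host-surface point made elsewhere in this thread, so store the baseline off-host or sign it.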

    • by Sarten-X (1102295)
      The attack surface of a VM is (surface of the guest) + (surface of the host). In this case, an infected Windows host can infect a VM image residing there.
      • by AvitarX (172628)

        Also, I bet that oftentimes a non-privileged user can infect the privileged area of a VM set to be runnable by that user.

        • by mysidia (191772)

          If the user has physical access to a machine, then they have privileged access to that machine, and every virtual machine and local software run on that physical machine while they have physical access to it.

          • by AvitarX (172628)

            Yes, the user (the person) obviously does, but that does not necessarily imply that the user (the account) does.

            I think the risk is that the user account essentially has physical access to the virtual machine. I've read many a post here recommending all banking be done from a virtual machine that only goes to a bank's website. This malware demonstrates why that's poor advice by taking advantage of software's "physical" access to a machine.

            • by mysidia (191772)

              This malware demonstrates why that's poor advice by taking advantage of software's "physical" access to a machine

              A keylogger on the host can still capture keystrokes sent to a guest VM.

              It's sound advice, but missing an important additional proviso:

              In addition to doing banking in a banking VM, the web browser on the host, and all software other than virtualization software, should be disabled and removed.

              A new separate Virtual machine should be created for all non-Banking activity.

              Any program r

  • First Mac, then Windows... Windows Mobile... What if it mutates and becomes human-human transmissible??!!! SAVE US!!!

    • by tlhIngan (30335)

      First Mac, then Windows... Windows Mobile... What if it mutates and becomes human-human transmissible??!!! SAVE US!!!

      I'm surprised it doesn't have adb and look for an attached Android phone to infect as well.

      Though, given it's multiplatform, it's also interesting that it skips out on having a Linux vector - you'd think if you went to all the trouble of making a Mac OS X version, you'd also do Linux for not-very-much-more effort. Scanning for VMs on Linux and infecting those is also pretty profitable (especiall

  • +1 to redundancy in the summary

  • Presumably this means that the affected host systems must have Java installed. Seems to me a brilliant example of the "Write Once, Run Anywhere" paradigm!
  • by gman003 (1693318) on Wednesday August 22, 2012 @05:00PM (#41086543)

    So as it turns out, yes, VMWare can run Crysis. Er, Crisis.

  • by epp_b (944299) on Wednesday August 22, 2012 @09:58PM (#41089767)
    This will be disastrous for tens of people!
    • by mysidia (191772)

      This will be disastrous for tens of people!

      I believe you may be in error on that.... last I heard, the remaining 10 people using Windows Mobile have since been assimilated, and joined Ballmer's army of Windows-using (formerly human) Zombies; as a result, the total count of the mobile users affected who are people is 0.
