Research indicates that a there is a new virus on the loose. Dubbed “Crisis,” the malware is capable of spreading to four different platforms, including Windows, Mac OSX, Windows mobile devices, and VMware virtual machines.
Crisis was first labeled exclusively a Mac Trojan that generally tracked websites and recorded emails and instant message conversations. However, Integro and Symantec have both found that the virus targets Windows and OSX users and, surprisingly, virtual machines. “This may be the first malware that attempts to spread onto a virtual machine,” Katsuki, an employee at Symantec, wrote in a blog post Monday. “Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed, so this may be the next leap forward for malware authors.”
Crisis works by tricking computer users into installing a Java archive file that pretends to be an update to Adobe Flash. Once the virus has been installed, the malware identifies the machine’s OS and “adjusts” itself in the executable files as necessary.
Crisis then searches for a VMware virtual machine on the infected computer, and copies itself onto the image it finds using the VMware Player tool. The VMware Player tool allows for multiple operating systems to run on the same computer simultaneously. “It does not use a vulnerability in the VMware software itself,” the blog post from Symantec indicated. “It takes advantage of an attribute of all virtualization software: namely that the virtual machine is simply a file or series of files on the disk of the host machine. These files can usually be directly manipulated or mounted, even when the virtual machines is not running.”
The Windows “version” of Crisis can infect Windows phones that are connected to the computer at the time, however it cannot infect Android or iOS phones as of current.
Symantec says that they have active copies of the virus and are working on a solution currently.