When it was first discovered last month, researchers indicated the Crisis Trojan was a unique piece of malware in the way it can infiltrate both Windows- and Mac-based systems. It turns out that was only the beginning.
Symantec Corp. researchers said they have now discovered the Windows version of the Crisis Trojan can spread to Windows Mobile devices and VMware virtual machines. It's believed to be the first such instance of malware that can spread to a virtual machine in this way, indicating a possible new advance for malware writers.
The
Crisis Trojan was first reported by Bellevue, Wash.-based Apple platform security vendor Intego Inc. in July. It targets Apple and Windows users and installs a backdoor to record Internet usage and snatch confidential data. In a post this week on its Security Response blog, Cupertino, Calif.-based Symantec said the Windows version uses three methods to spread:
"One is to copy itself and an autorun.inf file to a removable disk drive, another is to sneak onto a VMware virtual machine, and the final method is to drop modules onto a Windows Mobile device."
The malware searches for a VMware virtual machine image on the compromised computer, mounts the image and copies itself onto the image using a VMware Player tool, wrote Takashi Katsuki, a software engineer at Symantec Security Response.
"It does not use a vulnerability in the VMware software itself," Katsuki wrote. "It takes advantage of an attribute of all virtualization software: namely that the virtual machine is simply a file or series of files on the disk of the host machine. These files can usually be directly manipulated or mounted, even when the virtual machine is not running, as is the case above.
"This may be the first malware that attempts to spread onto a virtual machine," Katsuki wrote. "Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed, so this may be the next leap forward for malware authors."
