Slashdot Mirror


Crisis Trojan Makes Its Way Onto Virtual Machines

Trailrunner7 writes "The Windows version of the Crisis Trojan is able to sneak onto VMware implementations, making it possibly the first malware to target such virtual machines. It also has found a way to spread to Windows Mobile devices. Samples of Crisis, also called Morcut, were first discovered about a month ago targeting Mac machines running various versions of OS X. The Trojan spies on users by intercepting e-mail and instant messenger exchanges and eavesdropping on webcam conversations. Launching as a Java archive (JAR) file made to look like an Adobe Flash Installer, Crisis scans an infected machine and drops an OS-specific executable to open a backdoor and monitor activity. This week, researchers also discovered W32.Crisis was capable of infecting VMware virtual machines and Windows Mobile devices."

13 of 49 comments

  1. err, A virtual machine is not a machine? by dudacgf · · Score: 2

    like anyone else? The attack surface is not the same as any other Windows physical machine? What is the point, there's an anti-virus vendor waiting to sell VMware-specific software?

    1. Re:err, A virtual machine is not a machine? by Sarten-X · · Score: 5, Informative

      Other way around: It can break into a VM from a Windows host. From TFA:

      The threat searches for a VMware virtual machine image on the compromised computer and, if it finds an image, it mounts the image and then copies itself onto the image by using a VMware Player tool.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    2. Re:err, A virtual machine is not a machine? by AvitarX · · Score: 2

      Also, I bet that oftentimes a non-privileged user can infect the privileged area of a VM set to be runnable by that user.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    3. Re:err, A virtual machine is not a machine? by RMingin · · Score: 2

      This is largely irrelevant and non-news. ESX/ESXi is not affected (bare metal, no host to infect), it only infects VMs running directly on a Windows box. That makes them almost certainly not production, just dev VMs, or most likely VMs set up to help bypass web filtering.

      The real interest here is that the infected VM can hang back, get missed by a virus search-and-destroy (by being off), then reinfect other hosts after admin thinks they're clean.

      --
      The preceding comment is my own, and in no way construes an opinion of the Emperor of Mankind.
    4. Re:err, A virtual machine is not a machine? by Jeremiah+Cornelius · · Score: 2

      OHHH NOES!

      Stuxnet targets USB DRIVES!!!!

      Really. It is about as relevant. The VMDK file is used to hitchhike.

      There's also 0% chance of this occurring on the real, VMware ESX - or vSphere stuff. It doesn't have an attached Windows instance to exploit.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
  2. Re:Viroses are good for you by denvergeek · · Score: 2

    I can't believe you like money too. We should hang out.

  3. Am I the first to make this joke? by gman003 · · Score: 5, Funny

    So as it turns out, yes, VMWare can run Crysis. Er, Crisis.

  4. Re:ah don't get it by crunch_ca · · Score: 2

    I imagine this might be of concern to shared hosting sites.

    Imagine your VM being infected just because the hosting server is infected. In most cases, even if a server is infected, the VM remains in a relatively clean state. Now, just because you're hosted on an infected server, you can get rooted.

  5. Re:ah don't get it by dave562 · · Score: 2

    Imagine if the machine is mapped to a network share where a team of developers store their VM images. Before this risk came out, the developers could be fairly certain that if a workstation was infected, they could just pick up another laptop and resume their work while IT re-images the infected machine.

    One of the key benefits of virtual machines in a development environment is the portability of the VM. You can fire it up on a laptop, work on it, and then later deploy it onto a 50 node cluster. Or you can set up a golden image VM and use that VM to clone out all other subsequent VMs.
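    The TFA excerpt Sarten-X quotes (the Trojan mounts a VMDK found on the host and copies itself in), RMingin's point that a powered-off VM can hang back and reinfect clean hosts, and dave562's shared golden-image scenario all come down to the same defensive need: knowing whether a dormant image file changed while nobody was supposed to be using it. The script below is an added example for this thread, not code from Slashdot, Symantec or VMware. It assumes images live in a directory tree, are identified by the `.vmdk`/`.vmx` suffixes, and that a SHA-256 baseline is taken when an image is known good (right after a golden image is built, with the VM powered off); the `demo()` scenario uses constructed stand-in files, not real VMDK content.

```python
"""Baseline-and-verify check for dormant VM image files (added example)."""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Assumption: these suffixes are enough to identify the image files worth tracking.
IMAGE_SUFFIXES = {".vmdk", ".vmx"}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a (possibly multi-GB) image through SHA-256 without loading it whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, dict]:
    """Map every image file under root (POSIX-style relative path) to size, mtime and hash."""
    result: dict[str, dict] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in IMAGE_SUFFIXES:
            st = p.stat()
            result[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": sha256_file(p),
            }
    return result


def save_baseline(root: Path, baseline_file: Path) -> None:
    """Record the known-good state; keep this file off the host being checked."""
    baseline_file.write_text(json.dumps(snapshot(root), indent=2, sort_keys=True))


def load_baseline(baseline_file: Path) -> dict[str, dict]:
    return json.loads(baseline_file.read_text())


def compare(baseline: dict[str, dict], current: dict[str, dict]) -> dict[str, list[str]]:
    """Report images that appeared, vanished, or whose content hash changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in set(baseline) & set(current)
        if baseline[name]["sha256"] != current[name]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tiny image store, then tamper with it offline."""
    root = Path(tempfile.mkdtemp(prefix="vmstore-"))
    try:
        (root / "dev").mkdir()
        # Constructed stand-ins: not real VMDK/VMX content.
        (root / "dev" / "golden.vmdk").write_bytes(b"KDMV" + b"\x00" * 64)
        (root / "dev" / "golden.vmx").write_text('displayName = "golden"\n')
        (root / "notes.txt").write_text("not an image, ignored\n")
        baseline_file = root / "baseline.json"  # .json is not tracked, so it never shows up as "added"
        save_baseline(root, baseline_file)

        # Simulated tampering while the VM is powered off: the disk image grows
        # by a few bytes and a stray image appears beside it.
        with (root / "dev" / "golden.vmdk").open("ab") as f:
            f.write(b"\xca\xfe")
        (root / "dev" / "stray.vmdk").write_bytes(b"KDMV")

        return compare(load_baseline(baseline_file), snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    Run `save_baseline` only while the VM is powered off, since a running guest legitimately rewrites its disk, and store the baseline somewhere the checked host cannot write (a read-only share or a separate box); a compromised host that can alter the VMDK can just as easily alter a baseline kept next to it. An unexpected `modified` or `added` entry on a dormant image is the cue to re-image from a clean golden copy rather than to scan and trust the guest.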

  6. Re:It's evolving... by tlhIngan · · Score: 2

    First Mac, then Windows... Windows Mobile... What if it mutates and becomes human-human transmissible??!!! SAVE US!!!

    I'm surprised it doesn't have adb and look for an attached Android phone to infect as well.

    Though, given it's multiplatform, it's also interesting that it skips out having a Linux vector - you'd think if you went to all the trouble of making a Mac OS X version, you'd also do Linux for not-very-much-more effort. Scanning for VMs on Linux and infecting those is also pretty profitable (especially if you go after VMware AND VirtualBox).

  7. Re:ok by EXrider · · Score: 4, Informative

    It only affects windows and mac systems. ESXi is Linux.

    ESXi is not Linux in and of itself, it is a Hypervisor. ESXi boots a minimal Linux kernel, which then loads vmkernel (the Hypervisor) along with some other virtualization components. After vmkernel is loaded, it takes direct control of the hardware and partitions the Linux kernel off into the first VM with a custom BusyBox shell (compiled for vmkernel support) as the Service Console. While the vmkernel does utilize a proc filesystem and some modified Linux kmods for third-party device driver support, it in and of itself is a microkernel and does not nearly contain all of the Linux APIs. It has very few ways to communicate with the outside world, one of them being the Service Console itself. But you can literally crash (and reboot) or CPU bound the Service Console up completely and have little to no effect on the other VMs running on that host.

    ESX did contain a mostly complete Linux distro that was also cast off into a guest VM after vmkernel loaded. This Service Console was based off of RHEL, but they've abandoned ESX support in the latest versions of their Hypervisor releases and it will eventually be EOL.

    --
    grep -iw skynet /etc/services
  8. Oh no, not Windows Mobile! by epp_b · · Score: 3, Funny

    This will be disastrous for tens of people!

  9. Re:ok by mysidia · · Score: 2

    ESXi boots a minimal Linux kernel, which then loads vmkernel (the Hypervisor) along with some other virtualization components.

    No... there is no "Linux" kernel that ESXi contains, as the service console was completely removed, there is only the VMkernel; there are some superficial similarities between the Tech support ESXi shell and a Linux shell, much in the same way as there are some superficial similarities between a command shell interface on AIX and Linux.

    However, the VMkernel contains components that are derived from Linux, such as the driver system, and various drivers, so you could legitimately say that ESXi is a mixture of Linux code and some proprietary code in the same package.