Malware crisis for virtual machines

Apart from virtual machines, Symantec has discovered that it can drop from an infected Windows device onto a connected Windows Mobile device. It’s not yet sure whether Android or iPhone devices can be similarly infected, but is conducting further analysis.

However, the ability to spread to VMware is new. It doesn’t rely on a vulnerability in VMware but on the nature of all virtual machines: ultimately each one is just a file or series of files on the disk of the host machine. Crisis looks for a VMware virtual machine image on the infected host computer. If it finds one, it mounts the image and then copies itself onto the image by using a VMware Player tool.

Because the virtual machine is just files, it doesn’t even have to be running to get infected – the files can usually be directly manipulated or mounted while the virtual machine is powered off. Researchers have become accustomed to malware trying to hide from virtual machines, because virtual machines are what they use to analyze malicious code. Crisis reverses this behavior.
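One defensive check that follows from this, as an added example (not the article’s or Symantec’s code): hash a guest’s files on the host after a clean shutdown and alert if any of them change before the next legitimate power-on, since a powered-off VM has no reason to see its disk image rewritten. The suffix list, file names and file contents below are constructed for illustration.

```python
import hashlib
import os
import tempfile

VM_FILE_SUFFIXES = (".vmdk", ".vmx", ".nvram")  # constructed list of VMware guest files


def hash_file(path, chunk=1 << 20):
    """SHA-256 of a file, streamed so multi-GB disk images do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(vm_dir):
    """Record the hash of every guest file; run right after a clean shutdown."""
    return {name: hash_file(os.path.join(vm_dir, name))
            for name in sorted(os.listdir(vm_dir))
            if name.endswith(VM_FILE_SUFFIXES)}


def check(vm_dir, saved):
    """Compare the powered-off guest's files to the baseline; return findings."""
    current = baseline(vm_dir)
    findings = []
    for name in sorted(set(saved) | set(current)):
        if name not in current:
            findings.append(("missing", name))
        elif name not in saved:
            findings.append(("added", name))
        elif saved[name] != current[name]:
            findings.append(("modified", name))   # changed while the VM was off
    return findings


def demo():
    """Constructed scenario: a powered-off guest whose disk image is written to."""
    with tempfile.TemporaryDirectory() as vm_dir:
        for name, data in (("guest.vmx", b'config.version = "8"\n'),
                           ("guest.vmdk", b"\x00" * 4096)):
            with open(os.path.join(vm_dir, name), "wb") as f:
                f.write(data)
        saved = baseline(vm_dir)
        # Simulate an out-of-band write to the disk image while the VM is off.
        with open(os.path.join(vm_dir, "guest.vmdk"), "ab") as f:
            f.write(b"constructed marker")
        return check(vm_dir, saved)
```

In practice the baseline would be stored outside the host (the host is the compromised party in this scenario) and the check run before each power-on or on a schedule.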

What is not clear, however, is whether this behavior is specifically intended to target the virtual machines of malware researchers – in which case we have to wonder why – or whether it is the first signs of serious attempts to colonize the growing number of virtual installations.

SecurityWatch makes an interesting observation here. “There are hints that Crisis originally began life as part of a commercial malware package sold mostly in the US and Europe before being packaged for hacker forums. The company behind the commercial version, Remote Control System DaVinci, targets the software for government surveillance, Myers [Lisa Myers of Intego] wrote. Priced at 200,000 Euros, it's unlikely Crisis will be ever used in anything other than targeted attacks, she said.”

This lends weight to both possibilities. Either the ‘target’ is one or more security researchers, or it is the first attempt by malware writers to target specific businesses or government departments that operate with a virtualized infrastructure. Either way, says Symantec, it may be “the next leap forward for malware authors.”
