Newly Detected Crisis Virus Infects Windows, Macs and Virtual Machines

The malicious Java executable, which hasn't been observed in the wild, spreads not only among Windows machines, but includes code to infect Macs and VMware virtual machines.

A computer virus that aims to infect Windows machines and steal data can also opportunistically infect Apple's Mac OS X and VMware virtual machines, security firms said this week.

The malware, called Crisis, can spread through the autorun functionality of removable disk drives, install components on Windows Mobile devices and copy itself to virtual machine instances. The latter functionality is the most interesting, because malware typically attempts to avoid virtual machines, as attackers worry that any computers running the technology are generally owned by security analysts looking to reverse engineer malicious software, says Vikram Thakur, principal security response manager for Symantec.

"When attackers detect a virtual-machine instance, they (typically) turn themselves off," he said. "This is a case where the position is totally switched around. They want to run in the virtual machine."

When Crisis runs on a Windows system, it treats any virtual-machine instance as a file system, mounts it as a drive,and then copies itself into VM instance. The next time the virtual machine is run, it will be infected with Crisis, according to an analysis published by Symantec on Aug. 20.

"The functionality to mount a virtual machine ... is often used to patch VM images," said Thakur. "It is a functionality; it is not a bug."

The ultimate mission of the Crisis malware is to install a backdoor and request commands from a server at a specific Internet address. On Mac OS X, the malicious code installs itself as either a user, or-if possible-an administrator. On both Windows and Mac systems, the program will monitor and record activities in several instant messaging programs-such as Adium and Skype as well as popular browsers. The information is then sent back to the command-and-control server.

The program is not currently spreading. Antivirus researchers obtained copies of the malware from VirusTotal, but it's not clear where the program originated.

"This threat has not yet been found in the wild, and so far there is no indication that this Trojan has infected users. So right now the threat is considered to be a low risk," Mac security firm Intego stated in an initial analysis of the threat posted on July 25.

While analysts discovered the malware's ability to infect Mac OS X and Windows systems in July, analysts only recently clarified the connection between Crisis and its ablity to infect VMware virtual machines.

Crisis is written in Java and packed as a Java archive. The archive contains two executable files: One of Windows systems and the other for the Mac OS X. After it detects the victim's operating system, it installs the appropriate version of the backdoor. On a Mac, the program only has backdoor functionality and does not spread, while on Windows the malware has virus functionality, Symantec stated in its analysis.

The Crisis malware only works on Mac OS X 10.6 and 10. 7, not the latest version of the operating system released in July. On the Windows Mobile platform, Crisis attempts to install components through the Remote Application Programming Interface (ROPI).

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...