Attacks/Breaches
8/21/2012
08:45 AM
50%
50%

Crisis Financial Malware Spreads Via Virtual Machines

Malicious code, disguised as a VeriSign-approved Adobe Flash installer, affects Macs, Windows PCs, and Windows Mobile devices.

The recently discovered Crisis financial malware can spread using capabilities built into VMware virtual machines.

Also known as Morcut, the malicious rootkit--spread via an installer that's disguised as an Adobe Flash Player installer--was first discovered last month by antivirus vendor Kaspersky, which found it targeting Apple OS X systems. But the installer, which is a Java archive (a.k.a. JAR) file--dubbed Maljava by Symantec--that claims to have been signed by VeriSign, also includes the ability to infect Windows machines with the Crisis rootkit.

"The JAR file contains two executable files for both Mac and Windows. It checks the compromised computer's [operating system] and drops the suitable executable file," said Takashi Katsuki, a software engineer at Symantec Security Response, in a blog post. "Both these executable files open a back door on the compromised computer."

[ Security researchers, take note: Google Ups Bug Bounties Amid Booming Exploit Market. ]

Crisis includes multiple Windows-only features and propagation techniques. Notably, on Windows systems, "the threat uses three methods to spread itself: one is to copy itself and an autorun.inf file to a removable disk drive, another is to sneak onto a VMware virtual machine, and the final method is to drop modules onto a Windows Mobile device," said Katsuki.

But he emphasized that the malware doesn't spread using a flaw in the VMware virtual machine software. Rather, "it takes advantage of an attribute of all virtualization software: namely, that the virtual machine is simply a file or series of files on the disk of the host machine," he said. "These files can usually be directly manipulated or mounted, even when the virtual machine is not running."

According to Symantec, this is the first-known example malware that attempts to propagate via a virtual machine. "Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed, so this may be the next leap forward for malware authors," said Katsuki.

But as noted, the malware can spread not only via Windows, Apple OS X, and virtual machines, but also by dropping attack modules onto any Windows Mobile devices that are connected to a Windows PC. To do so, Crisis employs the Windows remote application programming interface (RAPI), which doesn't work on Android or iPhone devices. But Symantec said that while it's seen this capability in the malware, it has yet to recover any of the actual Windows Mobile attack modules.

The revelations over the additional Crisis capabilities reinforce that the malware--which offers spyware that can capture keystrokes in browsers and instant messaging clients, and which uses a rootkit that can survive reboots--has been professionally designed, apparently to steal people's personal financial information.

Interestingly, according to Internet discussion boards, the malware may have started life as the Remote Control System, which is information security software developed and sold by the Italian HackingTeam group. According to the company's website, the software is only sold to law enforcement and government agencies.

But the malware appears to have been at least repackaged for sale on hacker forums, according to a blog post from researcher Sergey Golovanov at Kaspersky Lab.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "I've seen worse.  Last week Tim had a dragon."
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.