Crisis Financial Malware Spreads Via VMs

The recently discovered Crisis financial malware can spread into VMware virtual machines.

The malware is also known as Morcut, or simply as the malicious rootkit.  Morcut is spread via an installer disguised as an Adobe Flash Player installer.  It was first found last month by Kaspersky, who observed it attacking Macintosh OS X computers.  The installer is a Java archive (JAR) that AV vendor Symantec calls Maljava.  The archive appears to have been signed by VeriSign.  The Java archive can also infect Windows machines with the Crisis rootkit.

The Java archive contains two programs, one for OS X and one for Windows.  The appropriate executable is dropped on the machine depending on which operating system it is running.  The dropped executable opens a back door into the infected computer.

The Crisis malware includes some Windows-only features and propagation techniques.  On Windows systems the threat copies itself, together with an autorun.inf file, to any attached removable disk (USB thumb drive, etc.).

Another method it uses is to install itself onto a VMware virtual machine.  The last method may be the scariest of them all: it tries to install itself onto Windows Mobile devices.

Many pieces of malware refuse to run when they detect that they are inside a VM, but this is the first one I have heard of that tries to distribute itself via VMs.  According to research from Symantec, the malware does not jump into VMs through some security hole or flaw in VMware; instead it writes directly to the files that make up the VM image.
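Because the malware writes into the guest's image files from the host rather than exploiting VMware, a powered-off guest whose disk or config files change on the host is a red flag. The following is an added example (not code from the original post or from Symantec) of a host-side hash baseline for a VM directory; the file suffixes, the directory layout and the tampering scenario in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: standard on-disk VMware file types; extend for your environment.
VM_IMAGE_SUFFIXES = {".vmdk", ".vmx", ".vmsd", ".vmxf", ".nvram"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so multi-GB .vmdk files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(vm_dir: Path) -> dict:
    """Map relative path -> sha256 for every VM image file under vm_dir."""
    return {
        str(p.relative_to(vm_dir)): hash_file(p)
        for p in sorted(vm_dir.rglob("*"))
        if p.is_file() and p.suffix.lower() in VM_IMAGE_SUFFIXES
    }


def compare(baseline: dict, current: dict) -> dict:
    """Files whose hash changed since the baseline, plus files that appeared or vanished."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake powered-off guest, then tamper with its disk."""
    with tempfile.TemporaryDirectory() as tmp:
        vm_dir = Path(tmp)
        (vm_dir / "guest.vmx").write_text('displayName = "guest"\n')
        (vm_dir / "guest.vmdk").write_bytes(b"\x00" * 4096)            # stand-in disk image
        baseline = json.loads(json.dumps(snapshot(vm_dir)))            # as if loaded from a saved baseline
        (vm_dir / "guest.vmdk").write_bytes(b"\x00" * 2048 + b"XXXX")  # image edited while guest is off
        (vm_dir / "guest-000001.vmdk").write_bytes(b"extra")           # unexpected new disk file
        return compare(baseline, snapshot(vm_dir))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be taken right after a clean power-off and re-checked before the next power-on, or fed into the host's file-integrity monitoring.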

As I learn more I will keep this post updated.