Author Topic: Newest malware now able to target virtual machines? (Read 14873 times)

40hz · « **on:** August 24, 2012, 12:09 PM »

This just posted at Tom's Hardware (link here)

Crisis Believed to be First Malware Infecting Virtual Machines
12:20 PM - August 24, 2012 by Wolfgang Gruener - source: Symantec

Crisis, a previously detected trojan, has turned out to be much more sophisticated malware than originally described.

Instead of just infecting Macs, Crisis also infects Windows PCs as well as Windows Mobile devices and, for the first time, a VMware virtual machine. Security researchers originally believed that the malware was limited to simply monitoring the applications Adium, Firefox, Skype and MSN Messenger.

Crisis is distributed via social engineering and tricks a user into running a Java applet Flash installer. The malware then identifies the operating system and uses the respective executable file. The trojan is carried in a JAR (Java ARchive) file, which is based on the ZIP format and usually includes Java class files, metadata and resources in one file to distribute a Java application or Java libraries.

What makes Crisis interesting is that it appears to be specifically looking for virtualized environments and is therefore believed to be the first malware to spread onto a virtual machine.

Tech details can be found over at Symantec. (link here)

The threat searches for a VMware virtual machine image on the compromised computer and, if it finds an image, it mounts the image and then copies itself onto the image by using a VMware Player tool.
.
.
.
It does not use a vulnerability in the VMware software itself. It takes advantage of an attribute of all virtualization software: namely that the virtual machine is simply a file or series of files on the disk of the host machine. These files can usually be directly manipulated or mounted, even when the virtual machine is not running as is the case above.

This may be the first malware that attempts to spread onto a virtual machine. Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed, so this may be the next leap forward for malware authors.

Just one more thing to have to start looking for.

daddydave · « **Reply #1 on:** August 24, 2012, 12:28 PM »

What makes Crisis interesting is that it appears to be specifically looking for virtualized environments and is therefore believed to be the first malware to spread onto a virtual machine.

Looks like they left out an adverbial phrase there.

Renegade · « **Reply #2 on:** August 24, 2012, 12:32 PM »

Drunk post

Ok. You're smart. Really smart. No, like really mother ****ing smart. No, even beyond that... Like super-mother-****ing-smart...

So why the **** to you need to be such a ****ing c**t?

There will always be douche-wads as long as there are people... I have further nothing positive to say that isn't violent and disgusting.

I hate a**holes.

daddydave · « **Reply #3 on:** August 24, 2012, 12:47 PM »

Wow. That was to me? Okey-doke.

rgdot · « **Reply #4 on:** August 24, 2012, 12:51 PM »

^To the person who wrote the malware

As far as the topic itself, I am not surprised and not even sure how it hasn't happened earlier....

daddydave · « **Reply #5 on:** August 24, 2012, 12:53 PM »

Oh, oh. Thanks rgdot, I was confused there. Don't know why I thought it was to me. I'm definitely not that ^m(.*)f(.*) smart.

Stoic Joker · « **Reply #6 on:** August 24, 2012, 12:58 PM »

Crisis is distributed via social engineering and tricks a user into running a Java applet Flash installer.
-Article

Well that shouldn't be so bad, (set off Jar-chive attachment) hell only about 98% of the people on the internet will be dumb enough to fall for that...

Stoic Joker · « **Reply #7 on:** August 24, 2012, 01:05 PM »

Wow. That was to me? Okey-doke.
-daddydave (August 24, 2012, 12:47 PM)

OMFG I cannot stop laughing ... I'm almost in tears!

Oh, oh. Thanks rgdot, I was confused there. Don't know why I thought it was to me. I'm definitely not that ^m(.*)f(.*) smart.
-daddydave (August 24, 2012, 12:53 PM)

That should be pinned as the best miscommunication ever. However you handled it brilliantly I must say.

daddydave · « **Reply #8 on:** August 24, 2012, 01:20 PM »

What makes Crisis interesting is that it appears to be specifically looking for virtualized environments and is therefore believed to be the first malware to spread onto a virtual machine.

Looks like they left out an adverbial phrase there.
-daddydave (August 24, 2012, 12:28 PM)

Now that I realize Renegade didn't take this a grammar nazi type comment

What I meant by this is that they make it sound like make it sound like no virtual machine has ever had malware ever, which is obviously not true.

I would say something like "What makes Crisis interesting is that it appears to be specifically looking for virtualized environments and is therefore believed to be the first malware to spread onto a virtual machine by manipulating the files on the host machine" or something like that.

daddydave · « **Reply #9 on:** August 24, 2012, 02:01 PM »

This reminds me of why I am wary of dual boot set-ups. Someone could write a Windows virus to attack your Linux system files, or a Linux virus to attack your Windows system files. In either case any normal antivirus software would not be running.

Not sure if that exists in real life, either.

Stoic Joker · « **Reply #10 on:** August 24, 2012, 02:08 PM »

I was thinking this was the first exploit to be found in-the-wild that breaks the host guest barrier. It is a rather clever end-run around the sandbox.

40hz · « **Reply #11 on:** August 24, 2012, 03:04 PM »

This reminds me of why I am wary of dual boot set-ups. Someone could write a Windows virus to attack your Linux system files, or a Linux virus to attack your Windows system files. In either case any normal antivirus software would not be running.

Not sure if that exists in real life, either.
-daddydave (August 24, 2012, 02:01 PM)

I suppose you could create code that would copy something malicious onto an NTFS partition from the Linux side and still be fairly stealthy about it. Especially now that most distros include r/w support for Windows file systems by default.

But it would need to be fairly sophisticated in order to get its payload in ahead of the antimalware on the Windows side before Windows boots up. Not to say that you couldn't just nuke the Windows AV system (or all the Windows partitions for that matter while you were at it) since Linux ignores any Windows file security settings. (That's why a live Linux CD can be used to recover data off a password locked Windows disk.)

Hmm...

Romping on Linux from the Windows side would be a bit harder since Windows doesn't have any out-of-box ability to access NIX filesystems. Hardly an insurmountable problem. But it would be one more barrier to get past.

Probably the only way you could really protect yourself in that scenario would be to use full disk encryption on both systems.

superboyac · « **Reply #12 on:** August 24, 2012, 03:59 PM »

is full-disk encryption something that wouldn't be frustrating to use on a day to day basis?

jaden · « **Reply #13 on:** August 24, 2012, 04:29 PM »

is full-disk encryption something that wouldn't be frustrating to use on a day to day basis?
-superboyac (August 24, 2012, 03:59 PM)

I have to use full-disk encryption on a work laptop and for day-to-day use it means you have to type in the encryption passphrase before it can boot up, then it works as usual. In my case the laptop would frequently get stuck partway through loading the encryption screen and hang when I had the laptop in a docking station. Apart from that it hasn't been a nuisance.

One negative I've heard about is apparently when an encrypted drive fails there's little chance at recovering the data because even if you can read some sectors, they're all encrypted and meaningless. I don't if that's true or not.

barney · « **Reply #14 on:** August 24, 2012, 06:23 PM »

One negative I've heard about is apparently when an encrypted drive fails there's little chance at recovering the data because even if you can read some sectors, they're all encrypted and meaningless. I don't if that's true or not.
-jaden (August 24, 2012, 04:29 PM)

I wonder if you couldn't overcome that, to some extent, with a liveCD with TrueCrypt on it? (Assuming, of course that you'd used TrueCrypt to encrypt the disk.)

x16wda · « **Reply #15 on:** August 24, 2012, 07:34 PM »

I wonder if you couldn't overcome that, to some extent, with a liveCD with TrueCrypt on it? (Assuming, of course that you'd used TrueCrypt to encrypt the disk.)
-barney (August 24, 2012, 06:23 PM)

Depending on where the failure is, the device should be mountable on another machine with Truecrypt running. I've done that while testing, but unfortunately the disk didn't croak on me :-)

The usable lifespan of a broken disk is short enough, adding in the complexity and disk access to get the drive mounted might make it tougher to get anything off.

I could never convince my old company to use full disk encryption... even though I figured out how to work around users forgetting their boot password, the concensus was apparently the execs just didn't want to be bothered with another password...

barney · « **Reply #16 on:** August 24, 2012, 08:04 PM »

I wonder if you couldn't overcome that, to some extent, with a liveCD with TrueCrypt on it? (Assuming, of course that you'd used TrueCrypt to encrypt the disk.)
-barney (August 24, 2012, 06:23 PM)

Depending on where the failure is, the device should be mountable on another machine with Truecrypt running. I've done that while testing, but unfortunately the disk didn't croak on me :-)

The usable lifespan of a broken disk is short enough, adding in the complexity and disk access to get the drive mounted might make it tougher to get anything off.

I could never convince my old company to use full disk encryption... even though I figured out how to work around users forgetting their boot password, the concensus was apparently the execs just didn't want to be bothered with another password...
-x16wda (August 24, 2012, 07:34 PM)

Hee hee hee. Yeah, execs don't like interference ... turn it on, and it should work ... biggest problem I had when I was in the corporate world

.

About three (3) or four (4) decades ago, I had a desktop unit where the HDD gave out. It ran, but when the heads parked, they wouldn't unpark. So I removed four (4) screws and a cover, moved the heads with thumb & forefinger, put the cover and the screws back in place, and it ran like a charm. Did that for something like six (6) or eight ( 8 ) months before the drive totally died (probably because of contamination

). And I have two (2) drives right now that quit working, but I can still access 'em with an external connection. I've already pulled all the data off, I'm just hangin' on to 'em to see how much longer they'll last - goin' on two (2) years so far

.

Renegade · « **Reply #17 on:** August 24, 2012, 11:25 PM »

Wow. That was to me? Okey-doke.
-daddydave (August 24, 2012, 12:47 PM)

Ooops. Sorry. Had probably a few more than I should for posting. I meant that for the malware authors. (Need to have a breathalyzer on the post button.)

You have to be pretty darn smart to do that kind of thing, so why can't they do something productive instead of running around being destructive? Sigh... It's non-stop. All the time.

f0dder · « **Reply #18 on:** August 27, 2012, 04:51 AM »

This reminds me of why I am wary of dual boot set-ups. Someone could write a Windows virus to attack your Linux system files, or a Linux virus to attack your Windows system files. In either case any normal antivirus software would not be running.

Not sure if that exists in real life, either.
-daddydave (August 24, 2012, 02:01 PM)

It has been done, but pretty much just a proof of concept thing. Doesn't really make sense for a normal piece of malware, since the gains are extremely small and the code complexity quite a bit higher.

The usable lifespan of a broken disk is short enough, adding in the complexity and disk access to get the drive mounted might make it tougher to get anything off.
-x16wda (August 24, 2012, 07:34 PM)

Do what you always ought to do with a failing disk: make an image and salvage from that. It's less stressful to do a linear read from the beginning to the end rather than copying individual files that are likely to be scattered all over the disk...

Anyway, this vm-infecting thing is hardly a big deal. It's not a break-out of the vm. I find it kinda silly that this feature is included in a generic piece of malware, given that the gains for zombie-gathering purposes is pretty small.

For hitting specific targets it could be useful (infecting VMs that get mass distributd to the cloud, or images that are used for corporate roll-out), but in a generic piece of malware? Ho humm.

PS: vm-breakouts have been done, but tend not to make it into normal malware - again, the gains aren't big enough, and it makes the vendors aware of the exploit... makes much more sense to keep such an exploit private, and use it for high-profile targets

Jibz · « **Reply #19 on:** August 27, 2012, 11:17 AM »

Anyway, this vm-infecting thing is hardly a big deal. It's not a break-out of the vm. I find it kinda silly that this feature is included in a generic piece of malware, given that the gains for zombie-gathering purposes is pretty small.
-f0dder (August 27, 2012, 04:51 AM)

Actually my initial thought was that it was kind of clever. I agree that the target audience is rather small, but I would guess the code required to write something into a VM disk image in a file is not terribly complicated, and an action that is likely to not trigger too many alerts. And I don't know how many people use anti-virus and anti-malware inside their virtual machines, but if not, this could perhaps circumvent some of the security measures on your actual machine?

I mean of course it wouldn't have access to the outside machine, but it could communicate with the outside and possibly spread from the VM.