A piece of malware that is able to spread onto virtual machines from the host operating system, record user actions and steal data has been detected.
Known as Crisis, the Trojan was first detected in July by security firm Intego and affects Mac OS X systems. Researchers from Symantec have also said they have discovered a worm-like version of Crisis that targets Windows.
Like the Mac version, this strain is installed on victims' machines when they visit a compromised website that pushes a malicious JAR file. Crisis then searches the infected system for a virtual machine image and, on finding one, can copy itself onto it by ‘mounting’ the virtual image.
Vikram Thakur, a principal security response manager at Symantec, told SC Magazine US that it contained features he had never seen before.
He said: “Whenever the virtual machine is actually turned on, the Crisis copy would also load at that point. A virtual machine on anybody's computer...is essentially one large file that can be loaded with, for example, VMware Player.
“What Crisis is doing is it gets on the host computer and looks around and says, ‘is there a VM file sitting around here somewhere?’ If it finds it, it uses the same tools [such as VMware Player] to mount [the virtual machine].”
Thakur said that malware usually avoids running in virtual environments because its authors fear it is being studied: virtual machines are a common place for researchers to conduct malware analysis, while average users rarely run them.
“Most Trojans bail when they detect a virtual machine, it's the other way around in this case. It has the capability and it wants to get on virtual machines,” he said.
However, he said that detections are in the low twenties and that the threat posed by Crisis is "extremely low".
Researchers at Intego first got their hands on the malicious code when a victim uploaded it to scanning portal VirusTotal.