In a WatchGuard Security Week in Review video from about three weeks ago, I highlighted a new cross-platform malware variant called Crisis, which could infect both Windows and Mac computers by using a Java vulnerability that affected both platforms. The cross-platform nature of this malware alone made it pretty unique and interesting. This week, Symantec uncovered new details about Crisis that make it even more impressive and scary, and that could represent a new evolutionary step for malware. In short, Crisis specifically targets and infects virtual machines.
According to Symantec’s blog post, when Crisis executes on a Windows computer, it searches the hard drive for VMware format virtual images. When it finds a VM image, it mounts the image and copies itself to the virtual machine, thus infecting it as well. Since virtual machines pretty much look identical to physical ones, malware has always been able to inadvertently infect virtual machines. However, this is the first time that I have seen malware that specifically targets and infects virtual images.
I think this is a pretty big deal in malware evolution. Unlike physical computers, virtual images get cloned, copied, and shared quite a bit. Often, IT administrators have pre-set virtual images they use as the base image whenever building a new virtual machine. If one of these base images got infected, you could inadvertently spread that infection to every new virtual image you spun up.
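One defensive check for the base-image scenario above, added here as an example and not taken from Symantec's analysis or any WatchGuard product: record SHA-256 hashes of powered-off template disk images while they are known clean, then flag any image that changes before it is cloned. The function names, the `.vmdk`-only filter and the JSON baseline file are assumptions of this example.

```python
import hashlib
import os

VM_DISK_EXTENSIONS = (".vmdk",)  # assumption: VMware disks only; extend for other formats

def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so multi-GB disk images are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(template_dir):
    """Map each disk image under template_dir (by relative path) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(template_dir):
        for name in files:
            if name.lower().endswith(VM_DISK_EXTENSIONS):
                full = os.path.join(dirpath, name)
                hashes[os.path.relpath(full, template_dir)] = hash_file(full)
    return hashes

def compare(baseline, current):
    """Report drift between a trusted baseline and the current state of the templates."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }

if __name__ == "__main__":
    import json
    import sys
    # Usage: <script> baseline <dir> <baseline.json>   or   <script> check <dir> <baseline.json>
    mode, template_dir, baseline_path = sys.argv[1:4]
    if mode == "baseline":
        with open(baseline_path, "w") as fh:
            json.dump(snapshot(template_dir), fh, indent=2)
    else:
        with open(baseline_path) as fh:
            drift = compare(json.load(fh), snapshot(template_dir))
        print(json.dumps(drift, indent=2))
        sys.exit(1 if any(drift.values()) else 0)  # non-zero exit means do not clone
```

This only makes sense for templates that stay powered off, since a running VM rewrites its disk constantly. Keep the baseline file somewhere the machines that hold the images cannot write to.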
Furthermore, many administrators haven’t yet implemented on their virtual networks the same security controls they have on their physical ones. This makes their virtual network a black hole, as far as visibility and security are concerned. One of my predictions this year was that SMBs’ increased adoption of virtualization technology would reawaken the need for virtual security solutions. Crisis’ new virtual spreading technique reinforces that prediction.
The good news is there are solutions out there. For instance, WatchGuard’s own XTMv and XCSv virtual appliances can deliver all the typical layers of security you use today to your virtual network.
Today’s malware authors use modular code and like to share. I suspect many other malware authors will adopt this new virtual image infection trick soon, and we will see them more aggressively target virtual machines. If you haven’t already implemented virtual security solutions, I recommend you do so soon. — Corey Nachreiner, CISSP (@SecAdept)
David Weston says
Corey,
I can appreciate that you need to promote your products but I really think you are stretching it here to imply that a virtual network appliance is going to keep a VM disk from being mounted.
David Weston
DBM Associates
The IT Department for Small Business
908-534-1665
Corey Nachreiner says
David,
Sorry for my late reply. I literally ran to the airport immediately after that post to catch a quick flight, and speak at a small conference. So I haven’t paid as much attention to comments as normal, due to being at that event.
Anyway. You are entirely correct that our virtualization products would NOT prevent this malware from mounting images and spreading. For that matter, our virtual product is vswitch network-based, not host-based… so it also wouldn’t help the virtual host from detecting the malware on it once you spun it up.
However, that wasn’t what I was trying to imply our virtual product did. My point was that virtual networks are a security black hole in our infrastructure. While I’m sure many organizations have security and visibility tools to detect attacks on physical networks (like IPS, AV, reputation tools, anomaly detection tools, etc.), they do not have those tools for their virtual networks. Thus as virtual machines are infected, they can’t detect the infections and attacks that happen on the virtual network (unless they come out to the physical network).
Once a VM that had been infected is spun up, that malware will start doing things like trying to contact its C&C, or using typical network spreading mechanisms (automated vulnerability scanning and exploitation, or just looking for open shares) to spread on the network — and in this case, it would be a virtual network (though, depending on your hypervisor config, it may eventually go out a physical interface too). If you don’t have virtual network security controls to see, report on, and block this sort of malicious traffic, lots of havoc would occur on your virtual network before you even knew it. That is the kind of thing that XTMv CAN help with.
Cheers,