
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Crisis Malware Specifically Targets Virtual Machines

August 22, 2012 By Corey Nachreiner

In a WatchGuard Security Week in Review video from about three weeks ago, I highlighted a new cross-platform malware variant called Crisis, which could infect both Windows and Mac computers by using a Java vulnerability that affected both platforms. The cross-platform nature of this malware alone made it unusual and interesting. This week, Symantec uncovered new details about Crisis that make it even more impressive and scary, and that could also represent a new evolutionary step for malware. In short, Crisis specifically targets and infects virtual machines.

According to Symantec’s blog post, when Crisis executes on a Windows computer it searches the hard drive for VMware-format virtual machine images. When it finds one, it mounts the image and copies itself into the guest’s file system, infecting that virtual machine as well. Note what this implies: the image is modified from the host side, while the guest is not running, so no antivirus or other control inside the guest ever sees the infection happen. Because a virtual machine looks almost identical to a physical one from the inside, malware has always been able to infect virtual machines inadvertently. This is, however, the first time I have seen malware that specifically targets and infects virtual machine images.

I think this is a big deal in malware evolution. Unlike physical computers, virtual images get cloned, copied, and shared a great deal. IT administrators often keep pre-built virtual images and use them as the base image whenever they build a new virtual machine. If one of those base images is infected, every new virtual machine you spin up from it inherits the infection. Treat base images like any other trusted artifact: keep them read-only where you can, and verify their hashes against a known-good baseline before cloning them.
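As an added example for the two paragraphs above (this is not code from the original post, from WatchGuard, or from Symantec’s write-up), the following Python script baselines a directory of VMware images and re-verifies it later: it hashes every .vmdk file plus every extent file that a VMDK descriptor references, then reports anything added, removed, or modified since the baseline, so a base image that was altered on disk the way Crisis alters it stands out before the image is cloned. The descriptor grammar it parses (`RW 4192256 SPARSE "disk-s001.vmdk"` lines under a `# Disk DescriptorFile` banner) is VMware’s documented split-disk format; the sample image tree it builds is constructed for the demonstration, and the manifest file name and command names are my own choices.

```python
"""Baseline and re-verify VMware disk images (.vmdk) so that a base image
modified on disk is noticed before it is cloned.

Added example for this post; not WatchGuard's or Symantec's code.
Assumes only the standard library and VMware's documented descriptor layout.
"""
import argparse
import hashlib
import json
import os
import re
import tempfile
from pathlib import Path

# Extent lines in a VMDK descriptor, e.g.
#   RW 4192256 SPARSE "disk-s001.vmdk"
#   RW 8388608 FLAT "disk-flat.vmdk" 0
EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"', re.M)

# Constructed sample descriptor (two 2 GB sparse extents); not a real image.
SAMPLE_DESCRIPTOR = """# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="twoGbMaxExtentSparse"

# Extent description
RW 4192256 SPARSE "base-s001.vmdk"
RW 4192256 SPARSE "base-s002.vmdk"

# The Disk Data Base
#DDB
ddb.virtualHWVersion = "4"
"""


def parse_vmdk_descriptor(text: str) -> list[str]:
    """Return the extent file names a VMDK descriptor references, in order."""
    return [m.group(4) for m in EXTENT_RE.finditer(text)]


def is_descriptor(path: Path) -> bool:
    """Split-disk descriptors are small text files with this banner; monolithic
    sparse images start with binary magic and are simply hashed as a whole."""
    try:
        with path.open("rb") as f:
            return f.read(32).startswith(b"# Disk DescriptorFile")
    except OSError:
        return False


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root) -> dict[str, str]:
    """Map every .vmdk under root, plus every extent a descriptor names, to its
    SHA-256.  Extents resolve relative to the descriptor's directory, which is
    where VMware writes them; a referenced extent that is absent is recorded as
    MISSING, since a removed or renamed extent is itself a change."""
    root = Path(root)
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*.vmdk")):
        manifest[path.relative_to(root).as_posix()] = sha256_file(path)
        if is_descriptor(path):
            for extent in parse_vmdk_descriptor(path.read_text(errors="replace")):
                ext = path.parent / extent
                key = os.path.relpath(ext, root).replace(os.sep, "/")
                manifest[key] = sha256_file(ext) if ext.is_file() else "MISSING"
    return manifest


def compare(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Paths that appeared, disappeared or changed since the recorded baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def build_constructed_sample(root) -> None:
    """Write a fake split VMDK (descriptor + two extents) for a demonstration."""
    root = Path(root)
    (root / "base.vmdk").write_text(SAMPLE_DESCRIPTOR)
    (root / "base-s001.vmdk").write_bytes(b"\x00" * 4096)
    (root / "base-s002.vmdk").write_bytes(b"\x00" * 4096)


def demo() -> dict[str, list[str]]:
    """Baseline a constructed template, tamper with one extent the way a
    host-side infection would, and return what verification reports."""
    with tempfile.TemporaryDirectory() as d:
        build_constructed_sample(d)
        before = baseline(d)
        # Simulate malware writing into an extent of the powered-off image.
        with (Path(d) / "base-s001.vmdk").open("ab") as f:
            f.write(b"<dropped payload>")
        return compare(before, baseline(d))


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="VMDK integrity baseline")
    ap.add_argument("action", choices=["record", "verify", "demo"])
    ap.add_argument("root", nargs="?", default=".")
    ap.add_argument("manifest", nargs="?", default="vmdk-baseline.json")
    a = ap.parse_args()
    if a.action == "demo":
        print(json.dumps(demo(), indent=2))
    elif a.action == "record":
        Path(a.manifest).write_text(json.dumps(baseline(a.root), indent=2))
    else:
        report = compare(json.loads(Path(a.manifest).read_text()), baseline(a.root))
        print(json.dumps(report, indent=2))
        raise SystemExit(1 if any(report.values()) else 0)
```

Run `record` once against a freshly built template store and `verify` before every clone; a non-empty report exits non-zero so it can gate an automated provisioning job. A hash check of this kind catches host-side tampering with the image file, which is exactly Crisis’ trick, but it says nothing about malware that was already inside the guest when the baseline was taken, so take the baseline from an image you built yourself, not one that has been in circulation.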

Furthermore, many administrators have not yet implemented on their virtual networks the same security controls they have on their physical ones. This makes the virtual network a black hole as far as visibility and security are concerned. One of my predictions this year was that SMBs’ increased adoption of virtualization technology would reawaken the need for virtual security solutions. Crisis’ new virtual spreading technique reinforces that prediction.

The good news is that there are solutions out there. For instance, WatchGuard’s own XTMv and XCSv virtual appliances can deliver the typical layers of security you use today to your virtual network. Keep in mind what a network appliance can and cannot do here: it inspects traffic between virtual machines, but it does not stop an infected host from mounting and modifying an image file on disk (see the exchange in the comments below).

Today’s malware authors use modular code and like to share. I suspect many other malware authors will adopt this virtual-image infection trick soon, and we will see them target virtual machines more aggressively. If you haven’t already implemented virtual security solutions, I recommend you do so soon. — Corey Nachreiner, CISSP (@SecAdept)


Filed Under: Uncategorized. Tagged With: Malware, Morcut, Virtualization, VMware, XTMv, XCSv, virtual security

Comments

  1. David Weston says

    August 22, 2012 at 1:55 pm

    Corey,

    I can appreciate that you need to promote your products but I really think you are stretching it here to imply that a virtual network appliance is going to keep a VM disk from being mounted.

    David Weston
    DBM Associates
    The IT Department for Small Business
    908-534-1665

    • Corey Nachreiner says

      August 24, 2012 at 9:18 am

      David,

      Sorry for my late reply. I literally ran to the airport immediately after that post to catch a quick flight, and speak at a small conference. So I haven’t paid as much attention to comments as normal, due to being at that event.

      Anyway. You are entirely correct that our virtualization products would NOT prevent this malware from mounting images and spreading. For that matter, our virtual product is vswitch network-based, not host-based… so it also wouldn’t help the virtual host detect the malware on it once you spun it up.

      However, that wasn’t what I was trying to imply our virtual product did. My point was that virtual networks are a security black hole in our infrastructure. While I’m sure many organizations have security and visibility tools to detect attacks on physical networks (like IPS, AV, reputation tools, anomaly detection tools, etc.), they do not have those tools for their virtual networks. Thus, as virtual machines are infected, they can’t detect the infections and attacks that happen on the virtual network (unless they come out to the physical network).

      Once an infected VM is spun up, that malware will start doing things like trying to contact its C&C, or using typical network spreading mechanisms (automated vulnerability scanning and exploitation, or just looking for open shares) to spread on the network — and in this case, it would be a virtual network (though, depending on your hypervisor config, it may eventually go out a physical interface too). If you don’t have virtual network security controls to see, report on, and block this sort of malicious traffic, lots of havoc would occur on your virtual network before you even knew it. That is the kind of thing that XTMv CAN help with.

      Cheers,

