Crisis Malware Specifically Targets Virtual Machines

In a WatchGuard Security Week in Review video from about three weeks ago, I highlighted a new cross-platform malware variant called Crisis, which could infect both Windows and Mac computers by using a Java vulnerability that affected both platforms. The cross-platform nature of this malware alone made it pretty unique and interesting. This week, Symantec has uncovered new details about Crisis, which makes it even more impressive and scary; and could also represent an evolutionary new step  for malware. In short, Crisis specifically targets and infects virtual machines.

According to Symantec’s blog post, when Crisis executes on a Windows computer, it searches the hard drive for VMware format virtual images. When it finds a VM image, it mounts the image and copies itself to the virtual machine, thus infecting it as well. Since virtual machines pretty much look identical to physical ones, malware has always been able to inadvertently infect virtual machines. However, this is the first time that I have seen malware that specifically targets and infects virtual images.

I think this is a pretty big deal in malware evolution. Unlike physical computers, virtual images get cloned, copied, and shared quite a bit. Often, IT administrators have pre-set virtual images they use as the base image whenever building a new virtual machine. If one of these base images got infected, you could inadvertently spread that infection to every new virtual image you spun up.

Furthermore, many administrators haven’t yet implemented the same security controls they have on their physical networks, on their virtual ones. This makes their virtual network a black hole, as far as visibility and security are concerned. One of my predictions this year was that SMB’s increased adoption of virtualization technology would reawaken the need for virtual security solutions. Crisis’ new virtual spreading technique reinforces that prediction.

The good news is there are solutions out there. For instance, WatchGuard’s own XTMv and XCSv virtual appliances can deliver all the typical layers of security you use today to your virtual network.

Today’s malware authors use modular code and like to share. I suspect many other malware authors will adopt this new virtual image infection trick soon, and we will see them more aggressively target virtual machines. If you haven’t already implemented virtual security solutions, I recommend you do so soon. — Corey Nachreiner, CISSP (@SecAdept)