Researchers are analysing a rare piece of malware that can spread onto virtual machines from the host operating system.
The Crisis trojan was detected in July by security firm Intego affecting Mac OS X systems. It was capable of recording keystrokes, webcams, tracking web traffic, taking screenshots and stealing data.
Now Symantec researchers have discovered a worm-like version of the trojan that targets Windows. Like the Mac version, this strain was installed onto victims' machines if they visited a compromised website that pushed a malicious JAR file.
Crisis then would search its target system for a virtual machine component and could make a copy of itself so it can "mount" the virtual image.
"Whenever the virtual machine is actually turned on, the Crisis copy would also load at that point," Symantec principal security response manager Vikram Thadkur told SC.
He said the trojan contains features he has never seen before.
"A virtual machine on anybody's computer...is essentially one large file which can be loaded with, for example, VMware Player," Thadkur said. "What Crisis is doing is it gets on the host computer and looks around and says, 'is there a VM file sitting around here somewhere?' If it finds it, it uses the same tools [such as VMware Player] to mount [the virtual machine]."
Normally malware purposely avoided running in virtual environments because its authors feared it would be studied. VMs are a common place for researchers to conduct malware analysis, but average users rarely run them, Thadkur said.
"Most trojans bail when they detect a virtual machine," he said. "It's the other way around in this case. It has the capability and it wants to get on virtual machines."
The threat of Crisis is "extremely low," he said, and researchers have reportedly spotted only a couple dozen infections.
That may be due to its apparent link between Crisis and a commercial malware package sold by Italy-based Hacker Team.
According to its website, the company's Remote Control System is only sold to government and law enforcement agencies and is "designed to evade encryption by means of an agent directly installed on the device to monitor."
Researchers at Intego first got their hands on the malicious code when a victim uploaded it to scanning portal VirusTotal. It appears the trojan was targeting "a group of independent Moroccan journalists who received an award from Google for their efforts during the Arab Spring revolution," researchers said in a July 26 blog post.