Crisis malware infects virtual machines
New rootkit infects Mac OS X, Windows, Windows Mobile as well as VMs.


Security researchers are studying malware that can infect virtual machines from the host operating system.
Intego first discovered the Crisis Trojan in July. The malware was found to infect Mac OS X computers and could record keystrokes and webcams, track web traffic, take screenshots and steal data.
But now researchers at Symantec have revealed that a worm-like version of the malware also targets Windows. As with the Mac version, this malware installs itself onto a victim's PC if they visit a compromised website, subsequently downloading a malicious JAR file.
The malware then looks through the victim's device for virtual machines and makes copies of itself so it can mount the virtual image and infect it.
"The threat uses three methods to spread itself: one is to copy itself and an autorun.inf file to a removable disk drive, another is to sneak onto a VMware virtual machine, and the final method is to drop modules onto a Windows Mobile device," said Takashi Katsuki, a researcher at Symantec.
The threat searches for a VMware virtual machine image on the compromised computer and, if it finds an image, mounts the image and then copies itself onto the image by using a VMware Player tool.
Katsuki said that the malware does not use a vulnerability in the VMware software itself, but takes advantage of an attribute of all virtualisation software: namely that the virtual machine is simply a file or series of files on the disk of the host machine.
"These files can usually be directly manipulated or mounted, even when the virtual machine is not running as is the case above," said Katsuki.
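Because a powered-off guest is only files on the host, a host-side integrity check can flag an image that changes while its virtual machine is not running. The sketch below is an added example, not code from Symantec or VMware; it assumes disks are `.vmdk` files and that a `<disk>.vmdk.lck` entry beside the disk marks a running guest, and all function names and sample files are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def digest(path, chunk=1 << 20):
    # Read in chunks so multi-gigabyte disk images do not have to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_powered_on(vmdk):
    # Assumption: a "<disk>.vmdk.lck" entry sits beside the disk while the guest runs.
    return Path(str(vmdk) + ".lck").exists()


def images(root):
    return [p for p in sorted(Path(root).rglob("*.vmdk")) if p.is_file()]


def take_baseline(root):
    # Record one hash per image; rerun after every legitimate guest shutdown.
    return {str(p): digest(p) for p in images(root)}


def offline_modifications(root, baseline):
    findings = []
    for p in images(root):
        if is_powered_on(p):
            continue  # a running guest writes to its own disk; not comparable
        if str(p) not in baseline:
            findings.append((p.name, "image not in baseline"))
        elif digest(p) != baseline[str(p)]:
            findings.append((p.name, "changed while powered off"))
    return findings


def demo():
    # Constructed sample: two stand-in images, both altered, one guest running.
    with tempfile.TemporaryDirectory() as root:
        for name in ("db", "web"):
            (Path(root) / f"{name}.vmdk").write_bytes(b"constructed disk " + name.encode())
        baseline = take_baseline(root)
        for name in ("db", "web"):
            with open(Path(root) / f"{name}.vmdk", "ab") as fh:
                fh.write(b" extra bytes")
        (Path(root) / "db.vmdk.lck").mkdir()  # db is running, web is powered off
        return offline_modifications(root, baseline)
```

The baseline has to be refreshed each time a guest shuts down normally, otherwise the guest's own writes are reported as offline changes.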
But researchers are still puzzled by what the modules actually do. "We currently do not have copies of these modules and hence we are looking for them so we can analyse them in greater detail," Katsuki added.
Researchers have said fewer than 50 machines are currently infected with the malware.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.