ESG security researchers have received multiple reports of a dangerous cross-platform rootkit infection known as Crisis. This rootkit, also detected as Morcut by some security programs, can attack computers running the Mac OS X operating system as well as various versions of Windows. Crisis spreads from computer to computer mainly by posing as a fake installer for Adobe’s Flash Player. Crisis has been active since July of 2012 and is used to monitor online traffic on the infected computer. Crisis can also keep a record of instant messaging activity and even record conversations on Skype and other VoIP applications! One of the reasons why Crisis has caught the attention of PC security researchers is that it can apparently also spread to virtual machines, which is quite rare.
Crisis is Designed to Infect Numerous Platforms, Including Virtual Machines!
Most of the time, Crisis uses social engineering to convince computer users to install this fake version of Adobe Flash Player. Using Java vulnerabilities, Crisis can detect the operating system on the victim’s computer and then exploit those vulnerabilities to install a backdoor on the infected computer. Besides attacking both Mac and Windows operating systems, Crisis has been observed by PC security researchers spreading via removable memory drives, similar to computer worms. Crisis can also spread by entering a VMware virtual machine in order to infect Windows smartphones. Crisis may, in fact, be the first malware infection that uses this method in order to spread from one computer to another.

Many computer users forget that virtual machines are still stored on a computer as files that can be manipulated and corrupted just like any other file. Virtual machines are often used by PC security researchers to study malware infections in a safe, contained environment, and many malware programs will terminate or delete themselves if they detect that they are running inside a virtual machine. Crisis, however, seems to actively try to infect virtual machines, which is what makes Windows phones vulnerable to these kinds of attacks.
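Because the point above is that a virtual machine's disk is just an ordinary file on the host, one practical defensive check is to record the hashes of those image files while the virtual machines are powered off and compare them again later: an image that changed without its VM ever running has been written to from outside the guest. The script below is an added example written for this page, not code from ESG or from any analysis of Crisis; the image directory layout, the list of image file suffixes and the sample image contents are all constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed set of disk image suffixes to watch (extend for your hypervisor).
VM_IMAGE_SUFFIXES = {".vmdk", ".vdi", ".qcow2", ".vhd", ".vhdx"}


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte images do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each VM image under root (as a POSIX-style relative path) to its hash and size."""
    baseline = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in VM_IMAGE_SUFFIXES:
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_of(p), "size": p.stat().st_size}
    return baseline


def compare_to_baseline(root, baseline):
    """Report images whose content changed, and images that appeared or vanished."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Constructed scenario: two powered-off lab images, one of which is written to out-of-band."""
    with tempfile.TemporaryDirectory() as root:
        lab = Path(root) / "lab"
        lab.mkdir()
        # Constructed placeholder image contents; real images are far larger.
        (lab / "win7-analysis.vmdk").write_bytes(b"\x00" * 4096)
        (lab / "osx-analysis.vmdk").write_bytes(b"\x01" * 4096)
        (lab / "notes.txt").write_text("not an image, must be ignored")

        baseline = build_baseline(root)

        # Simulate a write into one image while its VM is powered off.
        with open(lab / "win7-analysis.vmdk", "r+b") as fh:
            fh.seek(2048)
            fh.write(b"TAMPERED")

        return {"baseline_files": sorted(baseline), "diff": compare_to_baseline(root, baseline)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats apply when using this outside the demo: a running VM writes to its own image constantly, so only compare images (or snapshot files) taken while the guest is off, and keep the baseline somewhere the host itself cannot silently rewrite, since a rootkit with host privileges could otherwise re-baseline after tampering.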
Is Crisis a Government Sponsored Attack?
The vast majority of malware threats are not innovative. Creating new kinds of large-scale destructive malware usually requires a huge budget. Most malware recycles known models, adapting them to their particular needs. Because of this, when threats like Crisis pop up, it immediately makes malware analysts suspect the involvement of government organizations. It is no secret that the Chinese and Syrian governments have used malware attacks against political activists in the Middle East and Tibet. Powerful spy rootkits like Crisis may be derived from malware developed or commissioned by governments in order to stop political dissidents.
How Can You Detect Crisis?