First Malware that Attempts to Spread Onto a Virtual Machine
AlexNguyen
Member Posts: 358
in Off-Topic
Crisis malware has functionality to spread to four different environments: Mac, Windows, virtual machines, and Windows Mobile.
Crisis Malware Able to Hijack Virtual Machines | SecurityWeek.Com
Crisis for Windows Sneaks onto Virtual Machines | Symantec Connect Community
Knowledge has no value if it is not shared.
Knowledge can cure ignorance, but intelligence cannot cure stupidity.
Comments
-
ptilsen Member Posts: 2,835
No big shocker here. Virtual disk files used for all virtualization products should be relatively easy to inject virus payloads into. We're talking about a task simple enough it can be shell scripted because the formats are well known and the ability to do this is a documented, supported feature, in most cases.
What makes this compelling is the fact that it can effectively act as a privilege escalation attack. If a user executes the malware, and that user has access to a virtual disk file, the malware can effectively gain total system access to that virtual machine. If the machine is domain joined and such, that obviously opens the door for access to privileged credentials.
This is important because it's a vector through which a compromised, unprivileged user account can in turn compromise a privileged account. The vast majority of common malware is limited by the user account's privileges, so this may necessitate a change in some shops' policies. To limit the scope of this kind of attack, unprivileged users mustn't be allowed to run domain-joined virtual machines. That might seem trivial, but in a lot of environments there are legitimate needs for unprivileged users to run VMs.
The reality is a lot of (most?) organizations give their users full local admin rights anyway, but for those that don't, I think this will and should affect policies.
-
Roguetadhg Member Posts: 2,489
People fight for local admin rights. It ends up not being a solution, but instead, causes problems with... well, they just don't care what they do. It's not their computers. As one rep told me.
In order to succeed, your desire for success should be greater than your fear of failure.
TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams
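To check the exposure ptilsen describes (a virtual disk file that an unprivileged account can write to), a host can be audited for disk images with loose permissions. The script below is an added example, not part of the original thread; the extension list and the `trusted_uids` parameter are assumptions, and it inspects POSIX permission bits only, not ACLs or directory permissions.

```python
import os
import stat

# Assumption: common virtual disk extensions; the thread names no specific format.
DISK_EXTENSIONS = {".vmdk", ".vhd", ".vhdx", ".vdi", ".qcow2"}


def audit_disk_images(root, trusted_uids=frozenset({0})):
    """Return {path: [reasons]} for virtual disk files that an account
    outside trusted_uids could modify (POSIX permission bits only)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in DISK_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks and special files
            reasons = []
            if st.st_mode & stat.S_IWUSR and st.st_uid not in trusted_uids:
                reasons.append(f"owner uid {st.st_uid} can write")
            if st.st_mode & stat.S_IWGRP:
                reasons.append("group-writable")
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if reasons:
                findings[path] = reasons
    return findings


if __name__ == "__main__":
    import sys
    start = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reasons in sorted(audit_disk_images(start).items()):
        print(f"{path}: {', '.join(reasons)}")
```

Any image it reports for a domain-joined guest is a candidate for tighter ownership or for moving off the user-writable path.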