Security Response

Crisis: The Advanced Malware

Created: 30 Nov 2012 06:50:46 GMT • Updated: 23 Jan 2014 18:11:18 GMT • Translations available: 日本語
Takashi Katsuki

Over the past few months, we have blogged several times about OSX.Crisis and W32.Crisis. Crisis is a highly advanced malware family with multiple infection vectors and a variety of information-stealing functions.

Figure 1. The Crisis infection routine

It targets Windows and Mac operating systems as well as devices running Windows Mobile. It can also sneak onto virtual machines if the compromised computer has a specific VMware virtual machine image installed on it, and we believe this is the first malware able to perform host-to-guest virtual machine infections.

Some security product vendors and researchers believe that a group in Italy constructed the Crisis malware as a product to sell to law enforcement agencies. In fact, several of the functions of the Crisis malware, such as recording sounds and stealing address book information, are suitable for private investigations or espionage.

Figure 2. Crisis information-stealing functionality

This information, and much more, is detailed in a white paper I have written called Crisis: The Advanced Malware.