Trend Micro Security Expert: Malware Attack Against VMware Limited In Scope


Security researchers have determined that some variants of a new malware family called "Crisis," aka "Morcut," can infect VMware virtual machines and Windows Mobile devices. But a security expert at Trend Micro points to current evidence that the majority of VMware's most widely deployed products are not currently under attack.

"VMware has a family of test development and productivity products called Workstation and Player," said Warren Wu, director of datacenter products at Trend Micro, in an interview with CRN. "This malware only affects these types of hypervisors. The data center products are not under attack at this point. But, it's important to be aware that some malware writer in the future can try to leverage this same technique against the data center products. So, it's important to make sure that your anti-malware products are up to date and that you have effectively locked down access to key directories and repositories. If you've already done that, you're probably pretty good against this malware, as well as any other future threats that might be forthcoming."

The common denominator for the products most at risk is a hosted architecture, in which the hypervisor installs on top of a standard operating system and, in turn, hosts multiple virtual machines, according to Wu. The malware first compromises the host operating system, then looks for VMDK files, the virtual disk files from which it can instantiate the virtual machine and deploy the same infection.


Wu, who was previously involved in security initiatives at VMware, also explained that the fundamental property of virtualization enables the disk, memory and other components to be abstracted into a file, much like a document. "That means it can be manipulated, copied, backed up and cloned much like a document," he said. "But, that also means it can be edited like a document, too. In this case, we have a hacker [who] has decided to exploit this characteristic to try to add malware to the virtual disk. This is pretty unique. We haven't seen this approach before."
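Wu's point is that a guest's disk is just a file on the host, so it can be altered from the host while the guest is powered off, and his recommendation is to lock down access to the directories holding those files. The script below is an added example, not code from the article, Trend Micro or VMware: it walks a VM library folder, records a baseline of every `.vmdk` (content hash and permission bits), and on a later run reports disks whose content changed while no VM should have been running, disks whose permissions were loosened, and disks that are writable by group or others. The directory layout, file names and file contents in `demo()` are constructed for the example; a real VMDK has its own on-disk format, which this check does not parse.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Suffixes treated as virtual disk files. Real deployments also keep
# snapshot/delta disks next to the base disk; they carry the same suffix.
VMDK_SUFFIXES = (".vmdk",)


def find_vmdk_files(root):
    """Return every virtual-disk file under root, sorted for stable output."""
    root = Path(root)
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in VMDK_SUFFIXES)


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256; disk images are large, so do not read them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Record hash, permission bits and size of each VMDK under root."""
    result = {}
    for p in find_vmdk_files(root):
        st = p.stat()
        result[str(p)] = {
            "sha256": sha256_of(p),
            "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size,
        }
    return result


def loose_permissions(mode):
    """True if group or others may write: any process on the host could then edit the disk."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def compare(baseline, current):
    """Return sorted (path, finding) pairs describing deviations from the baseline.

    Run this only when the guests that own these disks are powered off;
    a running VM legitimately rewrites its own disk file.
    """
    findings = []
    for path, entry in current.items():
        old = baseline.get(path)
        if old is None:
            findings.append((path, "new_vmdk"))
        else:
            if entry["sha256"] != old["sha256"]:
                findings.append((path, "content_changed"))
            if entry["mode"] != old["mode"]:
                findings.append((path, "mode_changed"))
        if loose_permissions(entry["mode"]):
            findings.append((path, "writable_by_group_or_others"))
    for path in baseline:
        if path not in current:
            findings.append((path, "missing_vmdk"))
    return sorted(findings)


def demo():
    """Constructed scenario: two disk files; one is edited from the host while its
    guest is off, the other has its permissions loosened. Returns (name, finding) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        vm_a = Path(tmp, "vm-a")
        vm_b = Path(tmp, "vm-b")
        vm_a.mkdir()
        vm_b.mkdir()
        disk_a = vm_a / "vm-a.vmdk"
        disk_b = vm_b / "vm-b.vmdk"
        # Constructed placeholder bytes, not a real VMDK image.
        disk_a.write_bytes(b"constructed-sample-disk-a" + b"\x00" * 512)
        disk_b.write_bytes(b"constructed-sample-disk-b" + b"\x00" * 512)
        os.chmod(disk_a, 0o600)
        os.chmod(disk_b, 0o600)
        baseline = snapshot(tmp)

        # Host-side edit of a powered-off guest's disk: same size, different content.
        with open(disk_a, "r+b") as f:
            f.seek(256)
            f.write(b"CHANGED")
        # Permissions loosened so that any local user could write the disk.
        os.chmod(disk_b, 0o666)

        findings = compare(baseline, snapshot(tmp))
        return [(Path(p).name, kind) for p, kind in findings]


if __name__ == "__main__":
    for name, kind in demo():
        print(f"{kind:30s} {name}")
```

In practice the baseline would be written to storage the VM host's users cannot modify and refreshed only after an authorized change (patching a template disk, taking a snapshot), so that any other content change in a powered-off disk stands out. The permission check covers the second half of Wu's advice: a disk file that is writable by accounts other than the one running the hypervisor is exactly the kind of "key directory" exposure he describes.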

Wu added that, at this point, it appears that the malware in question is aimed at spying upon the users, most likely Web behavior and communications.

"This does not affect the vast majority of customers because most of those people are using the data center products," he added. "But still, it is important to make sure for the long run and for the potential of future malware that you are following best practices around anti-malware software."

The rate of incidence in the wild appears to be very low, at this point, with fewer than 100 systems impacted, according to Trend Micro.

PUBLISHED AUG. 23, 2012