Crisis: The Advanced Malware

Over the past few months, we have blogged several times about OSX.Crisis and W32.Crisis. The Crisis malware is a highly advanced malware that has multiple infection vectors and a variety of information-stealing functions.

Figure 1. The Crisis infection routine


It targets Windows and Mac operating systems as well as devices running Windows Mobile. It can also sneak onto virtual machines if the compromised computer has a specific VMware virtual machine image installed on it and we believe that this is the first malware that can perform host-to-guest virtual machine infections.

Some security product vendors and researchers believe that a group in Italy constructed the Crisis malware as a product to sell to law enforcement agencies. In fact, several of the functions of the Crisis malware, such as recording sounds and stealing address book information, are suitable for private investigations or espionage.

Figure 2. Crisis information-stealing functionality


This information, and much more, is detailed in a white paper I have written called Crisis: The Advanced Malware.