Crisis continues to make appearances

Published November 14th, 2013 at 12:39 PM EST , modified November 14th, 2013 at 12:39 PM EST

Crisis, a high-priced remote access tool mostly used in targeted, government-sponsored attacks, was first discovered more than a year ago. Its high price tag (200,000 euros, according to Intego’s findings at the time) and targeted nature have meant that I have never yet seen a case of Crisis infection, nor have I ever located anything but bits and pieces of the malware. However, as Intego reported earlier this week, Crisis is not only still out there, but a new variant has appeared with some new tricks up its sleeve!

The most concerning aspect of the new variant is that it is currently recognized as malware by none of the anti-virus engines on VirusTotal. This is evidently due, in part, to the fact that the new variant’s code has been compressed with MPRESS. Compressing the code in this manner hides it from anti-virus software, preventing it from being detected by signatures that would trigger on the uncompressed code. A similar technique was discussed right here recently, in Invisible malware.
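Signature engines match byte patterns in the code as it sits on disk, so a packed copy of the same code matches nothing until it is unpacked. The usual defensive counter is not a signature for the packer but a heuristic: compressed or encrypted code has near-random byte statistics, so an executable whose body is mostly high-entropy regions deserves a closer look. The script below is an added example of that heuristic, written for this post and not taken from Intego's report or from any anti-virus product; it makes no assumptions about MPRESS's internal layout and works on any file. The two samples it scans are constructed in the script (a repeating plaintext "code" fragment and a seeded pseudo-random buffer standing in for a packed body), and the window size and threshold are assumed tuning values.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 1024, threshold: float = 7.0):
    """Slide a fixed-size window over data; return (offset, entropy) for windows at or above threshold."""
    hits = []
    for off in range(0, len(data) - window + 1, window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def looks_packed(data: bytes, window: int = 1024, threshold: float = 7.0,
                 min_fraction: float = 0.5) -> bool:
    """Heuristic verdict: True when at least min_fraction of the windows are high-entropy.

    Assumed tuning: plain machine code and text typically score 4-6.5 bits/byte,
    compressed or encrypted data scores close to 8. Legitimate embedded archives,
    images or encrypted resources also score high, so treat a True as a triage cue,
    not proof of packing.
    """
    total_windows = max(1, len(data) // window)
    return len(high_entropy_regions(data, window, threshold)) / total_windows >= min_fraction


# Constructed sample 1: repetitive instruction-like text standing in for unpacked code.
PLAIN_SAMPLE = b"mov eax, ebx; add eax, 4; call 0x1000; ret\n" * 120

# Constructed sample 2: seeded pseudo-random bytes standing in for a compressed code body.
_rng = random.Random(7)
PACKED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))


def scan_file(path: str) -> dict:
    """Read a file from disk and report entropy statistics plus the heuristic verdict."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "size": len(data),
        "overall_entropy": round(shannon_entropy(data), 2),
        "high_entropy_windows": high_entropy_regions(data),
        "looks_packed": looks_packed(data),
    }


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, round(shannon_entropy(blob), 2), looks_packed(blob))
```

Run against a real binary with `scan_file("/path/to/binary")`; a result that flags the whole file as packed, with no low-entropy windows where a code section should be, is the signal that a signature miss may be a packing miss rather than a clean file.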

Because this packing of the executable code has prevented detection, it’s impossible to know how long this variant has been out there. With malware that is used in an extremely targeted fashion, like Crisis, it’s entirely possible for the malware to be in active use for quite some time before the security community discovers it, simply because it’s only being used on small numbers of targets spread out over time. For all we know, this variant of Crisis could have been around for more than a year, having appeared shortly after the first version was “outed” by the security community.

This is probably not something that the average user will need to worry about. For those who may have garnered the attentions of a government or similar organization, see the list of files found on an infected system that Intego published in their report. If you’re not sure how to find those files, see Locating files from paths.
