UPDATED 14:22 EDT / AUGUST 22 2012

NEWS

Symantec Warns That Crisis Malware Infects VMware Virtual Machines

Back in July, security firm Symantec discovered a new piece of malware attacking Macs, dubbed OSX.Crisis.

Crisis is described as a Trojan “that installs a back door on compromised OSX systems” which lets attackers monitor programs such as Adium, Mozilla Firefox, MSN Messenger (for Mac) and Skype. The malware can then record traffic on MSN Messenger (for Mac) and Adium, record Internet usage in Safari or Mozilla Firefox, capture or record Skype sessions, send confidential information to a command-and-control (C&C) server through a back door (176.58.100.3x) and receive commands.
Kaspersky, another top security firm, backed up Symantec’s findings and stated that the malware was “distributed using social engineering techniques via a JAR file with the name AdobeFlashPlayer.jar and allegedly signed by VeriSign Inc.”

According to Sergey Golovanov, a Kaspersky Lab Expert, if the JAR file is allowed to run, “it creates an executable file payload.exe (993,440 bytes) in a temporary folder ~spawn[selection of numbers].tmp.dir and launches it.”  After it launches, “the malicious program initializes its components and passes control to them.”

The malware, first thought to be exclusive to Macs, was soon found to be capable of infecting Windows PCs as well: the JAR file carries two executables, one for Mac and one for Windows. The dropper first checks which OS the computer is running and then installs the matching payload.

According to the latest findings, the malware has three ways of spreading: it copies itself together with an autorun.inf file to a removable drive, it sneaks onto a VMware virtual machine, and it drops modules onto a Windows Mobile device.
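The removable-drive method relies on Windows honouring an autorun.inf that points at the copied executable. The following is an added example, not code from this article or from Symantec or Kaspersky: a heuristic that parses an autorun.inf and reports the entries that would launch a program when the drive is inserted. The two autorun.inf bodies it runs over are constructed for the example.

```python
"""Heuristic check for autorun.inf files that launch a program from removable media.

Added example, not code from the SiliconANGLE article, Symantec or Kaspersky:
the first Crisis spreading method copies the malware plus an autorun.inf to a
removable drive, so an autorun.inf whose launch keys point at an executable on
the drive is the thing to look for. The two autorun.inf bodies below are
constructed for this example.
"""
import re

# Windows reads the [autorun] section and architecture-specific variants such
# as [autorun.alpha]; the section name is case-insensitive.
_SECTION_RE = re.compile(r"^\[\s*autorun(\.[^\]]*)?\s*\]$", re.IGNORECASE)
# Keys whose value is executed: open=, shellexecute=, shell\<verb>\command=
_LAUNCH_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.IGNORECASE)
_EXEC_EXT_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js|jar)$", re.IGNORECASE)
# Folders malware commonly hides its payload in on removable drives.
_HIDDEN_DIR_RE = re.compile(
    r"(^|[\\/])(recycler|recycled|\$recycle\.bin|system volume information)([\\/]|$)",
    re.IGNORECASE,
)


def parse_autorun(text):
    """Return {lower-cased key: value} for entries inside [autorun*] sections."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = bool(_SECTION_RE.match(line))
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def target_of(value):
    """Strip arguments from a command line: '"a b.exe" /s' -> 'a b.exe'."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    parts = value.split()
    return parts[0] if parts else value


def find_launch_entries(text):
    """Return [(key, value)] for every entry that would run a program."""
    return [(k, v) for k, v in parse_autorun(text).items() if _LAUNCH_KEY_RE.match(k)]


def assess_autorun(text):
    """Summarise what this autorun.inf does when the drive is inserted."""
    launches = find_launch_entries(text)
    reasons = []
    for key, value in launches:
        target = target_of(value)
        if _EXEC_EXT_RE.search(target):
            reasons.append(f"{key} runs executable {target}")
        else:
            reasons.append(f"{key} runs {target} (no recognised extension)")
        if _HIDDEN_DIR_RE.search(target):
            reasons.append(f"{key} target is under a recycler/system folder: {target}")
    verdict = "launches-program" if launches else "clean"
    return {"verdict": verdict, "launch_entries": launches, "reasons": reasons}


# Constructed samples: a vendor-style autorun.inf that only sets an icon and a
# label, and one in the style of a USB worm that executes a hidden payload.
BENIGN_AUTORUN = """[autorun]
icon=setup.exe,0
label=Vendor Drivers
"""

MALICIOUS_AUTORUN = r"""; constructed sample, not a real recovered file
[AutoRun]
OPEN=RECYCLER\S-1-5-21\payload.exe
shell\open=Open
shell\open\Command=RECYCLER\S-1-5-21\payload.exe
shell\explore\command=RECYCLER\S-1-5-21\payload.exe
UseAutoPlay=1
"""

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_AUTORUN), ("malicious", MALICIOUS_AUTORUN)):
        result = assess_autorun(body)
        print(name, result["verdict"])
        for reason in result["reasons"]:
            print("   ", reason)
```

Only keys that Windows actually executes are flagged; `shell\open=Open` is a verb label, not a command, so it is ignored, while `icon=` and `label=` referencing an .exe are harmless. The check is a triage aid for media pulled from a suspect machine; it does not replace disabling AutoRun on the hosts themselves.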

The most interesting method is infecting virtual machines. The malware “searches for a VMware virtual machine image on the compromised computer and, if it finds an image, it mounts the image and then copies itself onto the image by using a VMware Player tool.” In other words, the guest is infected from the host side, by writing into the virtual disk file.
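Because the infection is done by mounting and writing to the image file on the host, the VM's files change while the VM is not running. The following is an added example, not code from this article or from Symantec: a baseline-and-recheck of SHA-256 hashes over a VM's disk, configuration and NVRAM files, which catches that kind of host-side write. The VM directory it checks is constructed in a temporary folder and its contents only mimic a VMware layout.

```python
"""Detect host-side tampering with powered-off VMware virtual-machine files.

Added example, not code from the SiliconANGLE article or from Symantec: Crisis
mounts a VMware image from the compromised host and copies itself in, so the
guest's disk file changes while the VM is not running. Hashing the VM's files
while they are known-good and re-checking later catches that. The VM directory
below is constructed in a temporary folder for the demonstration; its file
contents only mimic a VMware layout.
"""
import hashlib
import json
import os
import tempfile

# VMware files a powered-off VM should not change: disk, config, firmware vars.
VM_EXTENSIONS = (".vmdk", ".vmx", ".nvram")


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 (virtual disks are often tens of GB)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def baseline(root):
    """Map relative path -> sha256 for every VM file under root."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(VM_EXTENSIONS):
                full = os.path.join(dirpath, name)
                hashes[os.path.relpath(full, root)] = sha256_file(full)
    return hashes


def compare(known_good, current):
    """Report which VM files were modified, added or removed since the baseline."""
    return {
        "modified": sorted(p for p in known_good if p in current and known_good[p] != current[p]),
        "added": sorted(p for p in current if p not in known_good),
        "removed": sorted(p for p in known_good if p not in current),
    }


def demo():
    """Build a fake VM folder, baseline it, tamper with the disk, re-check."""
    with tempfile.TemporaryDirectory() as root:
        vm_dir = os.path.join(root, "win7-test")
        os.makedirs(vm_dir)
        disk = os.path.join(vm_dir, "win7-test.vmdk")
        with open(disk, "wb") as fh:
            fh.write(b"KDMV" + b"\x00" * 8192)  # constructed stand-in, not a real VMDK
        with open(os.path.join(vm_dir, "win7-test.vmx"), "w") as fh:
            fh.write('displayName = "win7-test"\n')

        # In practice the baseline belongs somewhere the host's malware cannot
        # rewrite it (read-only media, another machine); here it is a JSON file
        # outside the VM folder.
        baseline_path = os.path.join(root, "baseline.json")
        with open(baseline_path, "w") as fh:
            json.dump(baseline(vm_dir), fh)

        # Simulate a host-side write into the unmounted guest disk, which is
        # what mounting the image and copying a payload in amounts to.
        with open(disk, "r+b") as fh:
            fh.seek(4096)
            fh.write(b"payload.exe written into the guest filesystem")

        with open(baseline_path) as fh:
            known_good = json.load(fh)
        return compare(known_good, baseline(vm_dir))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats: powering a VM on legitimately rewrites these files, so the check is only meaningful for images expected to be idle (templates, archived VMs, analysis snapshots between runs), and a changed host-side hash says that the image was modified, not what was written; identifying the payload still requires mounting the image read-only or scanning from inside the guest.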

Symantec said this may be the first time malware has been seen infecting virtual machines; malware usually terminates itself when it detects a virtual machine, to avoid being analyzed. Symantec acknowledges that this could be the next trend in malware authoring.

As for mobile devices, iOS and Android users can breathe easily for now: Crisis uses the Remote Application Programming Interface (RAPI), the ActiveSync interface a PC uses to talk to a connected Windows Mobile device, which only lets it infect Windows Mobile. But who knows? If malware authors found a way to infect virtual machines, they are sure to find a way onto other mobile operating systems. Hopefully the security experts will keep pace.

