Crisis is described as a Trojan “that installs a back door on compromised OSX systems”, which lets attackers monitor programs such as Adium, Mozilla Firefox, MSN Messenger (for Mac) and Skype. Once installed, the malware can record traffic on MSN Messenger (for Mac) and Adium, record Internet usage in Safari or Mozilla Firefox, capture or record Skype sessions, send the captured information to a command-and-control (C&C) server through its back door (18.104.22.168x), and receive commands from that server.
Kaspersky, another top security firm, backed up Symantec’s findings and stated that the malware was “distributed using social engineering techniques via a JAR file with the name AdobeFlashPlayer.jar and allegedly signed by VeriSign Inc.”
According to Sergey Golovanov, a Kaspersky Lab expert, if the JAR file is allowed to run, “it creates an executable file payload.exe (993,440 bytes) in a temporary folder ~spawn[selection of numbers].tmp.dir and launches it.” After it launches, “the malicious program initializes its components and passes control to them.”
The malware, at first thought to be exclusive to Macs, was soon discovered to be capable of infecting Windows PCs as well: the JAR file carries two executables, one for Mac and one for Windows. The dropper first checks which OS it is running on and then drops the matching payload.
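A single JAR that carries both a Windows PE and a Mac Mach-O payload is easy to spot without running it: a JAR is just a ZIP archive, and native executables announce themselves in their first bytes. The following triage script is an added example, not code from the original article or from any vendor's analysis. It builds a constructed sample archive (generic entry names, dummy bodies; not the real AdobeFlashPlayer.jar) and classifies each entry by magic number. It also handles the one awkward case in this check: the fat Mach-O header and Java class files share the same `CAFEBABE` magic, and are told apart by the next four bytes (a small architecture count versus a class-file version of 45 or more).

```python
import io
import struct
import zipfile

# Magic numbers for the two native payload formats a cross-platform dropper would carry.
PE_MAGIC = b"MZ"                                           # Windows PE/COFF (DOS stub)
MACHO_THIN = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",    # 32/64-bit Mach-O, big-endian
              b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"}    # same magics as stored on x86 (little-endian)
CAFEBABE = b"\xca\xfe\xba\xbe"                             # shared by fat Mach-O and Java .class


def classify(name, head):
    """Return 'pe', 'macho', 'class' or 'other' for the first 8 bytes of a JAR entry."""
    if head.startswith(PE_MAGIC):
        return "pe"
    if head[:4] in MACHO_THIN:
        return "macho"
    if head[:4] == CAFEBABE and len(head) >= 8:
        # Fat Mach-O: bytes 4..8 are nfat_arch (big-endian), a small count.
        # Java class: bytes 4..8 are minor(2)+major(2) version; major is >= 45 for any
        # real class file, so the 32-bit value is >= 45. Threshold 30 separates them.
        nfat_or_version = struct.unpack(">I", head[4:8])[0]
        if nfat_or_version < 30 and not name.lower().endswith(".class"):
            return "macho"
        return "class"
    return "other"


def triage_jar(jar_bytes):
    """Map every file entry in the archive to its classification."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                findings[info.filename] = classify(info.filename, fh.read(8))
    return findings


def native_payloads(findings):
    """Entries that are native executables, i.e. things a JAR has no business shipping."""
    return sorted(name for name, kind in findings.items() if kind in ("pe", "macho"))


def build_sample_jar():
    """Constructed sample for this example (not the real dropper): one Java class
    plus fake Windows and Mac payloads with correct headers and dummy bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Installer\n")
        # Java class: CAFEBABE, minor version 0, major version 50 (Java 6)
        zf.writestr("Installer.class", CAFEBABE + b"\x00\x00\x00\x32" + b"\x00" * 64)
        # Windows payload: MZ header on a DOS stub
        zf.writestr("win/payload.exe", b"MZ\x90\x00" + b"\x00" * 124)
        # Fat (universal) Mach-O: CAFEBABE followed by nfat_arch = 2
        zf.writestr("mac/payload", CAFEBABE + b"\x00\x00\x00\x02" + b"\x00" * 64)
        # Thin 64-bit Mach-O as stored on an Intel Mac (little-endian magic)
        zf.writestr("mac/helper", b"\xcf\xfa\xed\xfe" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_jar(build_sample_jar())
    for entry, kind in report.items():
        print(f"{kind:6} {entry}")
    print("native payloads:", native_payloads(report))
```

Pointing `triage_jar` at a real file is a matter of `triage_jar(open(path, "rb").read())`. Any `pe` or `macho` hit inside a JAR that presents itself as a Flash Player update is a strong enough signal to quarantine first and ask questions later; the `.class` name check is a fallback for the rare class file whose version bytes would otherwise look like an architecture count.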
According to the latest findings, the malware has three ways of spreading: first, it copies itself together with an autorun.inf file to a removable drive; second, it sneaks onto a VMware virtual machine; and third, it drops modules onto a Windows Mobile device.
The most interesting of these is the virtual machine infection. The malware “searches for a VMware virtual machine image on the compromised computer and, if it finds an image, it mounts the image and then copies itself onto the image by using a VMware Player tool.” Because the copy is written from the host into the mounted image, the guest's own defences never see it happen.
Symantec stated that this may be the first time malware has infected virtual machines, since malware usually terminates itself when it detects a virtual machine in order to avoid being analysed. Symantec also noted that this could be the next trend in malware authoring.
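The removable-drive method described above is the classic worm trick: an autorun.inf next to the copied executable tells Windows what to launch when the drive is inserted or its icon is double-clicked. The check below is an added example, not code from the article or from any vendor writeup, and the two autorun.inf samples in it are constructed for illustration rather than taken from the real malware. It parses the file by hand (the real thing is often padded with junk and null bytes that standard INI parsers reject), pulls out every key that launches a command, and flags the ones that point at an executable.

```python
import re

# [autorun] keys that launch a program on insertion (open) or from the AutoPlay
# dialog (shellexecute); shell\<verb>\command keys fire from the context menu
# and, for shell\open\command, on a double-click of the drive icon.
LAUNCH_KEYS = ("open", "shellexecute")
EXECUTABLE_EXT = re.compile(r"\.(exe|com|scr|bat|cmd|pif|vbs|js)\b", re.IGNORECASE)


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, tolerating junk the
    real-world files carry (null padding, stray comment lines, mixed case)."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().strip("\x00").strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries.setdefault(key.strip().lower(), value.strip())  # first wins, as in Windows
    return entries


def launch_targets(entries):
    """(key, command) pairs that can run code."""
    return [(k, v) for k, v in entries.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]


def is_suspicious(entries):
    """Reasons this autorun.inf looks like a spreader: it launches an executable,
    or combines a launch command with a custom icon so the drive looks normal."""
    reasons = []
    targets = launch_targets(entries)
    for key, value in targets:
        if EXECUTABLE_EXT.search(value):
            reasons.append(f"{key} launches executable: {value}")
    if "icon" in entries and targets:
        reasons.append("custom icon combined with a launch command")
    return reasons


# Constructed samples for this example; not the real malware's autorun.inf.
BENIGN = r"""[autorun]
icon=setup.ico
label=Product Installer
"""

MALICIOUS = r"""[AutoRun]
; padding line worms often insert
open=RECYCLER\update.exe
shellexecute=RECYCLER\update.exe
shell\open\command=RECYCLER\update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
label=Removable Disk
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, is_suspicious(parse_autorun(sample)) or "clean")
```

One caveat a responder should keep in mind: Microsoft switched off AutoRun for non-optical removable media in 2011, so on a patched Windows 7 machine the `open=` line no longer fires on insertion. The `shell\open\command` entry still runs when a user double-clicks the drive, which is why spreaders keep all three keys and why the check above treats every one of them as a launch point.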
As for mobile devices, iOS and Android users can breathe easily for now: Crisis uses the Remote Application Programming Interface (RAPI), which only lets it reach Windows Mobile devices, and only ones connected to the infected PC over ActiveSync. But who knows? If malware authors found a way to infect virtual machines, they are sure to find a way onto other mobile operating systems. Hopefully, security researchers will be up to par.