Printed from http://www.electronista.com

Cross-platform 'Crisis' malware hits Windows, OS X, VMWare

updated 11:29 pm EDT, Wed August 22, 2012

Windows Mobile devices possible vector of Java-based infection

Researchers from Kaspersky Lab have released a description of a new malware delivery platform capable of spreading itself and its payload to Windows, Mac OS X, VMware virtual machines, and Windows Mobile devices. The "Crisis" trojan is capable of intercepting emails and instant messages, and it carries a module that keeps track of websites visited from the infected computer.

The application masquerades as a Java Flash installer and persuades the user to install it through social engineering. Once executed, the trojan detects the operating system and runs the appropriate installer from a JAR file embedded in the malware. Originally, the malware was thought to be OS X specific, but further research by Symantec has shown that it can copy itself, together with an autorun file, onto a removable disk drive or into a VMware virtual machine image.

Symantec claims that the VMware images aren't infected through software exploitation; instead, the Crisis package writes itself into the virtual machine disk image just like any other file, and doesn't require the contained virtual machine to be running. Researcher Takashi Katsuki, in the analysis on the Symantec security blog, says that "Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMWare, to avoid being analyzed, so this may be the next leap forward for malware authors."
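One host-side check for the offline image tampering described above, as an added example that is not from the article, Kaspersky or Symantec: baseline hashes of a VM's disk files, then flag any .vmdk that changed while no guest had it open. It assumes VMware's per-image `<name>.vmdk.lck` lock directory as the signal that a guest is running; the sample image in `demo()` is constructed, not a real VM.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def vm_is_running(vmdk: Path) -> bool:
    # Assumption: VMware Workstation/Fusion keep a "<image>.vmdk.lck"
    # directory beside a disk image while a guest has it open.
    return vmdk.with_name(vmdk.name + ".lck").is_dir()

def baseline(vm_dir: Path) -> dict:
    """Hash every .vmdk under vm_dir (descriptor and extent files alike)."""
    return {str(p.relative_to(vm_dir)): sha256_of(p)
            for p in sorted(vm_dir.rglob("*.vmdk")) if p.is_file()}

def verify(vm_dir: Path, base: dict) -> list:
    """Return (event, file, severity) tuples for images that differ from base."""
    current = baseline(vm_dir)
    findings = []
    for rel, old in base.items():
        new = current.get(rel)
        if new is None:
            findings.append(("missing", rel, "medium"))
        elif new != old:
            # Writes while the guest holds the disk are normal; a change to a
            # powered-off image is the pattern the article describes.
            sev = "low" if vm_is_running(vm_dir / rel) else "high"
            findings.append(("modified", rel, sev))
    for rel in sorted(current.keys() - base.keys()):
        findings.append(("new", rel, "medium"))
    return findings

def demo() -> tuple:
    # Constructed sample image (not a real VM): descriptor plus flat extent.
    d = Path(tempfile.mkdtemp())
    (d / "guest.vmdk").write_bytes(b"# Disk DescriptorFile\nversion=1\n")
    (d / "guest-flat.vmdk").write_bytes(b"\x00" * 4096)
    base = baseline(d)
    clean = verify(d, base)
    (d / "guest-flat.vmdk").write_bytes(b"\x00" * 4000 + b"TAMPERED")
    offline = verify(d, base)          # modified with no lock: "high"
    (d / "guest-flat.vmdk.lck").mkdir()
    online = verify(d, base)           # same change, guest "running": "low"
    return clean, offline, online
```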

Windows Mobile devices are also threatened by Crisis and can, in turn, infect computers that the device comes in contact with during the synchronization process. Android and iOS are not susceptible to that line of attack, as Crisis uses the incompatible Remote Application Programming Interface (RAPI) to propagate.

Anti-malware software detects the JAR file payload as Trojan.Maljava, the OS X executable as OSX.Crisis, and the Windows threat as W32.Crisis. Mac security firm Intego postulates that Crisis has its genesis in a trojan licensed to law enforcement and other investigative authorities for surveillance uses. At this time, Symantec believes fewer than 60 devices have been infected by this trojan.



By Electronista Staff
Comments

  1. Zanziboy

    Forum Regular

    Joined: 08-27-08

    Another vote for sandboxing and the App Store! :thumbsup:

  1. besson3c

    Clinically Insane

    Joined: 03-03-01

    Originally Posted by Zanziboy


    Another vote for sandboxing and the App Store! :thumbsup:


    Except, speaking of VMWare, tools like VMWare wouldn't even be possible App Store apps.


    Apple needs to come up with some sort of middle ground, perhaps simply some level of certification for app store apps, proper warnings and caveats for other apps, and recognizing and acknowledging the limitations of the sandboxing requirement.

  1. Spheric Harlot

    Clinically Insane

    Joined: 11-07-99

    Besson: I agree. Maybe they should copy Gatekeeper. That seems to be exactly what you're asking for.

  1. besson3c

    Clinically Insane

    Joined: 03-03-01

    Originally Posted by Spheric Harlot


    Besson: I agree. Maybe they should copy Gatekeeper. That seems to be exactly what you're asking for.


    No, not at all, but thanks for the snide remark.

    I'm talking about app store eligibility, the warnings that I was referring to would be in app-store prior to purchase, not running from within OS X, and the certification likewise indicated within the store somewhere.

    You can't protect users from everything, but you can minimize security issues with proper, non-intrusive warnings. Those that want apps that aren't in the app store will get them the old fashioned way anyway, so what I'm proposing seems like an improvement to all of this.

  1. prl99

    Dedicated MacNNer

    Joined: 03-24-09

    Without sounding too cynical, does anyone else find it interesting that Kaspersky seems to be the main anti-virus/anti-malware vendor finding all these Mac problems? Are they all coming from that part of the world Kaspersky calls home so they know about them before everyone else does? I'll stop there.

  1. Spheric Harlot

    Clinically Insane

    Joined: 11-07-99

    Originally Posted by besson3c

        Originally Posted by Spheric Harlot

        Besson: I agree. Maybe they should copy Gatekeeper. That seems to be exactly what you're asking for.

    No, not at all, but thanks for the snide remark.

    Sorry. :)

    Originally Posted by besson3c

    I'm talking about app store eligibility, the warnings that I was referring to would be in app-store prior to purchase, not running from within OS X, and the certification likewise indicated within the store somewhere.

    You can't protect users from everything, but you can minimize security issues with proper, non-intrusive warnings. Those that want apps that aren't in the app store will get them the old fashioned way anyway, so what I'm proposing seems like an improvement to all of this.


    Apps distributed via the App Store are already vetted and checked.

    Apps that aren't distributed via the App Store require a personally accountable vendor by default (since an ID for code signing requires legitimate registration with Apple).

    What scenarios would additional warnings prior to purchasing apply to?

    I'm not grokking your point, I'm afraid.

  1. besson3c

    Clinically Insane

    Joined: 03-03-01

    Originally Posted by Spheric Harlot



    Sorry. :)
    Apps distributed via the App Store are already vetted and checked.
    Apps that aren't distributed via the App Store require a personally accountable vendor by default (since an ID for code signing requires legitimate registration with Apple).
    What scenarios would additional warnings prior to purchasing apply to?
    I'm not grokking your point, I'm afraid.


    Apps that aren't distributed by the app store require an ID for code signing for Gatekeeper, right? What is the eligibility here? Will Apple sign code that installs and starts kernel modules?

  1. Spheric Harlot

    Clinically Insane

    Joined: 11-07-99

    Originally Posted by besson3c

    Apps that aren't distributed by the app store require an ID for code signing for Gatekeeper, right? What is the eligibility here? Will Apple sign code that installs and starts kernel modules?



    The developer signs that code.

    But the developer has to register with Apple to receive that ID, and is personally held responsible for any shenanigans that his software might cause.

    So theoretically, a registered developer could sign malware, but it would be pretty stupid to knowingly include anything nefarious, since his identity is known and verified.

  1. besson3c

    Clinically Insane

    Joined: 03-03-01

    Originally Posted by Spheric Harlot



    The developer signs that code.
    But the developer has to register with Apple to receive that ID, and is personally held responsible for any shenanigans that his software might cause.
    So theoretically, a registered developer could sign malware, but it would be pretty stupid to knowingly include anything nefarious, since his identity is known and verified.


    So what would it take for Apple to accept signed apps into their store that do useful things that will not, and will likely never work sandboxed? I really like the idea of the Mac app store, but I'm afraid on the Mac side of things it is destined to limited success.

    On the iOS side users are programmed to scavenge through the app store to find stuff, it is the only place they can find stuff, this whole experience has sort of an addictive quality to it, it is simple, easy, etc.

    On the Mac side not only are there many apps not available through the store, but there are a ton of things that the store won't do that developers want/need: product demos, discounted upgrades, etc. The whole simplicity of "just go to the app store" is lost on the Mac side with this sort of fragmentation. New Mac users have to be told that there are many apps they won't be able to find there. Security conscious Mac users have to be told that there is risk of running apps not in the app store, even though there are many apps they'll likely want outside of the app store.

    It is understandable to expect that it will take some amount of time to make apps available in the app store, but given that there is a fairly significant range of apps that will probably never make it there until Apple changes their tune, this seems like a fragmented mess to me.

    So, to Zanziboy's response voting for the sandboxing approach, this is not an ideological thing; this approach is unfortunately limited.

  1. Spheric Harlot

    Clinically Insane

    Joined: 11-07-99

    The primary advantage of The Mac over iOS will probably always be that it is an architecture more open to different sources of software.

    Users ARE warned when trying to run unsigned software; by default, it will not launch at all.

    If code has been signed, the security risks are minimal IMO due to the personal accountability of the developer.

    So the difference between Mac App Store and non-Mac App Store boils down to whether the software will be able to affect your system.

    The lack of demos/discounted upgrades is the same situation on iOS, and is solved through free apps with in-app purchases or "lite" versions for the former, and new pricing models for the latter. Logic Pro has moved exclusively to the App Store and now costs LESS as a full version than the upgrade alone cost before. I'm willing to bet that sales have doubled, if not tripled, as a result.

    Also, you vastly overestimate the need for anything beyond the App Store’s limitations. Most users will never need to leave the fully curated sandbox. Long-term, this also means that most users will never need a Mac, of course, since iOS will grow to fill their needs.

  1. besson3c

    Clinically Insane

    Joined: 03-03-01

    Originally Posted by Spheric Harlot


    The primary advantage of The Mac over iOS will probably always be that it is an architecture more open to different sources of software.
    Users ARE warned when trying to run unsigned software; by default, it will not launch at all.
    If code has been signed, the security risks are minimal IMO due to the personal accountability of the developer.
    So the difference between Mac App Store and non-Mac App Store boils down to whether the software will be able to affect your system.
    The lack of demos/discounted upgrades is the same situation on iOS, and is solved through free apps with in-app purchases or "lite" versions for the former, and new pricing models for the latter. Logic Pro has moved exclusively to the App Store and now costs LESS as a full version than the upgrade alone cost before. I'm willing to bet that sales have doubled, if not tripled, as a result.
    Also, you vastly overestimate the need for anything beyond the App Store’s limitations. Most users will never need to leave the fully curated sandbox. Long-term, this also means that most users will never need a Mac, of course, since iOS will grow to fill their needs.


    What about Notification Center support, isn't the sandboxing approach required for that?

    For discounts and promotions and stuff, handling them with in-app purchases, can these purchases purchase some sort of hidden Mac App store app or something so that users can get upgrades from that point onwards via the app store?

    I'm not sure if I vastly overestimate the limitations or not, but I'm starting to compile a mental list of apps that will never make the app store for technical reasons:

    - anything that requires a kernel module, e.g. all VM hypervisors
    - possibly a number of VPN clients
    - anything that provides integrations with other apps
    - anything that uses external dependencies

    These applicable titles might be insignificant enough in the grand scheme for Apple to not bother, but why would you say that Mac App Store adoption hasn't been through the roof?

  1. Spheric Harlot

    Clinically Insane

    Joined: 11-07-99

    Do you have numbers?

  1. besson3c

    Clinically Insane

    Joined: 03-03-01

    Originally Posted by Spheric Harlot



    Do you have numbers?


    I doubt Apple would release anything, but how many of your apps are not in the store? Most of the apps in my dock right now aren't:

    - iTerm
    - Chrome
    - Firefox
    - Adium
    - Postbox
    - a VPN connect app
    - Github
    - Virtualbox
    - XQuartz (made by Apple)
    - Microsoft Remote Desktop
    - Spotify
    - Photoshop
    - Microsoft Excel
    - Microsoft Word
    - Textmate
    - VLC
    - Skype


    To the best of my knowledge, adoption rates are relatively low.

  1. Zanziboy

    Forum Regular

    Joined: 08-27-08

    App Store adoption rates will increase with each iteration of the operating system. Smaller developers do not desire to have to implement their own portals to distribute their wares. The next generation of software will be developed by smaller developers. The apps will begin to grow within the store until it is the "normal" place to buy apps.

    The MacOS needs to be implemented for novice to advanced users. Therefore, novice users need to feel safe using the Mac without the fear of downloading a trojan. Advanced users will always be able to download apps which need to be installed from 3rd party sites. Sandboxing feasibility (or not), the model with the most security is for all apps to be downloaded from the App Store or from certified 3rd parties using certificates.

  1. besson3c

    Clinically Insane

    Joined: 03-03-01

    Originally Posted by Zanziboy


    App Store adoption rates will increase with each iteration of the operating system. Smaller developers do not desire to have to implement their own portals to distribute their wares. The next generation of software will be developed by smaller developers. The apps will begin to grow within the store until it is the "normal" place to buy apps.
    The MacOS needs to be implemented for novice to advanced users. Therefore, novice users need to feel safe using the Mac without the fear of downloading a trojan. Advanced users will always be able to download apps which need to be installed from 3rd party sites. Sandboxing feasibility (or not), the model with the most security is for all apps to be downloaded from the App Store or from certified 3rd parties using certificates.


    I agree, but I also think that its success and training users to understand that stuff they download through the app store is safe depends on its adoption, and if there are apps that will never ever make the app store due to what they are designed to do, this might be somewhat of a bottleneck, no?

    I'm also not sure about your statement about the next generation of software being developed by smaller developers. I think this is true for where there are opportunities and niches to be filled, but unfortunately I don't see Microsoft Office going away as long as what it does is useful to people. MS Office would be a fairly significant piece to add to the app store (as well as Adobe CS).
