updated 11:29 pm EDT, Wed August 22, 2012
Windows Mobile devices possible vector of Java-based infection
Researchers from Kaspersky Lab have released a description of a new malware delivery platform capable of spreading itself and its payload to Windows, Mac OS X, VMWare virtual machines, and Windows Mobile devices. The "Crisis" trojan is capable of intercepting emails and instant messages, with a module to keep track of websites visited by the infected computer.
The application masquerades as a Java Flash installer and persuades the user to install it through social engineering. Once executed, the trojan detects the operating system, and executes the appropriate installer through a JAR file embedded in the malware. Originally, the malware was thought to be OS X specific, but further research by Symantec have discovered it can copy itself and create a autorun file to a removable disk drive or a VMware virtual machine.
Symantec claims that the VMWare images aren't infected through software exploitation; instead, the Crisis package infects the virtual machine disk image just like any other file, and doesn't require the contained virtual machine to be running. Researcher Takashi Katsuki, in the analysis on the Symantec security blog says that "Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMWare, to avoid being analyzed, so this may be the next leap forward for malware authors."
Windows Mobile devices are also threatened by Crisis, and in turn, infect computers that the device comes in contact with during the synchronization process. Android and the iOS are not susceptible to that line of attack, as Crisis uses the incompatible Remote Application Programming Interface to propagate.
Anti-malware software detects the JAR file payload as Trojan.Maljava, the OS X executable as OSX.Crisis, and the Windows threat as W32.Crisis. Mac security firm Intego postulates that Crisis has its genesis in a trojan licensed to law enforcement and other investigative authorities for surveillance uses. At this time, Symantec believes less than 60 devices have been infected by this trojan.