New SuperMalware

6 replies to this topic

#1 589661

589661

  • Members
  • 185 posts
  • Gender:Male
  • Location:Toms River, NJ

Posted 22 August 2012 - 01:08 PM

This morning I read about a new piece of malware that infects both OSX and Windows, as well as virtual machines.

"Security researchers have discovered a single piece of malware that is capable of spreading to four different platform environments, including Windows, Mac OSX, VMware virtual machines, and Windows Mobile devices. "

Supposedly it is called the Crisis Malware and it uses social engineering to get people to download it in the form of a JAR file.

Has anyone had a run-in with this one yet? Any tips or tricks for the removal of this one?


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,416 posts
  • Gender:Female
  • Location:Romania

Posted 22 August 2012 - 02:22 PM

I haven't heard about it, but before believing its claim I'd want to see it for myself. Do you have a link to the source of this news?

In order to be multi-platform compatible you'll need completely different droppers/installation methods. Malware can only be multiplatform compatible if it has a version for each OS variant, which technically is possible but practically isn't very profitable.

As for VM-compatible, I'm glad most malware is, it makes researching malware so much easier. :)

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 589661

589661
  • Topic Starter

  • Members
  • 185 posts
  • Gender:Male
  • Location:Toms River, NJ

Posted 22 August 2012 - 04:36 PM

http://news.cnet.com/8301-1009_3-57497852-83/crisis-malware-targets-vmware-virtual-machines/

'Crisis' malware targets VMware virtual machines

Security researchers have discovered a single piece of malware that is capable of spreading to four different platform environments, including Windows, Mac OSX, VMware virtual machines, and Windows Mobile devices.

First uncovered last month by security company Intego, Crisis was originally described as a Mac Trojan capable of intercepting e-mails and instant messages and tracking Web sites visited. Additional scrutiny by Symantec has found that the malware targets both OSX and Windows users with executable files for both operating systems.

Crisis is distributed using social engineering techniques designed to trick users into installing a JAR, or Java archive, file masquerading as an Adobe Flash installer. The malware then identifies the computer's OS and installs the corresponding executable (see diagram below).

(Credit: Symantec)

"This may be the first malware that attempts to spread onto a virtual machine," Takashi Katsuki, a researcher with antivirus provider Symantec, wrote in a blog post Monday. "Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed, so this may be the next leap forward for malware authors."

Crisis spreads by searching for a VMware virtual machine image on the compromised computer. When it finds such an image, the malware copies itself onto the image using the VMware Player tool, which allows multiple operating systems to run on the same computer.

"It does not use a vulnerability in the VMware software itself," Katsuki wrote. "It takes advantage of an attribute of all virtualization software: namely that the virtual machine is simply a file or series of files on the disk of the host machine. These files can usually be directly manipulated or mounted, even when the virtual machine is not running."

The Windows version of Crisis can also spread to Windows Mobile devices connected to compromised computers by installing a module on the device. However, because it uses the Remote Application Programming Interface, it does not affect Android or iOS devices.

"We currently do not have copies of these modules and hence we are looking for them so we can analyze them in greater detail," Katsuki wrote.

Symantec said the malware has infected fewer than 50 machines.
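The article above makes two host-side points a defender can act on: the dropper is a Java archive named to look like a Flash installer, and a guest's disk is just a set of files on the host that can be altered while the guest is powered off. The Python below is an added example written for this thread, not code from Symantec, CNET or any poster. The VMware file extensions are real; the directory layout, the "running" set of guests and the sample bytes are constructed assumptions for the demo.

```python
"""Two defensive checks (added example): (1) flag a file named like an
installer whose bytes are actually a ZIP/JAR, and (2) keep a SHA-256 baseline
of VMware files on the host and report those that changed while their guest
was not running.  All paths and sample bytes are constructed for the demo."""
import hashlib
import os
import tempfile

# Extensions VMware uses for a guest's on-disk state (real VMware extensions).
VM_EXTENSIONS = {".vmdk", ".vmx", ".vmsd", ".vmxf", ".nvram", ".vmsn", ".vmem"}

ZIP_MAGIC = b"PK\x03\x04"   # every JAR is a ZIP archive
MZ_MAGIC = b"MZ"            # Windows PE executable
MACHO_MAGICS = {            # 32/64-bit Mach-O, both byte orders
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",
}


def classify_by_magic(data: bytes) -> str:
    """Coarse file type from the leading bytes, ignoring the file name."""
    if data.startswith(ZIP_MAGIC):
        return "zip/jar"
    if data.startswith(MZ_MAGIC):
        return "pe"
    if data[:4] in MACHO_MAGICS:
        return "mach-o"
    return "unknown"


def installer_name_mismatch(name: str, data: bytes) -> bool:
    """True when a file named like a (Flash) installer is really a ZIP/JAR.
    A genuine installer is a PE or Mach-O binary, not a Java archive."""
    lowered = name.lower()
    looks_like_installer = "install" in lowered or "flash" in lowered
    return looks_like_installer and classify_by_magic(data) == "zip/jar"


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline_vm_files(root: str) -> dict:
    """Map every VMware-related file under root (relative path) to its SHA-256."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() in VM_EXTENSIONS:
                p = os.path.join(dirpath, fn)
                result[os.path.relpath(p, root)] = sha256_file(p)
    return result


def changed_while_idle(old: dict, new: dict, running: set) -> list:
    """Files that changed or appeared, excluding guests that were powered on.
    `running` holds the top-level directory names of guests that were on; their
    disks legitimately change.  A powered-off guest's files should be static,
    so any change there is worth an alert."""
    suspicious = []
    for rel, digest in new.items():
        if rel.split(os.sep)[0] in running:
            continue
        if old.get(rel) != digest:
            suspicious.append(rel)
    return sorted(suspicious)


def demo() -> list:
    """Constructed scenario: two guests, guest-a running, guest-b powered off.
    Both disks are modified; only guest-b's change should be reported."""
    with tempfile.TemporaryDirectory() as root:
        for vm in ("guest-a", "guest-b"):
            os.mkdir(os.path.join(root, vm))
            with open(os.path.join(root, vm, vm + ".vmdk"), "wb") as f:
                f.write(b"KDMV" + b"\x00" * 64)  # placeholder bytes, not a real disk
        before = baseline_vm_files(root)
        for vm in ("guest-a", "guest-b"):
            with open(os.path.join(root, vm, vm + ".vmdk"), "ab") as f:
                f.write(b"extra")
        after = baseline_vm_files(root)
        return changed_while_idle(before, after, running={"guest-a"})


if __name__ == "__main__":
    print(installer_name_mismatch("FlashPlayer_Installer.jar", b"PK\x03\x04\x00"))
    print(demo())
```

In practice the baseline would be stored off-host and the "running" set taken from the hypervisor rather than hard-coded; the point is that guest files changing while the guest is off is the observable the article describes, and a plain hash comparison on the host catches it.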

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 August 2012 - 10:16 PM

Another news article on this.. Crisis Trojan

When it was first discovered last month, researchers indicated the Crisis Trojan was a unique piece of malware in the way it can infiltrate both Windows- and Mac-based systems. It turns out that was only the beginning.

Symantec Corp. researchers said they have now discovered the Windows version of the Crisis Trojan can spread to Windows Mobile devices and VMware virtual machines. It's believed to be the first such instance of malware that can spread to a virtual machine in this way, indicating a possible new advance for malware writers.


#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,416 posts
  • Gender:Female
  • Location:Romania

Posted 23 August 2012 - 01:57 AM

Thanks for the links!
I haven't seen it yet in the wild, but from what I read the most dangerous thing is the fact that it can spread from computer to mobile device. Today many have both and use them together and if this sort of malware becomes popular it may account for a large number of infected users.

As for the VM spreading, that seems a bit pointless; when I test malware I do that on VM, not on the host running VMware. I would even go as far as saying that often a computer that has VM software running, belongs to a user who will know how to avoid getting infected. The other way around would make more sense (infect host from guest OS), however that would require a software vulnerability (or badly configured sharing options between guest and host) to work with.

regards, Elise


#6 Romeo29

Romeo29

    Learning To Bleep


  • Members
  • 3,194 posts
  • Gender:Not Telling
  • Location:127.0.0.1

Posted 03 September 2012 - 09:05 PM

It has infected fewer than 50 machines? It doesn't look like malware but more like a hacking tool.

#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,416 posts
  • Gender:Female
  • Location:Romania

Posted 04 September 2012 - 01:00 AM

I haven't seen it either. While it has the potential to do a lot of harm, it is quite possible that it is indeed a targeted tool and not "mass production" (this simply to avoid detection).

regards, Elise
