Feeds

Superworm Crisis eats Macs, VMware and - shock - Windows

Don't panic, don't panic - OK, panic! Panic!

Protecting against web application threats using SSL

Security watchers have discovered a virus strain that compromises VMware virtual machines as well as infecting Mac OS X and Windows computers and Windows Mobile devices. It demonstrates previously unseen capabilities in the process.

The Crisis malware typically arrives in a Java archive file (.jar) and is typically installed by posing as a Flash Player Java applet to trick a victim into opening it.

The archive contains executable files targeting Apple and Microsoft operating systems; the malware is able to detect which platform it is running on and serve up the correct variant.

Once launched, the worm puts in place a rootkit to hide itself from view; installs spyware to record the user's every move on the computer; and opens a backdoor to the IP address 176.58.100.37, allowing miscreants to gain further access to the machine, according to a write-up of the threat by Kaspersky Lab. The malicious code also, unsurprisingly, survives across reboots.

The Windows variant can kill off antivirus programs, log keypresses, download and upload files, take screengrabs, lift the contents of the user's clipboard, record from the computer's webcam and mic, and snoop on these applications: Firefox, Internet Explorer, Chrome, Microsoft Messenger, Skype, Google Talk and Yahoo! Messenger.

The Apple-targeting variant is more or less the same: it monitors Adium, Mozilla, Firefox, MSN Messenger (for Mac) and Skype, and records keystrokes. On Mac OS X, at least, the user does not need administrative privileges to install the software although its functionality is affected if the logged-in punter has insufficient rights: with admin-level access, the virus can slot in the rootkit, for instance.

Subsequent analysis of the malware by researchers at Symantec uncovered elaborate techniques in the Windows variants that allow it to spread onto virtual machines and Microsoft-powered smartphones.

Crisis uses three methods to spread itself from Windows desktops: it can copy itself and an autorun.inf file to a removable drive in order to infect the next machine the storage stick is plugged into; it can sneak onto virtual machines; and it can drop modules onto a Windows Mobile device.

The threat searches for VMware virtual machine images on a compromised Windows PC and attempts to copy itself onto the system using a VMware Player tool. It does not use a vulnerability in the VMware software, but rather relies on a feature that allows the virtual machine's files to be manipulated even when the virty system is not running.

Virtualisation technology is widely used by security vendors - it allows them to create a sandbox in which they can probe and toy with captured wild software nasties without (ideally) infecting their host workstations. As a result many strains of malware are programmed to stop running once they find themselves in a virtualised environment to avoid being examined.

OSX-Crisis seems to be a proof-of-concept code designed to probe virtualised environments for weaknesses, according to Symantec.

"This may be the first malware that attempts to spread onto a virtual machine. Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed, so this may be the next leap forward for malware authors," Symantec researcher Takashi Katsuki concludes.

Crisis also spreads from compromised Windows boxes by dropping modules onto Windows Mobile devices once they are connected to infected computers. The malware uses Microsoft's Remote Application Programming Interface (RAPI), so it only affects Windows Mobile devices and not Android or iPhone devices, neither of which support the technology.

A full write-up of the latest analysis on the potent malware can be found in a blog post by Symantec here. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.