Symantec had previously reported about new malware that appeared on Macs called “OSX.Crisis” and it arrives on a user’s computer through a JAR executable that is launched by the end user. However it has now appeared to spread on other platforms – Windows and Windows Mobile. The appropriate executable will be used depending on whether the malware is running on Windows or running on Mac OS X. The Windows malware is referred to as “W32.Crisis”.
The malware itself, as reported by Symantec, is spread in three different ways. Because a Java executables are cross-platform, they can be run on both the Windows and Mac OS X platform. The executable file used by the JAR file is naturally determined by the operating system the malware is running on. For Mac OS X, this is a Mach-O executable file and for Windows computers, this is a PE executable file. The Windows variant also appears to be able to mount VMware Virtual Machine images (for machines that have VMware installed) and secretly copies itself onto the mounted image using a VMware Player tool. Symantec makes it clear that this is not as a result of a vulnerability with VMware software itself. Instead, the malware “takes advantage of an attribute of all virtualization software: namely that the virtual machine is simply a file or series of files on the disk of the host machine. These files can usually be directly manipulated or mounted, even when the virtual machine is not running.”
Symantec states that this may be the first malware case “that attempts to spread onto a virtual machine” as many threats will terminate themselves when they find a Virtual Machine monitoring program, such as VMware, “to avoid being analysed.”
Interestingly, the malware can also spread onto Windows Mobile devices because the malware is also able to drop modules onto phones running Windows Mobile connected to computers that have been compromised by the malware. Symantec has stated that, in respect to the malware being able to drop a module onto Windows Mobile devices, “[the malware] uses the Remote Application Programming Interface (RAPI), it only affects Windows Mobile devices and not Android or iPhone devices.” Symantec does not currently have copies of the modules to analyse them further.
If you’re concerned, don’t worry: simply make sure your antivirus software has the very latest virus definitions. For Symantec users, Norton’s antivirus products classify the JAR executable as Trojan.Maljava and the Windows executable variant as “Win32.Crisis” and the OS X executable variant as “OSX.Crisis”. It further amplifies the importance of remembering that literally any platform can be susceptible to malware; Mac OS X included.