Crisis, a previously detected trojan, has turned out to be much more sophisticated malware than originally described.
Instead of just infecting Macs, Crisis also infects Windows PCs as well as Windows Mobile devices and, for the first time, a VMware virtual machine. Security researchers originally believed that the malware was limited to simply monitoring the applications Adium, Firefox, Skype and MSN Messenger.
Crisis is distributed via social engineering and tricks a user into running a Java applet Flash installer. The malware then identifies the operating system and uses the respective executable file. The trojan is carried in a JAR (Java ARchive) file, which is based on the ZIP format and usually includes Java class files, metadata and resources in one file to distribute a Java application or Java libraries.
What makes Crisis interesting is that it appears to be specifically looking for virtualized environments and is therefore believed to be the first malware to spread onto a virtual machine. "The threat uses three methods to spread itself: One is to copy itself and an autorun.inf file to a removable disk drive, another is to sneak onto a VMware virtual machine, and the final method is to drop modules onto a Windows Mobile device," Symantec wrote on its blog.
In the case of the virtualized scenario, "the threat searches for a VMware virtual machine image on the compromised computer and, if it finds an image, it mounts the image and then copies itself onto the image by using a VMware Player tool." Symantec stressed that Crisis does not take advantage of a vulnerability in VMware, but exploits a characteristic of virtualization in general and the fact that "the virtual machine is simply a file or series of files on the disk of the host machine."
It runs on Crysis.
Excellent question... I expect we'll here more about this in a couple months (after it does some real damage). Just cuz they found one variant doesn't mean the threat is over... Just means they've identified one new family of threats to keep an eye one.
So you keep most of your machines from the net because things are "distributed via social engineering and tricks a user into running a Java applet Flash installer."? I take it you don't have a phone either because someone keeps tricking you into sending money to a prince in india? You can turn off windows updates btw. Though you should keep installing the security patches.
Did you read the article?
"Crisis is distributed via social engineering and tricks a user into running a Java applet Flash installer."
Java is a security risk, and Flash is even worse. It's not a matter of "hating Java", it's a matter of caring about security when you connect to the internet.
And so are the new breeds of malware...
Now, don't put java and flash in the same bracket.
Many people seems to confuse java with javascript, which are two completely separate things.
For example, when it is said that the chrome browser is really fast for java, it is really implicated to mean that it is fast for javascript, not Java the language.
Most security risks come from javascript, the java language isn't nearly as common as javascript on the web.
And the so often nagging "update java" from oracle that have you update java manually has nothing to do with the javascript that many people really think is java.
And in this exploit there is a third thing, java-applet, which is based on java the language, not javascript.
Somebody else talked about using "noscript" to block java. I don't use noscript, but isn't that blocking javascript and not java? Or is it blocking both?
I did not, thank you for the answer.
That said I hate all the Java & Flash exploits.