
Cross-platform 'Crisis' malware hits Windows, OS X, VMWare
NewsPoster
MacNN Staff
Join Date: Jul 2012
Status: Offline
Aug 22, 2012, 07:41 PM
 
Researchers from Kaspersky Lab have released a description of a new malware delivery platform capable of spreading itself and its payload to Windows, Mac OS X, VMware virtual machines, and Windows Mobile devices. The "Crisis" trojan is capable of intercepting emails and instant messages, with a module to keep track of websites visited by the infected computer.

The application masquerades as a Java Flash installer and persuades the user to install it through social engineering. Once executed, the trojan detects the operating system and executes the appropriate installer through a JAR file embedded in the malware. Originally, the malware was thought to be OS X specific, but further research by Symantec has discovered it can copy itself and create an autorun file on a removable disk drive or a VMware virtual machine. Symantec claims that the VMware images aren't infected through software exploitation; instead, the Crisis package infects the virtual machine disk image just like any other file, and doesn't require the contained virtual machine to be running. Researcher Takashi Katsuki, in the analysis on the Symantec security blog, says that "Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMWare, to avoid being analyzed, so this may be the next leap forward for malware authors."

Windows Mobile devices are also threatened by Crisis, and can in turn infect computers that the device comes in contact with during the synchronization process. Android and iOS are not susceptible to that line of attack, as Crisis uses the incompatible Remote Application Programming Interface to propagate. Anti-malware software detects the JAR file payload as Trojan.Maljava, the OS X executable as OSX.Crisis, and the Windows threat as W32.Crisis.

Mac security firm Intego postulates that Crisis has its genesis in a trojan licensed to law enforcement and other investigative authorities for surveillance uses. At this time, Symantec believes fewer than 60 devices have been infected by this trojan.
     
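The dropper pattern the news post describes (a JAR that checks the host OS and unpacks the matching native installer) is something a practitioner should be able to triage by hand. What follows is an added example, not code from the MacNN post, Kaspersky or Symantec: it builds a constructed JAR in memory with invented entry names and stub payload headers, then classifies every entry by its leading bytes and flags native Windows and OS X executables packed inside a Java archive. The caveat worth knowing is that 0xCAFEBABE is both the Java class-file magic and the Mach-O fat-binary magic; the code separates them by the 32-bit word that follows, the same heuristic libmagic uses.

```python
"""Triage a JAR dropper that embeds per-platform native payloads.

Added example; not code from the MacNN post, Kaspersky or Symantec.
The JAR built below is constructed for the demo: entry names are invented
and the payloads are stub headers, not real executables.
"""
import io
import struct
import zipfile

PE_MAGIC = b"MZ"
ELF_MAGIC = b"\x7fELF"
CAFEBABE = b"\xca\xfe\xba\xbe"   # Java class file AND Mach-O fat binary
MACHO_THIN = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit big-endian",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit little-endian",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit big-endian",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit little-endian",
}
NATIVE_PREFIXES = ("PE ", "Mach-O", "ELF")


def classify(head: bytes) -> str:
    """Coarse file type from the first 8 bytes of an archive entry."""
    if head[:2] == PE_MAGIC:
        return "PE executable (Windows)"
    if head[:4] in MACHO_THIN:
        return MACHO_THIN[head[:4]]
    if head[:4] == ELF_MAGIC:
        return "ELF executable"
    if head[:4] == CAFEBABE and len(head) >= 8:
        # Same magic, different second word (big-endian in both formats):
        #   fat Mach-O : nfat_arch, a small architecture count
        #   Java class : minor<<16 | major, and major >= 45 since JDK 1.0
        # libmagic draws the line at 0x14, and so do we.
        word = struct.unpack(">I", head[4:8])[0]
        return "Mach-O fat binary" if word < 0x14 else "Java class file"
    return "other"


def scan_jar(jar_bytes: bytes) -> dict:
    """Map every file entry in the JAR (a zip) to its classification."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                report[info.filename] = classify(fh.read(8))
    return report


def native_payloads(report: dict) -> list:
    """Entries that are native executables, i.e. not something a JAR needs."""
    return sorted(name for name, kind in report.items()
                  if kind.startswith(NATIVE_PREFIXES))


def build_sample_jar() -> bytes:
    """Constructed sample: one class file plus three native stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nMain-Class: Launcher\n")
        # class file: CAFEBABE, minor 0, major 50 (Java 6)
        zf.writestr("Launcher.class",
                    CAFEBABE + struct.pack(">HH", 0, 50) + b"\x00" * 24)
        zf.writestr("payload_win", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("payload_osx", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
        # fat header: CAFEBABE, nfat_arch = 2 (say, i386 + x86_64)
        zf.writestr("payload_fat",
                    CAFEBABE + struct.pack(">I", 2) + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    rep = scan_jar(build_sample_jar())
    for name, kind in sorted(rep.items()):
        print(f"{name:24} {kind}")
    print("native payloads:", native_payloads(rep))
```

Against a real file, call scan_jar(open(path, "rb").read()); anything native_payloads() returns deserves a closer look. A clean report is not a clean bill of health, though: a dropper can just as well fetch its stage from the network instead of carrying it.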
Zanziboy
Forum Regular
Join Date: Aug 2008
Status: Offline
Aug 22, 2012, 08:43 PM
 
Another vote for sandboxing and the App Store!
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Aug 22, 2012, 10:51 PM
 
Originally Posted by Zanziboy:
Another vote for sandboxing and the App Store!
Except, speaking of VMWare, tools like VMWare wouldn't even be possible App Store apps.


Apple needs to come up with some sort of middle ground, perhaps simply some level of certification for app store apps, proper warnings and caveats for other apps, and recognizing and acknowledging the limitations of the sandboxing requirement.
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status: Offline
Aug 22, 2012, 11:44 PM
 
Besson: I agree. Maybe they should copy Gatekeeper. That seems to be exactly what you're asking for.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Aug 23, 2012, 01:36 AM
 
Originally Posted by Spheric Harlot:
Besson: I agree. Maybe they should copy Gatekeeper. That seems to be exactly what you're asking for.
No, not at all, but thanks for the snide remark.

I'm talking about app store eligibility, the warnings that I was referring to would be in app-store prior to purchase, not running from within OS X, and the certification likewise indicated within the store somewhere.

You can't protect users from everything, but you can minimize security issues with proper, non-intrusive warnings. Those that want apps that aren't in the app store will get them the old fashioned way anyway, so what I'm proposing seems like an improvement to all of this.
     
prl99
Senior User
Join Date: Mar 2009
Location: pacific northwest
Status: Offline
Aug 23, 2012, 07:28 AM
 
Without sounding too cynical, does anyone else find it interesting that Kaspersky seems to be the main anti-virus/anti-malware vendor finding all these Mac problems? Are they all coming from that part of the world Kaspersky calls home so they know about them before everyone else does? I'll stop there.
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status: Offline
Aug 23, 2012, 12:03 PM
 
Originally Posted by besson3c:
Originally Posted by Spheric Harlot:
Besson: I agree. Maybe they should copy Gatekeeper. That seems to be exactly what you're asking for.
No, not at all, but thanks for the snide remark.

Sorry.

Originally Posted by besson3c:
I'm talking about app store eligibility, the warnings that I was referring to would be in app-store prior to purchase, not running from within OS X, and the certification likewise indicated within the store somewhere.

You can't protect users from everything, but you can minimize security issues with proper, non-intrusive warnings. Those that want apps that aren't in the app store will get them the old fashioned way anyway, so what I'm proposing seems like an improvement to all of this.
Apps distributed via the App Store are already vetted and checked.

Apps that aren't distributed via the App Store require a personally accountable vendor by default (since an ID for code signing requires legitimate registration with Apple).

What scenarios would additional warnings prior to purchasing apply to?

I'm not grokking your point, I'm afraid.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Aug 23, 2012, 12:32 PM
 
Originally Posted by Spheric Harlot:

Sorry.
Apps distributed via the App Store are already vetted and checked.
Apps that aren't distributed via the App Store require a personally accountable vendor by default (since an ID for code signing requires legitimate registration with Apple).
What scenarios would additional warnings prior to purchasing apply to?
I'm not grokking your point, I'm afraid.
Apps that aren't distributed by the app store require an ID for code signing for Gatekeeper, right? What is the eligibility here? Will Apple sign code that installs and starts kernel modules?
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status: Offline
Aug 23, 2012, 01:23 PM
 
Originally Posted by besson3c:
Apps that aren't distributed by the app store require an ID for code signing for Gatekeeper, right? What is the eligibility here? Will Apple sign code that installs and starts kernel modules?
The developer signs that code.

But the developer has to register with Apple to receive that ID, and is personally held responsible for any shenanigans that his software might cause.

So theoretically, a registered developer could sign malware, but it would be pretty stupid to knowingly include anything nefarious, since his identity is known and verified.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Aug 23, 2012, 02:01 PM
 
Originally Posted by Spheric Harlot:

The developer signs that code.
But the developer has to register with Apple to receive that ID, and is personally held responsible for any shenanigans that his software might cause.
So theoretically, a registered developer could sign malware, but it would be pretty stupid to knowingly include anything nefarious, since his identity is known and verified.
So what would it take for Apple to accept signed apps into their store that do useful things that will not, and will likely never work sandboxed? I really like the idea of the Mac app store, but I'm afraid on the Mac side of things it is destined to limited success.

On the iOS side users are programmed to scavenge through the app store to find stuff; it is the only place they can find stuff, and this whole experience has sort of an addictive quality to it: it is simple, easy, etc.

On the Mac side not only are there many apps not available through the store, but there are a ton of things that the store won't do that developers want/need: product demos, discounted upgrades, etc. The whole simplicity of "just go to the app store" is lost on the Mac side with this sort of fragmentation. New Mac users have to be told that there are many apps they won't be able to find there. Security conscious Mac users have to be told that there is risk of running apps not in the app store, even though there are many apps they'll likely want outside of the app store.

It is understandable to expect that it will take some amount of time to make apps available in the app store, but given that there is a fairly significant range of apps that will probably never make it there until Apple changes their tune, this seems like a fragmented mess to me.

So, to Zanziboy's response voting for the sandboxing approach, this is not an ideological thing, this approach is unfortunately limited.
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status: Offline
Aug 23, 2012, 09:32 PM
 
The primary advantage of The Mac over iOS will probably always be that it is an architecture more open to different sources of software.

Users ARE warned when trying to run unsigned software; by default, it will not launch at all.

If code has been signed, the security risks are minimal IMO due to the personal accountability of the developer.

So the difference between Mac App Store and non-Mac App Store boils down to whether the software will be able to affect your system.

The lack of demos/discounted upgrades is the same situation on iOS, and is solved through free apps with in-app purchases or "lite" versions for the former, and new pricing models for the latter. Logic Pro has moved exclusively to the App Store and now costs LESS as a full version than the upgrade alone cost before. I'm willing to bet that sales have doubled, if not tripled, as a result.

Also, you vastly overestimate the need for anything beyond the App Store’s limitations. Most users will never need to leave the fully curated sandbox. Long-term, this also means that most users will never need a Mac, of course, since iOS will grow to fill their needs.
     
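The accountability argument in the post above rests on two things a Gatekeeper-era Mac actually records: the certificate chain that codesign prints, and the verdict that spctl gives. The following is an added example, not code from the thread or from Apple: it parses the output of the real commands codesign -dvvv App.app and spctl --assess --type execute -vv App.app (both write their report to stderr) and reduces them to a signing path and the Team ID that vouches for the binary. The sample outputs are constructed in the tools' real line format; the bundle names, identifiers and Team ID are invented.

```python
"""Who signed this app, and will Gatekeeper run it?

Added example; not code from the thread or from Apple. It parses the output
of two real macOS commands:
    codesign -dvvv App.app
    spctl --assess --type execute -vv App.app
Both write their report to stderr. The sample outputs below are constructed
in the tools' real line format; bundle names, identifiers and the Team ID
are invented.
"""
import re
import subprocess

CODESIGN_DEVID = """\
Executable=/Applications/Demo.app/Contents/MacOS/Demo
Identifier=com.example.demo
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=1234 flags=0x0(none) hashes=30+3 location=embedded
Signature size=8915
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Aug 20, 2012, 10:00:00 AM
Info.plist entries=20
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=12 files=40
Internal requirements count=1 size=180
"""
CODESIGN_ADHOC = """\
Executable=/tmp/Adhoc.app/Contents/MacOS/Adhoc
Identifier=adhoc-demo
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=300 flags=0x2(adhoc) hashes=5+3 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
"""
CODESIGN_UNSIGNED = "/tmp/Unsigned.app: code object is not signed at all\n"
SPCTL_ACCEPTED = ("/Applications/Demo.app: accepted\n"
                  "source=Developer ID\n"
                  "origin=Developer ID Application: Example Corp (ABCDE12345)\n")
SPCTL_REJECTED = "/tmp/Unsigned.app: rejected\nsource=no usable signature\n"


def parse_codesign(text: str) -> dict:
    """Pull identifier, authority chain and TeamIdentifier out of codesign -dvvv."""
    info = {"signed": True, "adhoc": False, "authorities": []}
    if "code object is not signed at all" in text:
        info["signed"] = False
        return info
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Authority":
            info["authorities"].append(value)      # leaf first, root last
        elif key == "Signature" and value == "adhoc":
            info["adhoc"] = True
        elif key in ("Identifier", "Format", "TeamIdentifier"):
            info[key] = value
    return info


def signing_path(info: dict) -> str:
    """Which distribution path the leaf certificate belongs to."""
    if not info["signed"]:
        return "unsigned"
    if info["adhoc"] or not info["authorities"]:
        return "ad-hoc (no certificate)"
    leaf, root = info["authorities"][0], info["authorities"][-1]
    if leaf.startswith("Apple Mac OS Application Signing"):
        return "Mac App Store"
    if leaf.startswith("Developer ID Application:"):
        return "Developer ID"
    if root == "Apple Root CA":
        return "Apple certificate, not a distribution identity"
    return "non-Apple certificate"


def accountable_team(info: dict):
    """Team ID that vouches for the binary, or None if nobody does."""
    tid = info.get("TeamIdentifier")
    if signing_path(info) in ("Developer ID", "Mac App Store") and tid and tid != "not set":
        return tid
    return None


def gatekeeper_verdict(spctl_text: str) -> tuple:
    """(accepted, source) from spctl --assess --type execute -vv."""
    lines = spctl_text.splitlines()
    accepted = bool(lines) and lines[0].rstrip().endswith(": accepted")
    m = re.search(r"^source=(.*)$", spctl_text, re.M)
    return accepted, (m.group(1).strip() if m else "")


def live_assessment(app_path: str) -> tuple:
    """Run the real tools on a Mac; both report on stderr."""
    cs = subprocess.run(["codesign", "-dvvv", app_path],
                        capture_output=True, text=True)
    sp = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", app_path],
                        capture_output=True, text=True)
    return parse_codesign(cs.stderr), gatekeeper_verdict(sp.stderr)


if __name__ == "__main__":
    for sample in (CODESIGN_DEVID, CODESIGN_ADHOC, CODESIGN_UNSIGNED):
        info = parse_codesign(sample)
        print(signing_path(info), "team:", accountable_team(info))
    print(gatekeeper_verdict(SPCTL_ACCEPTED), gatekeeper_verdict(SPCTL_REJECTED))
```

A Developer ID or Mac App Store path together with a Team ID is the identity the post is relying on. An ad-hoc signature satisfies codesign but names no one, so it buys none of that accountability, and an app that spctl rejects with "no usable signature" is exactly the case where the default policy refuses to launch.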
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Aug 23, 2012, 09:55 PM
 
Originally Posted by Spheric Harlot:
The primary advantage of The Mac over iOS will probably always be that it is an architecture more open to different sources of software.
Users ARE warned when trying to run unsigned software; by default, it will not launch at all.
If code has been signed, the security risks are minimal IMO due to the personal accountability of the developer.
So the difference between Mac App Store and non-Mac App Store boils down to whether the software will be able to affect your system.
The lack of demos/discounted upgrades is the same situation on iOS, and is solved through free apps with in-app purchases or "lite" versions for the former, and new pricing models for the latter. Logic Pro has moved exclusively to the App Store and now costs LESS as a full version than the upgrade alone cost before. I'm willing to bet that sales have doubled, if not tripled, as a result.
Also, you vastly overestimate the need for anything beyond the App Store’s limitations. Most users will never need to leave the fully curated sandbox. Long-term, this also means that most users will never need a Mac, of course, since iOS will grow to fill their needs.
What about Notification Center support, isn't the sandboxing approach required for that?

For discounts and promotions and stuff, handling them with in-app purchases, can these purchases purchase some sort of hidden Mac App store app or something so that users can get upgrades from that point onwards via the app store?

I'm not sure if I vastly overestimate the limitations or not, but I'm starting to compile a mental list of apps that will never make the app store for technical reasons:

- anything that requires a kernel module, e.g. all VM hypervisors
- possibly a number of VPN clients
- anything that provides integrations with other apps
- anything that uses external dependencies

These applicable titles might be insignificant enough in the grand scheme for Apple to not bother, but why would you say that Mac App Store adoption hasn't been through the roof?
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status: Offline
Aug 23, 2012, 11:06 PM
 
Do you have numbers?
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Aug 23, 2012, 11:54 PM
 
Originally Posted by Spheric Harlot:

Do you have numbers?
I doubt Apple would release anything, but how many of your apps are not in the store? Most of the apps in my dock right now aren't:

- iTerm
- Chrome
- Firefox
- Adium
- Postbox
- a VPN connect app
- Github
- Virtualbox
- XQuartz (made by Apple)
- Microsoft Remote Desktop
- Spotify
- Photoshop
- Microsoft Excel
- Microsoft Word
- Textmate
- VLC
- Skype


To the best of my knowledge, adoption rates are relatively low.
     
Zanziboy
Forum Regular
Join Date: Aug 2008
Status: Offline
Aug 24, 2012, 07:28 AM
 
App Store adoption rates will increase with each iteration of the operating system. Smaller developers do not desire to have to implement their own portals to distribute their wares. The next generation of software will be developed by smaller developers. The apps will begin to grow within the store until it is the "normal" place to buy apps.

The MacOS needs to be implemented for novice to advanced users. Therefore, novice users need to feel safe using the Mac without the fear of downloading a trojan. Advanced users will always be able to download apps which need to be installed from 3rd party sites. Sandboxing feasibility (or not), the model with the most security is for all apps to be downloaded from the App Store or from certified 3rd parties using certificates.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Aug 24, 2012, 12:17 PM
 
Originally Posted by Zanziboy:
App Store adoption rates will increase with each iteration of the operating system. Smaller developers do not desire to have to implement their own portals to distribute their wares. The next generation of software will be developed by smaller developers. The apps will begin to grow within the store until it is the "normal" place to buy apps.
The MacOS needs to be implemented for novice to advanced users. Therefore, novice users need to feel safe using the Mac without the fear of downloading a trojan. Advanced users will always be able to download apps which need to be installed from 3rd party sites. Sandboxing feasibility (or not), the model with the most security is for all apps to be downloaded from the App Store or from certified 3rd parties using certificates.
I agree, but I also think that its success and training users to understand that stuff they download through the app store is safe depends on its adoption, and if there are apps that will never ever make the app store due to what they are designed to do, this might be somewhat of a bottleneck, no?

I'm also not sure about your statement about the next generation of software being developed by smaller developers. I think this is true for where there are opportunities and niches to be filled, but unfortunately I don't see Microsoft Office going away as long as what it does is useful to people. MS Office would be a fairly significant piece to add to the app store (as well as Adobe CS).
     
All contents of these forums © 1995-2017 MacNN. All rights reserved.