Symantec has reported a new malware for Mac called OSX.Crisis.
This malware works by arriving on the compromised computer by a JAR file that contains two executable files for both Mac and Windows. It then checks that particular computer’s OS and drops the suitable executable file. Both executable files then open a back door on that computer.
Symantec has discovered two special functions in the Windows version of the threat that they detect as W32.Crisis. The threat uses three methods to spread itself: one is to copy itself and an autorun.inf file to a removable disk drive, another is to sneak onto a VMware virtual machine, and the final method is to drop modules onto a Windows Mobile device. The threat then searches for a VMware virtual machine image on the compromised computer and, if it finds an image, it mounts the image and then copies itself onto the image by using a VMware Player tool.
This may be the first malware that attempts to spread onto a virtual machine and the next leap forward for malware authors. Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed. The malware has functionality to spread to four different environments: Mac, Windows, virtual machines, and Windows Mobile. It is an advanced threat not only in function, but also in the way it spreads.
For more details, you can read Symantec’s Security Response blog post here. Symantec is recommending customers to use Intrusion Prevention System or network threat protection to stop threats such as this from infiltrating a machine. Users are also advised to update their virus definitions.