
OSX.crisis has security vendors rubbing hands in glee

The days of Mac users sneering at the insecurity of their Windows counterparts are rapidly coming to an end.

With global market share for OS-X estimated at a little over 10% (and growing), it has grabbed more than the attention of hipsters, graphic designers and terminally cool people on television. That’s because the underground malware industry appears to be stepping up efforts to target Apple machines; more than that, proving that nothing is sacred, malware also appears to be sneaking into previously unmolested virtual machines, creating more headaches for sysadmins and more opportunity for security software vendors.

All this comes along with news that Symantec has reported a new Mac malware, dubbed OSX.Crisis. It is likely not a crisis for Symantec, which, like other security vendors, earns much of its crust from the venerable efforts of malware writers; OSX.Crisis is a multiplatform malcontent.

That’s right, it evidently has the ability to not only worm your Apple, but break your Windows and inveigle its way onto your virtual machines, too. Somewhat perplexingly, it even affects Windows Phone devices.

Peter Sparkes, director of Managed Security Services at Symantec confirms that the growing popularity of OSX makes it an increasingly viable target for cybercrims.

“We’ve seen a number of threats come to OSX; that’s a reflection of the increase in user numbers,” he says.

This logic extends to virtual machines.

“[The nature of new attacks] reflects how people are using the various systems available; this is an advanced method of attack.”

Just why Windows Phone is part of that is as perplexing for Sparkes as it is for us, given the platform’s obscurity, though he does venture that OSX.Crisis may be something of a ‘test run’. It looks like at least some naughty coders have faith in Microsoft’s mobile strategy.

As to why virtual machines haven’t yet come under fire, Sparkes says most malware simply terminated when it hit a VM, to avoid analysis.

“It’s just the way it’s worked in the past; this one is designed to spread,” he notes.

The million dollar question (actually a lot more, Symantec enjoyed revenues of over US$6-billion in 2011) is ‘who is behind all this good old malware’?

“It’s a whole underground economy and network, often linked with organised crime,” says Sparkes; while this industry employs methods, people and facilities like legitimate companies, he adds that a lot of its products aren’t terribly impressive.

“It’s ‘smash and grab’ stuff, typically not written particularly well, but designed to get money. However, this one is more advanced and indicates a shift in approach.”

More on OSX.Crisis:

• Infects four different environments: Mac, Windows, virtual machines, and Windows Mobile.
• Uses three methods to spread:
  • Copies itself and an autorun.inf file to a removable disk drive.
  • Sneaks onto VMware virtual machines.
  • Drops modules onto a Windows Mobile device.

In virtual environments, the threat searches for a VMware image, mounts it, and copies itself into it using a VMware Player tool.

Symantec says OSX.Crisis may be the first malware that attempts to spread onto a virtual machine.