SafeGroup

Za InfoWorldi Symantec
Laboratorium Symantec poinformowało, że odpowiednik na Windows odkrytej ok. miesiąc temu infekcji na Mac o nazwie Crisis ma możliwość infekowania maszyn wirtualnych VMware, urządzeń Windows Mobile i przenośnych napędów USB.

Cytat: Crisis is a computer Trojan program that targets Mac OS and Windows users. The malware was discovered by antivirus vendor Intego on July 24 and can record Skype conversations, capture traffic from instant messaging programs like Adium and Microsoft Messenger for Mac and track websites visited in Firefox or Safari.
Crisis is distributed via social engineering attacks that trick users into running a malicious Java applet. The applet identifies the user''s OS -- Windows or Mac OS X -- and executes the corresponding installer.

"The threat searches for a VMware virtual machine image on the compromised computer and, if it finds an image, it mounts the image and then copies itself onto the image by using a VMware Player tool," said Symantec researcher Takashi Katsuki in a blog post on Monday. [i] "This may be the first malware that attempts to spread onto a virtual machine."
[/i]
Security researchers from antivirus vendor Kaspersky Lab, whose products detect the Crisis malware as Morcut, have confirmed the existence of this functionality in the Trojan program.

Cytat: Symantec reported new malware for Mac last month that we called OSX.Crisis. Kaspersky then reported that it arrives on the compromised computer through a JAR file by using social engineering techniques.

The JAR file contains two executable files for both Mac and Windows. It checks the compromised computer’s OS and drops the suitable executable file. Both these executable files open a back door on the compromised computer. However, we found two special functions in the Windows version of the threat that Symantec detects as W32.Crisis.

[Aby zobaczyć linki, zarejestruj się tutaj]

Czyli co?...mamy przełom chyba i wygląda, że nawet maszyny wirtualne nie dają już pewności do samego końca...i jakby coraz mniej pola manewru na bezpieczne testowanie infekcji Wink

Źródło informacji na InfoWorld

[Aby zobaczyć linki, zarejestruj się tutaj]

Artykuł źródłowy na blogu Symanteca

[Aby zobaczyć linki, zarejestruj się tutaj]

ichito napisał(a):Czyli co?...mamy przełom chyba i wygląda, że nawet maszyny wirtualne nie dają już pewności do samego końca...i jakby coraz mniej pola manewru na bezpieczne testowanie infekcji

No ale czy to działa teżw drugą stronę (VM->Host) bo nic tam raczej o tym nie piszą.

Czekaj Marsellus...a to?

Cytat: Security researchers from antivirus vendor Kaspersky Lab, whose products detect the Crisis malware as Morcut, have confirmed the existence of this functionality in the Trojan program.

"This function allows Morcut to steal and intercept data from virtual machines including financial information used for online shopping," said Kaspersky Lab malware expert Sergey Golovanov via email on Tuesday.

Malware authors are putting significant efforts into making sure that new variants of their Trojan programs are not detected by antivirus products when they are released.

In response, some security conscious users are performing online banking, online shopping and other potentially sensitive activities from virtual machines. This allows them to use an OS installation that''s unlikely to be altered by malware every time they need to perform such tasks.

Many malware threats contain routines that prevent their own execution inside virtual machines. This is done in order to prevent analysis by security researchers, who commonly use virtualized environments to observe what malicious programs do.

Morcut doesn''t do this, Golovanov said. " [Its]aim is to get inside as many systems it can to steal the maximum amount of information. "

" This may be the next leap forward for malware authors, " Katsuki said.

Linux+VMware i na to wirtualnego windowsa Smile

Ale to jest cały czas o tym że może "wejść" w wirtualny system z rzeczywistego, a nie na odwrót Smile

No to i tak nie wejdzie, bo póki co działa jeśli hostem jest windows (PE executable).

Cytat: The threat searches for a VMware virtual machine image on the compromised computer and, if it finds an image, it mounts the image and then copies itself onto the image by using a VMware Player tool.
It does not use a vulnerability in the VMware software itself. It takes advantage of an attribute of all virtualization software: namely that the virtual machine is simply a file or series of files on the disk of the host machine. These files can usually be directly manipulated or mounted, even when the virtual machine is not running as is the case above.
(...)
Finally, Crisis malware has functionality to spread to four different environments: Mac, Windows, virtual machines, and Windows Mobile. It is an advanced threat not only in function, but also in the way it spreads.

Chodzi wg mnie o to, że przenikając do maszyny wirtualnej, która jest często wykorzystywana nie tylko jako środowisko testowe, stwarza realne zagrożenie dla użytkowników, którzy korzystali z maszyn do wykonywania operacji na swoich wrażliwych danych np. bankowość online, komunikatory, itp. Poza tym, jak podkreślają, jego funkcjonalność w różnych środowiskach jest raczej spektakularna i w pewnym sensie rola jako "prekursora" dla nowych rodzin malware.

MD5:

Kod:
9d381840254a1f0d19286721c85bdcbb

cd7e38ec91714899a44bf7f00fcd2213

7687938b9e54f8d2ea8f9932fd5df396

VT:
1.

[Aby zobaczyć linki, zarejestruj się tutaj]

ichito

marsellus

ichito

tommyklab

marsellus

tommyklab

ichito

Waves

Flash999