
Intego has discovered a new Apple Mac Trojan called OSX/Crisis



A new Apple Mac Trojan called OSX/Crisis has been discovered by Intego, the Apple security specialist. This Trojan horse has not been found in the wild, but it exhibits some anti-analysis and stealthing techniques that are uncommon among OS X malware. The threat works on OS X versions 10.6 and 10.7 (Snow Leopard and Lion) and installs without the need for any user interaction; no password is required for it to run. VirusBarrier X6 protects users from this malware.


Bellevue, Washington - Intego Security Memo - A new Apple Mac Trojan called OSX/Crisis has been discovered by the Intego Virus Team.

Malware:
OSX/Crisis

Risk:
Low; this malware has not yet been found in the wild. It does install itself without user permission, and hides itself well if installed with root permission.

Description:
Intego has discovered a new Trojan horse, Crisis, which is a Trojan dropper. This Trojan horse has not been found in the wild, but it exhibits some anti-analysis and stealthing techniques that are uncommon among OS X malware.

This threat works only on OS X versions 10.6 and 10.7 (Snow Leopard and Lion). It installs without the need for any user interaction; no password is required for it to run. The Trojan preserves itself across reboots, so it will continue to run until it is removed. Depending on whether or not the dropper runs under a user account with root permissions, it installs different components. It remains to be seen if or how this threat is installed on a user's system; it may be that an installer component will try to obtain root permissions.

If the dropper runs on a system with root access, it will drop a rootkit to hide itself. In either case, it creates a number of files and folders to complete its task; 17 files when it's run with root access, 14 files when it's run without. Many of these are randomly named, but there are some that are consistent.

With or without root access, this file is installed:
* /Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r

Only with root access, these files are installed:
* /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server
* /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources/

The backdoor component calls home to the IP address 176.58.100.37 every 5 minutes, awaiting instructions. The file is built in a way intended to make it harder for reverse-engineering tools to analyze it. This sort of anti-analysis technique is common in Windows malware, but is relatively uncommon for OS X malware.
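The file and network indicators above, turned into a check a defender can run on a Mac or against a mounted disk image. This is an added example, not Intego's or VirusBarrier's code; it assumes only the paths and the call-home address the memo lists, and the script name crisis_check.sh is hypothetical:

```shell
#!/bin/sh
# Added example, not Intego's code: a defender's check for the OSX/Crisis
# indicators listed in this memo (indicator paths and C2 address as published).
# ROOT defaults to "/"; pass another prefix to scan a mounted image or test tree.

# File indicator from the memo (installed with or without root).
CRISIS_USER_INDICATOR='/Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r'
# File indicators from the memo (installed only when the dropper has root).
CRISIS_ROOT_INDICATORS='/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server
/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources'
# Backdoor call-home address from the memo.
CRISIS_C2_IP='176.58.100.37'

# check_crisis_files [ROOT]
# Prints every indicator present under ROOT and a one-line verdict.
# Returns 0 when nothing was found, 1 when at least one indicator exists.
check_crisis_files() {
    root="${1:-/}"; root="${root%/}"   # "/" becomes "" so "$root$path" stays absolute
    user_hit=0; root_hit=0
    if [ -e "$root$CRISIS_USER_INDICATOR" ]; then
        echo "FOUND: $root$CRISIS_USER_INDICATOR"; user_hit=1
    fi
    for path in $CRISIS_ROOT_INDICATORS; do   # paths contain no spaces, so word splitting is safe
        if [ -e "$root$path" ]; then
            echo "FOUND: $root$path"; root_hit=1
        fi
    done
    if [ "$root_hit" -eq 1 ]; then
        echo "VERDICT: OSX/Crisis installed with root access (rootkit component expected)"
    elif [ "$user_hit" -eq 1 ]; then
        echo "VERDICT: OSX/Crisis installed without root access"
    else
        echo "VERDICT: no OSX/Crisis file indicators under ${root:-/}"; return 0
    fi
    return 1
}

# check_crisis_c2 < connection-listing
# Reads `netstat -an` style output on stdin (macOS prints addresses as
# 176.58.100.37.443, so the address is followed by a dot) and prints any
# line naming the C2 address. Returns 1 if a line matched, 0 otherwise.
check_crisis_c2() {
    escaped=$(printf '%s' "$CRISIS_C2_IP" | sed 's/\./\\./g')
    ! grep -E "(^|[^0-9])${escaped}([^0-9]|$)"
}

# Stand-alone use: `sh crisis_check.sh --scan [ROOT]` scans files and live connections.
case "${1:-}" in
    --scan) check_crisis_files "${2:-/}"; netstat -an 2>/dev/null | check_crisis_c2 ;;
esac
```

The file check alone cannot see the randomly named files the memo mentions, and a rootkit that hides its own files from the kernel may defeat it on a live system, which is why scanning the disk from another boot volume (passing its mount point as ROOT) gives a more reliable answer.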

Means of protection:
VirusBarrier X6 protects users from this malware with malware definitions dated July 24, 2012 or later. VirusBarrier X6's real-time scanner will detect the file when it is downloaded, and its Anti-Spyware protection will block any connections to remote servers if a user has installed the Trojan horse. VirusBarrier Express and VirusBarrier Plus, available exclusively from the Mac App Store, detect this malware with malware definitions dated July 24, 2012 or later, but these programs do not have a real-time scanner due to limitations imposed by the Mac App Store; users should scan their Macs after they have updated to the latest malware definitions, or manually scan any installer packages they have downloaded if they seem suspicious.

Intego: http://www.intego.com
VirusBarrier X6: http://www.intego.com/products
Download VirusBarrier X6: http://www.intego.com/demo
Purchase VirusBarrier X6: http://www.intego.com/buynow
Screenshot: http://www.intego.com/mac-security-blog/wp-content/uploads/2012/07/Crisis3.png
The Mac Security Blog: http://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/