After OSX/Crisis has been successfully installed on a machine, it will inject itself into a number of programs to spy on the infected user’s activity. These applications include popular ones like:
- MSN Messenger
In addition to tracking all activity within the programs listed above, OSX/Crisis allows an attacker to monitor and/or control the following operations:
- Mouse position
- Internal Webcam & Microphone
- Clipboard Contents
- Key strokes
- Running applications
- Web addresses
- Calendar Data & Alerts
- Device Information
- Address Book Contact Information
As you can tell, with OSX/Crisis on your system, you will have no sense of privacy. Everything you do is subject to being recorded – including any audio conversations held via Skype – and all of the data collected by OSX/Crisis will be sent to a remote server controlled by the attackers.
On a side note, Intego Security researchers found that there are sections of the Crisis Trojan’s code that suggest it was part of a commercial malware tool called “Remote Control System” (or RCS) that’s geared towards government surveillance and mainly sold in the US and Europe.
RCS, which was created by a company called HackingTeam, usually carries a hefty price tag of €200,000 ($245,664), leading Intego to believe that it’s likely only being used in targeted attacks.
Dr. Web’s write-up of OSX/Crisis, which they identify as BackDoor.DaVinci.1, appears to draw the same conclusion.
Although this new Trojan is often referred to as the “Crisis” Trojan, it does have other names:
- OSX/Morcut (Sophos)
- BackDoor.DaVinci.1 (Dr. Web)
- Backdoor:MacOS_X/Flosax.A (Microsoft)
Graham Cluley of Sophos stated that the “Crisis” name is a result of the name appearing within the malware’s code. Instead of adopting the suggested name, Sophos opted to name the Trojan OSX/Morcut.
Dr. Web’s name seems to be derived from the name of the man who started HackingTeam, David Vincenzetti.
Microsoft stated on Facebook that they detect this threat as MacOS_X/Flosax.A.
Detecting & Removing OSX/Crisis
It’s important to note that OSX/Crisis has still NOT been spotted in-the-wild, so the risk of being infected is relatively low. However, Intego, Sophos and Dr. Web all offer antivirus solutions that are capable of detecting and removing OSX/Crisis should the day come when it is actively being spread.
For more information on OSX/Crisis, including what versions of OS X it runs on, check out my previous post.
[via Intego][via Sophos][via Dr. Web]
Note: This article was updated on 7/30/12 to add Microsoft's alias for OSX/Crisis.