Thursday, July 26, 2012

More Information on OSX/Crisis Trojan Released: What Can It DO?

New Apple Trojan DetailsMore details about the newly-discovered Crisis Trojan targeting Apple users have emerged, and let me just say: OSX/Crisis (aka OSX/Morcut) is jam-packed with some extra creepy functionality.


After OSX/Crisis has been successfully installed on a machine, it will inject itself into a number of programs to spy on the infected user’s activity.  These applications include popular ones like:

  • Skype

  • MSN Messenger

  • Adium

  • Firefox

In addition to tracking all activity within the programs listed above, OSX/Crisis allows an attacker to monitor and/or control the following operations:

  • Mouse position

  • Location

  • Internal Webcam & Microphone

  • Clipboard Contents

  • Key strokes

  • Running applications

  • Web addresses

  • Screenshots

  • Calendar Data & Alerts

  • Device Information

  • Address Book Contact Information

As you can tell, with OSX/Crisis on your system, you will have no sense of privacy. Everything you do is subject to being recorded – including any audio conversations held via Skype – and all of the data collected by OSX/Crisis will be sent to a remote server controlled by the attackers.

On a side note, Intego Security researchers found that there are sections of the Crisis Trojan’s code that suggests that it was a part of a commercial malware tool called “Remote Control System” (or RCS) that’s geared towards government surveillance and mainly sold in the US and Europe.

RCS, which was created by a company called HackingTeam, usually carries a hefty price tag of €200,000 ($245,664), leading Intego to believe that it’s likely only being used in targeted attacks.

Dr. Web’s write-up of OSX/Crisis, which they identify as BackDoor.DaVinci.1, appears to draw up the same conclusion.

Known Aliases

Although this new Trojan is often referred to as the “Crisis” Trojan, it does have other names:

  • OSX/Morcut (Sophos)

  • BackDoor.DaVinci.1 (Dr. Web)

  • Backdoor:MacOS_X/Flosax.A (Microsoft)

Graham Cluley of Sophos stated that the “Crisis” name is a result of the name appearing within the malware’s code. Instead of adopting the suggested name, Sophos opted to name the Trojan OSX/Morcut.

Dr. Web’s name seems to be derived from the name of the man who started HackingTeam, David Vincenzetti.

Microsoft stated on Facebook that they detect this threat as MacOS_X/Flosax.A.

Detecting & Removing OSX/Crisis

It’s important to note that OSX/Crisis has still NOT been spotted in-the-wild, so the risk of being infected is relatively low. However, Intego, Sophos and Dr. Web all offer antivirus solutions that are capable of detecting and removing the OSX/Crisis in the event that the day where it is actively being spread comes.

For more information on OSX/Crisis, including what versions of OS X it runs on, check out my previous post.

[via Intego][via Sophos][via Dr. Web]

Note: This article was updated on 7/30/12 to add Microsoft's alias for OSX/Crisis.

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet, “Like” us on Facebook or add us to your circle on Google+

No comments:

Post a Comment