Wednesday, July 25, 2012

New “Crisis” (or Morcut) Trojan Found Targeting OS X 10.6 & 10.7

Mac users, be on your guard.

Security researchers at both Intego and Sophos are warning users about a new backdoor Trojan named OSX/Crisis (aka OSX/Morcut-A to Sophos users).

The Targets

OSX/Crisis is said to install silently, without the need of a password, and only works on computers running OS X 10.6 (Snow Leopard) and 10.7 (Lion).

It doesn't run on the newly-released 10.8 (Mountain Lion), and tends to crash on 10.5 (Leopard).

Infection Method

Good news is that the Crisis Trojan has not been spotted “in-the-wild.”

Intego stated that they came across samples of the malware on VirusTotal (a site that is used to scan suspicious files and URLs, and share malware samples between security companies), and there was no mention of origin on the sample that Sophos got ahold of.

Sophos' malware sample came packaged in a file deceptively named “AdobeFlashPlayer.jar” that contained a .class file named WebEnhancer along with "two unassuming-looking files named win and mac."

Given the archive name, one wouldn’t really think anything of these files; however, the “mac” file is actually the installer for OSX/Crisis Trojan while “win” serves as an installer for Windows malware identified as Mal/Swizzor-D. No need to leave Windows out of the fun, right?

Had this file been used in an actual attack, the user would get SOME kind of notification since the WebEnhancer applet triggers a digital signature alert warning stating that the applet is from an untrusted publisher.

WebEnhancer warning dialog (screenshot credit: Sophos)

Should that screen be ignored and the applet allowed to run, the malware will be installed without any further warnings to the user.

This is only one example of how OSX/Crisis can be delivered, though. Other methods may not cause alerts that throw red flags to the user.

Installation Process

While it’s true that OSX/Crisis doesn’t require a password to install, the user account permissions play a slight role in the Trojan’s installation process.

If OSX/Crisis runs on a user account with Admin permissions, it will drop a rootkit to hide itself and create 17 files. A user account without Admin privileges will result in 14 files being created.

Although the majority of the files created are randomly named, they tend to fall under the following folders, which are also created by OSX/Crisis:

  • /Library/ScriptingAdditions/appleHID/

  • /System/Library/Frameworks/Foundation.framework/XPCServices/


Note: The “XPCServices” folder is only created if the user account has Admin permissions; the “appleHID” folder is created with or without Admin permissions.

After OSX/Crisis has been successfully installed, it will remain active – even if the system is restarted – and check in with a remote server (IP address 176.58.100.37) every 5 minutes.

OSX/Crisis is said to be created in a way that makes reverse-engineering more difficult and uses low-level system calls to hide its activities. These techniques are common in Windows malware, but not OS X malware.
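As an added example (not Intego's or Sophos' tooling, and not part of the original post), here is a small POSIX shell check for the two folders and the beacon address named above. ROOT is an assumed prefix so the same functions can be pointed at a suspect volume mounted from a clean system, which matters because an Admin-level install is said to hide its files with a rootkit.

```shell
#!/bin/sh
# Added example: read-only check for the OSX/Crisis indicators quoted in the
# post. Not Intego's or Sophos' code. ROOT is an assumed prefix ("" means the
# running system); point it at a mounted suspect volume when an Admin-level
# install (rootkit) may be hiding files from the live system.

# Folders the post says the Trojan creates. Only the folders are checked:
# the files inside are randomly named, so their names are not an indicator.
CRISIS_DIRS="/Library/ScriptingAdditions/appleHID
/System/Library/Frameworks/Foundation.framework/XPCServices"

# Remote server the post says the Trojan contacts every 5 minutes.
CRISIS_C2="176.58.100.37"

# Print each indicator folder that exists under ROOT, one path per line.
# Usage: crisis_dirs_present [ROOT]
crisis_dirs_present() {
    root="${1:-}"
    for d in $CRISIS_DIRS; do
        [ -d "$root$d" ] && echo "$root$d"
    done
    return 0
}

# Filter a socket listing (for example the output of `netstat -an`, or a
# saved copy of it) for lines that mention the beacon address.
crisis_c2_lines() {
    grep -F "$CRISIS_C2" || true
}

# Run both checks and report. Exits 0 whether or not anything is found so
# it can be dropped into a larger script; read the output.
crisis_scan() {
    root="${1:-}"
    echo "== indicator folders under ${root:-/} =="
    crisis_dirs_present "$root"
    echo "== live sockets to $CRISIS_C2 (netstat -an) =="
    netstat -an 2>/dev/null | crisis_c2_lines
    echo "== done =="
}

crisis_scan "${1:-}"
```

Because the beacon fires only every 5 minutes, a single netstat snapshot can miss it; a firewall or router log of outbound connections to that address over a longer window is the more reliable network check.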

Protecting Your Mac

Now that you’re aware of the threat, what can you do to protect your Mac?

  • Keep your OS up-to-date to make sure there aren’t any vulnerabilities that an attacker may exploit to plant OSX/Crisis on your system.

  • Consider disabling Java plug-ins on your browser or removing Java altogether. Cybercriminals love exploiting Java vulnerabilities to spread malware, and researchers warn that Java-based attacks are on the rise.

  • Always run antivirus software on your Mac. Most antivirus vendors offer security products for both Windows and Mac. Sophos even offers a free Mac antivirus solution, so you really have no excuse. ;) Both Sophos and Intego's antivirus apps detect and remove OSX/Crisis.

  • Be careful what files you download. That means no downloading files attached to emails from unknown or untrusted sources.

