New Apple Mac Trojan "OSX/Crisis" Discovered

  • MORE

Contrary to popular belief, your Apple computer isn't impervious to all forms of malware and viruses. Today, Mac security firm Intego announced that it had discovered a new Mac OS X trojan called OSX/Crisis. The malware installs itself without user intervention and hides itself well if installed with root permission.

While the risk has been identified as low -- the malware has not yet been found in the wild -- it's alarming that OSX/Crisis exhibits a number of stealthing qualities rarely seen in OS X malware. For one, OSX/Crisis is what's formally known as a Trojan dropper, which means it can cloak itself behind the guise of a music file, a game or a screen saver.

Luckily, there are ways to check if your Mac has been infected. If OSX/Crisis is installed on a Mac running in root or administrator mode, the following files will turn up:

  • /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server
  • /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources/
  • /Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r

However, without root access, only the last file will be present:

  • /Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r

OSX/Crisis routinely calls home to the IP address 176.58.100.37 every 5 minutes, awaiting instructions. However, it's worth noting that this IP address could change over time.

Additionally, the backdoor file with this functionality has been coded in such a way that reverse engineering tools won't work as well when analyzing the file -- a technique called anti-analysis which is commonly seen in Windows malware, yet almost unheard of in OS X malware. 

OSX/Crisis is only threatening to the two latest versions of Mac OS X, Snow Leopard and Lion.

On the bright side, if you already use Intego VirusBarrier X6, all you need to do is update to get the latest protection from this threat. Otherwise, users with malware anxiety can check out the relevant Mac protection software from Intego here.

via Intego

Add a comment