Bellevue, Washington – Intego Security Memo – A new Apple Mac Trojan, called OSX/Crisis, has been discovered by the Intego Virus Team.
Risk: Low; this malware has not yet been found in the wild. It does install itself without user permission, and hides itself well if installed with root permission.
Intego has discovered a new Trojan horse, Crisis, which is a Trojan dropper. This Trojan horse has not been found in the wild, but it exhibits some anti-analysis and stealthing techniques that are uncommon among OS X malware.
This threat works only in OS X versions 10.6 and 10.7 – Snow Leopard and Lion. It installs without any user interaction; no password is required for it to run. The Trojan persists across reboots, so it will continue to run until it is removed. Depending on whether or not the dropper runs under a user account with root permissions, it will install different components. It remains to be seen if or how this threat is installed on a user’s system; it may be that an installer component will try to obtain root permissions.
If the dropper runs on a system with root access, it will drop a rootkit to hide itself. In either case, it creates a number of files and folders to complete its task; 17 files when it’s run with root access, 14 files when it’s run without. Many of these are randomly named, but there are some that are consistent.
With or without root access, this file is installed:
Only with root access, these files are installed:
The backdoor component calls home to the IP address 220.127.116.11 every 5 minutes, awaiting instructions. The file is built in a way intended to hinder reverse-engineering tools when they analyze it. This sort of anti-analysis technique is common in Windows malware, but is relatively uncommon for OS X malware.
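As an added example, not part of Intego's memo or its products: a small Python script that looks for the 5-minute beacon pattern described above in constructed firewall-style connection records. The destination IP is the one quoted in the memo; the log format, the 10% jitter tolerance and the minimum hit count are assumptions.

```python
# Added example (not Intego's code): flag hosts whose connections to a
# destination recur at a fixed ~5-minute period, the beacon interval the
# memo describes. Log lines below are constructed; only the IP is from the memo.
from collections import defaultdict
from datetime import datetime
from statistics import median

C2_ADDRESS = "220.127.116.11"   # indicator quoted in the memo
EXPECTED_INTERVAL = 300         # beacon period from the memo, in seconds
TOLERANCE = 0.1                 # assumed: allow 10% jitter around the period

# Constructed sample: "timestamp src dst" records, as a firewall might log them.
SAMPLE_LOG = """\
2012-07-24T10:00:02 192.0.2.10 220.127.116.11
2012-07-24T10:01:17 192.0.2.10 198.51.100.7
2012-07-24T10:05:03 192.0.2.10 220.127.116.11
2012-07-24T10:10:01 192.0.2.10 220.127.116.11
2012-07-24T10:12:40 192.0.2.11 198.51.100.7
2012-07-24T10:15:04 192.0.2.10 220.127.116.11
2012-07-24T10:20:02 192.0.2.10 220.127.116.11
"""

def parse_log(text):
    """Group connection timestamps by (src, dst) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def beaconing_pairs(text, period=EXPECTED_INTERVAL, tolerance=TOLERANCE, min_hits=4):
    """Return (src, dst) pairs whose inter-connection gaps cluster around `period`."""
    hits = []
    for pair, times in parse_log(text).items():
        if len(times) < min_hits:       # too few connections to judge periodicity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(median(gaps) - period) <= period * tolerance:
            hits.append(pair)
    return hits

def indicator_hits(text, address=C2_ADDRESS):
    """Hosts that contacted the memo's indicator at all, regardless of timing."""
    return sorted({src for (src, dst) in parse_log(text) if dst == address})

if __name__ == "__main__":
    print("periodic beacons:", beaconing_pairs(SAMPLE_LOG))
    print("hosts contacting indicator:", indicator_hits(SAMPLE_LOG))
```

The timing check is independent of the indicator, so it still surfaces a beacon if the address changes; the indicator check catches a single contact that the timing check would skip.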
Means of protection:
VirusBarrier X6 protects users from this malware with malware definitions dated July 24, 2012 or later. VirusBarrier X6’s real-time scanner will detect the file when it is downloaded, and its Anti-Spyware protection will block any connections to remote servers if a user has installed the Trojan horse. VirusBarrier Express and VirusBarrier Plus, available exclusively from the Mac App Store, detect this malware with malware definitions dated July 24, 2012 or later, but these programs do not have a real-time scanner due to limitations imposed by the Mac App Store; users should scan their Macs after they have updated to the latest malware definitions, or manually scan any installer packages they have downloaded if they seem suspicious.
Mac users have unique security needs, and Intego has been working to protect them from the dangers of the Internet for nearly 15 years. Founded in 1997, Intego is the only company focusing solely on security for Macs and other Apple products. With a full range of products to protect Macs, as well as products for iOS devices, such as the iPhone and iPad, Intego makes the Internet a safer place for Mac and Apple users. Intego’s security programs are designed so novices and security experts alike can protect their Macs optimally. Intego’s programs have received dozens of awards from Mac magazines around the world, all of which stress the quality and ease-of-use of Intego software. With its unique position as the Mac security specialist, Intego provides Mac users with full protection from all the dangers of the Internet. As the Internet evolves, Intego develops new programs and enhances its existing software to meet the growing security needs of Mac users. For more information, please visit Intego online. Copyright (C) 2012 Intego. All Rights Reserved. Apple, the Apple logo, Mac OS X, and Macintosh are registered trademarks of Apple Inc. in the U.S. and/or other countries.