toggle

New OS X trojan identified, bypasses user permissions

updated 07:07 pm EDT, Tue July 24, 2012

 

Crisis Trojan yet to appear in the wild


Security firm Intego's virus team has identified a new trojan horse malware targeting the Mac platform. The trojan, called Crisis, has yet to be seen in the wild, but Intego says it is engineered to make analysis of the malware difficult for security experts. Intego has stressed alertness regarding the new malware, as it appears to be able to bypass OS X security features and install itself with no user interaction.

Crisis has been traced back to the IP address 176.58.100.37, which it calls back to every five minutes for instructions. Only OS X versions 10.6 and 10.7 are said to be susceptible to the malware, which can install and run itself without the need for the user to enter a password. Since the malware is resistant to reboots, it will run until it is detected and removed. If the program is installed on a user account with root permissions, it will install additional programs to hide itself.

With or without root access, Crisis installs the following file: /Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r

When Crisis has root access, it installs two files: /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server and /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources/

Intego says that the malware was created in a way that makes reverse engineering tools more difficult when analyzing it. Anti-analysis measures of this sort are said to be more common for Windows malware but relatively uncommon for programs targeting Macs. Intego has updated its VirusBarrier X6 software to guard against this malware and other definitions dated July 24, 2012 or later.


By Electronista Staff

Post tools:

TAGS :  

security, Mac, OS X, Intego, Crisis

Related Articles

Recent Articles

toggle

Comments

  1. tonton

    Senior User

    Joined: 03-05-01

    07-24-12 03:18 pm

    Of course. New malware never seen in the wild has been "discovered" by an anti-virus company, whose product has been updated to detect it.

    It's like a home alarm company representative "coincidentally" calls you the day after a rock gets thrown through your window.

  1. mgpalma

    Fresh-Faced Recruit

    Joined: 09-27-00

    07-24-12 04:25 pm

    I've always wondered about malware and viruses NOT in the wild, that have been discovered...hmmm.

  1. wrenchy

    Forum Regular

    Joined: 11-03-09

    07-24-12 05:31 pm

    Someone should sue Apple for all that false advertising. "Oh the Mac does not get viruses...." Riiiiight. If someone thinks this is a rare occurrence, this is only the beginning for Mac bases malware, trojans and viruses. Welcome to the +10% club!

  1. Mr. Strat

    Junior Member

    Joined: 01-23-02

    07-24-12 07:31 pm

    We hear this crap all the time from companies that coincidentally sell anti-virus software.

    It's called FUD.

  1. besson3c

    Clinically Insane

    Joined: 03-03-01

    07-24-12 07:33 pm

    Originally Posted by tontonView Post


    Of course. New malware never seen in the wild has been "discovered" by an anti-virus company, whose product has been updated to detect it.
    It's like a home alarm company representative "coincidentally" calls you the day after a rock gets thrown through your window.


    I'm fine with any non-malicious entity that helps Apple find and patch security flaws, and I don't mind them making money selling anti-virus software, although I agree their tactics are rather manipulative.

  1. exca1ibur

    Mac Elite

    Joined: 10-06-00

    07-24-12 08:38 pm

    I would just find these 'security experts' to be more helpful to send this stuff to Apple to fix, than posting how-to's to the public.

  1. chefpastry

    Mac Enthusiast

    Joined: 11-14-05

    07-24-12 11:17 pm

    To protect yourself from this, you can do the following:

    1. Block IP address 176.58.100.37 with a firewall.
    2. Create locked dummy files with the same filenames and put them it the appropriate folders.

  1. besson3c

    Clinically Insane

    Joined: 03-03-01

    07-25-12 01:48 am

    Originally Posted by exca1iburView Post


    I would just find these 'security experts' to be more helpful to send this stuff to Apple to fix, than posting how-to's to the public.


    Some times making these public inspires much quicker action. In a way I don't mind some profit being made either. Why would anybody spend so much time finding security flaws like this just because they want to be nice to Apple?

  1. besson3c

    Clinically Insane

    Joined: 03-03-01

    07-25-12 01:48 am

    Originally Posted by chefpastryView Post


    To protect yourself from this, you can do the following:
    1. Block IP address 176.58.100.37 with a firewall.
    2. Create locked dummy files with the same filenames and put them it the appropriate folders.


    Wouldn't it be wise to assume that there are variants of this that use different IP addresses?

  1. airmanchairman

    Fresh-Faced Recruit

    Joined: 12-08-11

    07-25-12 04:11 am

    "The trojan, called Crisis, ... appears to be able to bypass OS X security features and install itself with no user interaction."

    A contradiction in terms there that reveals some highly likely self-advertising using scare-mongering tactics.

    Technically, if it installs with no user interaction it's a virus, not a Trojan. There's something about this malware's delivery method that they have kept out of this announcement.

    Add to that discrepancy the fact that "it hasn't been seen in the wild", and it begins to unravel as a vendor's laboratory product that coincidentally it has "updated its VirusBarrier X6 software to guard against".

    Pull the other leg, Intego, it's got bells on it...

Login Here

Not a member of the MacNN forums? Register now for free.

 
close
Photo
toggle

Network Headlines

toggle

Most Popular

Sponsor

Recent Reviews

MaxUpgrades MaxConnect for 2006-2008 Mac Pro

Nobody outside of Cupertino's privileged bunch knows the future of the Mac Pro line for sure. Despite Apple's reluctance to tell us wh ...

Brother HL-3170CDW LED Printer

We've mentioned before that we are far from a paperless society. For now, at least, there are tasks that require a piece of paper for ...

HTC One

It is hard to overstate just how critically important the HTC One is to the Taiwanese company’s fortunes. Despite its alarming decline ...

Sponsor

 
toggle

Popular News