Security researchers at Intego have discovered a new Trojan affecting Macs. The malware, called OSX/Crisis, only affects OS X Snow Leopard or Lion, and has a number of built-in features to help it hide from the system (and from anti-malware tools).
From the Intego Blog:
Intego has discovered a new Trojan, called OSX/Crisis. […] It installs without need of any user interaction; no password is required for it to run. The Trojan preserves itself against reboots, so it will continue to run until it’s removed. Depending on whether or not the dropper runs on a user account with root permissions, it will install different components. As we have not yet seen if or how this threat is installed on a user’s system, it may be that an installer component would try to establish root permissions.
Fortunately, the malware is rated as very low-risk, and hasn’t actually been spotted in the wild yet. Interestingly, it’s also unclear exactly how the Trojan would affect a system. It creates a number of files and calls home to a remote server, but its actual method of attack remains unknown.
Apple is usually pretty fast to target and remove new malware, so I anticipate the built-in malware removal tool in OS X will be updated to address the new threat in the very near future. The full Intego security bulletin can be found below:
INTEGO SECURITY MEMO – July 24, 2012
New Apple Mac Trojan Called OSX/Crisis Discovered by Intego Virus Team
Malware: OSX/Crisis
Risk: Low; this malware has not yet been found in the wild. It does install itself without user permission, and hides itself well if installed with root permission.
Description: Intego has discovered a new Trojan horse, Crisis, which is a Trojan dropper. This Trojan horse has not been found in the wild, but it exhibits some anti-analysis and stealthing techniques that are uncommon among OS X malware.
This threat works only in OSX versions 10.6 and 10.7 – Snow Leopard and Lion. It installs without need of any user interaction; no password is required for it to run. The Trojan preserves itself against reboots, so it will continue to run until it’s removed. Depending on whether or not the dropper runs on a user account with root permissions, it will install different components. It remains to be seen if or how this threat is installed on a user’s system; it may be that an installer component will try to establish root permissions.
If the dropper runs on a system with root access, it will drop a rootkit to hide itself. In either case, it creates a number of files and folders to complete its task; 17 files when it’s run with root access, 14 files when it’s run without. Many of these are randomly named, but there are some that are consistent.
With or without root access, this file is installed:
Only with root access, these files are installed:
The backdoor component calls home to the IP address 176.58.100.37 every 5 minutes, awaiting instructions. The file is created in a way that is intended to make it more difficult for reverse engineering tools to analyze it. This sort of anti-analysis technique is common in Windows malware, but is relatively uncommon for OS X malware.
Means of protection: VirusBarrier X6 (www.intego.com/virusbarrier/) protects users from this malware with malware definitions dated July 24, 2012 or later. VirusBarrier X6’s real-time scanner will detect the file when it is downloaded, and its Anti-Spyware protection will block any connections to remote servers if a user has installed the Trojan horse. VirusBarrier Express and VirusBarrier Plus, available exclusively from the Mac App Store, detect this malware with malware definitions dated July 24, 2012 or later, but these programs do not have a real-time scanner due to limitations imposed by the Mac App Store; users should scan their Macs after they have updated to the latest malware definitions, or manually scan any installer packages they have downloaded if they seem suspicious.
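As an added example (not code from Intego or from the bulletin), here is detection logic for the call-home behaviour the memo describes, run over constructed outbound-connection log lines in an assumed `<ISO timestamp> <src> -> <dst>:<port>` format. The remote address and the 5-minute cadence come from the bulletin; the log format, host names and tolerances are assumptions.

```python
# Added example (not Intego's code): flag hosts that beacon to the address
# the bulletin names (176.58.100.37) on the ~5-minute cadence it describes.
# Log format "<ISO timestamp> <src ip> -> <dst ip>:<port>" is assumed.
from datetime import datetime
from collections import defaultdict
from statistics import median

C2_ADDRESS = "176.58.100.37"   # from the Intego bulletin
BEACON_INTERVAL_S = 300        # "every 5 minutes"

# Constructed sample log: 10.0.0.5 beacons on a 5-minute cadence,
# 10.0.0.9 makes one unrelated connection and one single contact with the C2.
SAMPLE_LOG = """\
2012-07-24T10:00:02 10.0.0.5 -> 176.58.100.37:80
2012-07-24T10:00:40 10.0.0.9 -> 93.184.216.34:443
2012-07-24T10:05:01 10.0.0.5 -> 176.58.100.37:80
2012-07-24T10:09:59 10.0.0.5 -> 176.58.100.37:80
2012-07-24T10:15:03 10.0.0.5 -> 176.58.100.37:80
2012-07-24T10:20:00 10.0.0.9 -> 176.58.100.37:80
"""

def parse_line(line):
    """Return (timestamp, src, dst) for one log line in the assumed format."""
    ts, src, _, dst_port = line.split()
    return datetime.fromisoformat(ts), src, dst_port.rsplit(":", 1)[0]

def find_beacons(log_text, c2=C2_ADDRESS, interval=BEACON_INTERVAL_S,
                 tolerance=30, min_hits=3):
    """Map each source host that reached the C2 address to a verdict:
    'beaconing' when it connected at least min_hits times with a median
    inter-connection gap within tolerance seconds of interval, otherwise
    'contacted_c2' (worth triage, but no regular cadence observed)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = parse_line(line)
        if dst == c2:
            times[src].append(ts)
    verdicts = {}
    for src, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # 'and' short-circuits, so median() is never called on an empty list
        regular = len(stamps) >= min_hits and abs(median(gaps) - interval) <= tolerance
        verdicts[src] = "beaconing" if regular else "contacted_c2"
    return verdicts

if __name__ == "__main__":
    for host, verdict in find_beacons(SAMPLE_LOG).items():
        print(f"{host}: {verdict}")
```

Any contact with the address is already a strong indicator on its own; the cadence check only separates the periodic check-in from a one-off connection during triage.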