There’s a new Mac Trojan dropper that uses a silent installation process and it also has the ability to establish backdoor access to infected machines. Security researchers at Intego found samples of the OSX/Crisis malware on the Virus Total website, but it has not yet been found in the wild.
Affecting Snow Leopard and Lion (versions 10.6 and 10.7), OSX/Crisis has a built in mechanism that protects itself from reboots, meaning the trojan will stay on infected Macs until it is actively removed, Intego’s Lysa Meyers writes.
Crisis will impact machines differently depending on user rights. For individuals with administrative permissions, it is dropping a rootkit to conceal itself as well as a number of files and folders to carry out its various functions. OSX/Crisis creates 17 files for users with admin-permissions and 14 for those without. The files are random for the most part, however, Meyers writes that ‘/Library/ScriptingAdditions/appleHID/’ is a folder found in all infected machines with admin-permissions and ‘/System/Library/Frameworks/Foundation.framework/XPCServices/’ is being found in all infected machines without admin permissions.
The backdoor-component is phoning home to IP address 220.127.116.11 every five minutes and awaiting instructions. Intego claims that the file is constructed in a way to make it difficult for analysis by reverse engineering tools. This is a relatively old trick for Windows malware but Intego says they haven’t seen these sorts of anti-analysis techniques widely used on Mac malware yet.
OSX/Crisis shouldn’t be nearly as troubling to Mac users as the new versions of the Macdefender malware that popped up last year or the 500,000-strong flashback botnet that hit headlines in April. Despite that, OSX/Crisis’s appearance illustrates a continued upward trend in the prevelance of Mac-based malware, and, perhaps more concerning, an increase in the adoption of infection techniques that malware-writers have employed for years in their attacks on Windows machines.