New Mac Trojan ‘OS/X Crisis’ discovered

Mac security firm Intego has discovered a new Mac OS X Trojan, OS/X Crisis. Once run, the malware installs itself without any user interaction and hides itself well, especially when it runs as root, but it has not yet been found on Mac users’ computers in the wild.

The threat affects only the two most recent versions of Mac OS X, Snow Leopard (10.6) and Lion (10.7).

Intego classifies OS/X Crisis as a Trojan dropper: malware that masquerades as something harmless, such as a game, a screen saver, or a music file, and then drops and installs its real payload. It installs itself without the user noticing and then tries to cover its tracks and mask its presence on the system.

“It makes a lot of effort to hide itself, which is not very common in Mac Trojans,” Lysa Myers, a security researcher with Intego, told VentureBeat. “[That effort] is much more common in Windows Trojans.”

Most of the files the Trojan creates have random names, to defeat simple detection and removal, but several names are consistent across installs, so users can search for them to check whether they are infected.

If the Trojan is run under a root or administrator account, these files will be present on the system:

  • /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server
  • /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources/
  • /Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r

If you’re a bit more cautious, however, and run the system as a standard (non-admin) user, only this file will be present:

  • /Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r

Once installed, OS/X Crisis calls home to IP address 176.58.100.37 every five minutes, presumably to await instructions. Blocking that one address is not a reliable defence: it may change in later samples, as malware authors often build in features that resist simple blocking.
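As an added illustration of the checks the article describes (this is not Intego's tool, and none of it comes from the original article): a small POSIX shell script that looks for the three indicator paths listed above and filters netstat-style output for connections to the control address. The ROOT prefix (so the file check can also run against a mounted copy of a suspect volume), the `--scan` flag and the function names are this example's own assumptions; the paths and the IP address are taken from the article at face value.

```shell
#!/bin/sh
# Added example (not Intego's tool): check a Mac for the OS/X Crisis
# indicators quoted in the article. The ROOT prefix, the --scan flag and
# the function names are this example's own conventions.

# File paths the article lists as consistent across installs.
CRISIS_PATHS="
/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server
/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources/
/Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r
"

# Command-and-control address the article says the Trojan contacts every five minutes.
CRISIS_C2="176.58.100.37"

# Print every indicator path that exists under ROOT ("" means the live system).
# ROOT lets the same check run against a mounted copy of a suspect disk.
crisis_file_hits() {
    root="${1:-}"
    for p in $CRISIS_PATHS; do
        [ -e "$root$p" ] && echo "FOUND: $root$p"
    done
    return 0
}

# Number of indicator paths present under ROOT (0 on a clean system).
crisis_file_count() {
    crisis_file_hits "$1" | wc -l | tr -d ' '
}

# Filter netstat-style lines on stdin down to live connections to the C2
# address. Beacons are five minutes apart, so one snapshot can miss it.
crisis_c2_hits() {
    grep -F "$CRISIS_C2" | grep -E 'ESTABLISHED|SYN_SENT' || true
}

# Full check of the running system (or of a volume mounted at ROOT).
crisis_scan() {
    root="${1:-}"
    echo "== Indicator files under ${root:-/} =="
    crisis_file_hits "$root"
    echo "$(crisis_file_count "$root") of 3 indicator path(s) present"
    echo "== Connections to $CRISIS_C2 (netstat -an) =="
    if command -v netstat >/dev/null 2>&1; then
        netstat -an 2>/dev/null | crisis_c2_hits
    else
        echo "netstat not found; skipping network check"
    fi
}

# Run the live scan only when invoked as: sh crisis_check.sh --scan [ROOT]
case "${1:-}" in
    --scan) crisis_scan "${2:-}" ;;
esac
```

The `/Library/ScriptingAdditions/.../appleOsax.r` path is the one the article says is present for every install, so it is the first thing to look for; the two Foundation.framework paths only appear when the Trojan ran with admin or root rights. A single `netstat` snapshot will usually miss a beacon that fires once every five minutes, so run the network check repeatedly, and remember that a newer sample using a different control address would not be caught by it at all; treat the file indicators as the primary evidence.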

One question you might be asking: If it’s not “in the wild” yet, how did Intego find it?

I asked Myers that question, and she said that, as security researchers, Intego personnel spend a lot of time in the dark, nasty recesses of the web. In addition, malware writers often upload their wares to forums and security sites to test if their software is detectable by security software.

Image credit: MG1408/ShutterStock
