New Mac malware spies on you via Adium, Firefox, Safari, Skype


Summary: A new Mac OS X Trojan referred to as OSX/Crisis silently infects OS X 10.6 Snow Leopard and OS X 10.7 Lion. It then spies on the user by monitoring Adium, Firefox, Microsoft Messenger, Safari, and Skype.


Earlier this week I wrote about a new Mac OS X Trojan that drops different components depending on whether or not it is executed on a user account with Admin permissions. The threat installs itself silently (no user interaction required) and does not need your user password to infect your Apple Mac. Further analysis now shows that the malware is actually set up to spy on your browsing and instant messaging activities.

Intego, which had to update its anti-malware signatures upon discovering the threat, refers to it as "OSX/Crisis." First, the malware arrives as a Java applet (adobe.jar, AdobeFlashPlayer.jar, or something else entirely) that relies on social engineering. Given that OS X 10.7 Lion doesn't include Java by default, however, it's very likely there are other ways for it to find its way onto your Mac.

Once executed, the Java applet checks to see whether it's running on Windows or OS X (as you can see in the code snippet above). Recently, cross-platform Trojans have become more and more popular (one, two, three) and are probably one of the reasons Microsoft wants you to update Java or kill it.

This Mac Trojan is like most: when run, it installs silently to create a backdoor. What makes this threat particularly worrying is that depending on whether or not it runs on a user account with Admin permissions, it will install different components, which use low-level system calls to hide their activities. Either way, it will always create a number of files and folders to complete its tasks; the backdoor component calls home for instructions to the IP address 176.58.100.37 every five minutes.

If the dropper runs on a system with Admin permissions, it will drop a rootkit to hide itself. The malware creates 17 files when it's run with Admin permissions, 14 files when it's run without. Many of these are randomly named, but there are some that are consistent. With or without Admin permissions, this folder is created:

/Library/ScriptingAdditions/appleHID/

Only with Admin permissions, this folder is created:

/System/Library/Frameworks/Foundation.framework/XPCServices/
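The two directories above and the control-server address mentioned earlier are the indicators a responder would sweep a Mac for. The following POSIX shell script is an added example written for this page; it is not code from the article, Intego or Sophos. It checks a filesystem root for the two OSX/Crisis directories and counts lines in a connection log that reference the 176.58.100.37 control address. The log format is assumed (any line containing the address counts), and the sample log the script can write is constructed for offline testing.

```shell
#!/bin/sh
# Added example (not from the article or the vendors it quotes): sweep a
# host for the OSX/Crisis indicators the article reports. Run with
# "--scan" to check the live system; the functions take a root directory
# so the logic can also be exercised against a scratch tree.

# Folder created with or without Admin permissions (from the article).
CRISIS_PATH_ANY="/Library/ScriptingAdditions/appleHID"
# Folder created only when the dropper ran with Admin permissions.
CRISIS_PATH_ADMIN="/System/Library/Frameworks/Foundation.framework/XPCServices"
# Control-server address the backdoor polls every five minutes.
CRISIS_C2="176.58.100.37"

# crisis_fs_indicators ROOT
# Prints every indicator directory that exists beneath ROOT (default "/").
# Returns 0 when none is present, 1 when at least one is found.
crisis_fs_indicators() {
    root="${1:-/}"
    found=0
    for rel in "$CRISIS_PATH_ANY" "$CRISIS_PATH_ADMIN"; do
        if [ -d "${root%/}$rel" ]; then
            echo "INDICATOR: ${root%/}$rel"
            found=1
        fi
    done
    return $found
}

# crisis_beacon_count LOGFILE
# Prints the number of log lines that mention the C2 address. Any line
# format is accepted (assumption); the search is a fixed-string match so
# the dots in the address are not treated as wildcards.
crisis_beacon_count() {
    grep -c -F "$CRISIS_C2" "$1" || true
}

# crisis_sample_log LOGFILE
# Writes a constructed three-line connection log for offline testing;
# two of the lines carry the C2 address five minutes apart.
crisis_sample_log() {
    cat > "$1" <<'EOF'
2012-07-26 10:00:02 host1 pf: pass out tcp 10.0.0.5:49152 -> 176.58.100.37:80
2012-07-26 10:02:11 host1 pf: pass out tcp 10.0.0.5:49160 -> 93.184.216.34:443
2012-07-26 10:05:03 host1 pf: pass out tcp 10.0.0.5:49171 -> 176.58.100.37:80
EOF
}

if [ "${1:-}" = "--scan" ]; then
    if crisis_fs_indicators /; then
        echo "no OSX/Crisis directories found"
    fi
fi
```

A non-zero exit from `crisis_fs_indicators` is the signal to escalate; the beacon count on its own only shows that something on the host talked to the address, so pair it with timestamps to confirm the five-minute cadence the article describes.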

We already know the binary is built to hinder reverse-engineering tools during analysis (common in Windows malware, but rarer in OS X malware). Upon closer inspection, however, it turns out the backdoor patches several applications to spy on an infected user's activities when they use those programs: Adium, Skype, Microsoft Messenger, and Firefox. It even patches the Activity Monitor to hide itself from the user.

Intego says the malware allows the person operating it to:

  • Spy on Skype audio traffic and record all conversations and phone calls.
  • Spy on Safari or Firefox browsers to record URLs and screenshots.
  • Record IM messages in both Microsoft Messenger and Adium.
  • Send file contents to the control server.

Furthermore, there are sections of code that point to this threat being part of Remote Control System (RCS), a €200,000 commercial malware package that is sold mostly in the U.S. and Europe. Since Intego has yet to see the malware in the wild (it was discovered on VirusTotal, a service for analyzing suspicious files and URLs), and since the security firm's analysis concludes the threat is very advanced, you're unlikely to get infected by it.

Still, if you use your Mac for critical work, store classified information on it, or are in general someone of importance, this Trojan is cause for concern. It further underlines the importance of protecting Macs against malware with the latest security updates as well as an updated antivirus program.

"From a technical perspective, this is a very advanced and fully functional threat," an Intego spokesperson said in a statement. "Due to the apparent cost of this malware package, it’s unlikely that this will be more than a targeted attack. But if you are the intended target, it’s very important that you have good security measures. Most vendors now have protection for the known components, but it’s unlikely that this is the last version of this malware (or its installation packages) that we will see."

Curiously, this particular malware only affects OS X 10.6 Snow Leopard and OS X 10.7 Lion. As I'm sure you know, OS X 10.8 Mountain Lion just came out.

I have contacted Intego to ask them if the latest version of Apple's operating system is vulnerable. I will update you if and when I hear back.

Update at 2:30 PM PST - Sophos, which detects this threat as OSX/Morcut-A, has more to add. The security firm found that its code can include hooks to control and/or monitor the following operations:

  • Mouse coordinates.
  • Instant messengers.
  • Location.
  • Internal webcam.
  • Clipboard contents.
  • Key presses.
  • Running applications.
  • Web URLs.
  • Screenshots.
  • Internal microphone.
  • Calendar data & alerts.
  • Device information.
  • Address book contents.

"In short, if this malware managed to infect your Mac computer it could learn an awful lot about you, and potentially steal information which could read your private messages and conversations, and open your email and other online accounts," a Sophos spokesperson said in a statement. "By the way, if you're curious about where the name 'Crisis' came from, it's a name which appears inside the malware's code. As far as we can tell, the author appears to have wanted his malware to be called 'Crisis'."

Update at 5:00PM PST - No, OS X 10.8 is not affected by this malware.


Topics: Security, Apple, Malware, Operating Systems

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.


Talkback

33 comments
  • Clarification please...

    "Once executed, the Java applet checks to see whether it's on Windows or OS X (as you can see in the code snippet above). Recently, cross-platform Trojans have become more and more popular (one, two, three) and are probably one of the reasons Microsoft wants you update Java or kill it."

    So this is malware that can affect Windows as well?
    Badgered
    • yes

      If it wasn't a proof of concept sample.
      Anthony E
    • So maybe...

      the title should have been "New cross platform malware spies on you via Adium, Firefox, Safari, Skype in Windows and OS X"?
      Axsimulate
    • Post a link to an infected website

      I have a machine I can test this on. Let's find out if it's true or not.
      CaviarBlack
    • Maybe, maybe not

      Depends on how the vulnerability works. It could be something that the Windows systems have blocked in some way. Similar to how there are certain pieces of malware that won't work on one platform/OS version, but will work on the other. This explains why 10.6 and 10.7 are vulnerable, but 10.8 is not.

      Also makes you wonder if Apple knew about said hole and patched in 10.8, but has not yet for 10.6/10.7 users.
      ikissfutebol
      • Sounds different

        "Similar to how there are certain pieces of malware that won't work on one platform/OS version, but will work on the other. This explains why 10.6 and 10.7 are vulnerable, but 10.8 is not."

        Considering all the same pieces of malware out there than can infect XP, Vista and Win7 as well as their server versions at the same time.

        Still makes Micro$oft king of the cross platform infections, now doesn't it.

        ;)
        CaviarBlack
  • All you OS X users should surf with fear

    Be afraid of everything you click on, don't open emails and especially email attachments, and don't ever install any applications. Compute with fear. You are being hunted and you are ill equipped to defend yourself. Be afraid. Be very afraid.

    On the other hand, all you OS X marketshare people should cheer for joy. Since OS X has only been kept safe in the past due to its pathetically low marketshare, this is proof that OS X's marketshare is getting bigger for reals. Congrats, you can now proceed to gloat.
    toddbottom3
    • Hear hear, folks - todd's bottom the horse's mouth said so

      So that must make it so.

      All of you all do what todd's bottom wants and switch to Windoze, k?

      Right now. This second.

      lol...
      CaviarBlack
      • Windoze?

        I never heard about it. Probably you are writing from your rear end.
        Ram U
        • Lesson for the day

          http://www.urbandictionary.com/define.php?term=Windoze

          Windoze

          a shitty operating system created by a monopoly. Commonly used by idiots who are too stupid to RTFM. The only feature that Windoze has that Linux doesn't is the BSOD, commonly seen by Windoze users.
          Linux is a million times better than Windoze

          I hope that helps out, Phony Architect. It's no wonder M$ can't make a popular phone.
          CaviarBlack
      • Really?

        I do not see him actually suggest what you said he did. All he said was that Apple now has the market share to get the attention of malware writers.

        Of course, being a FUD spreader, you read into it what you want. Good job showing your true colors.
        ikissfutebol
        • He didn't have to say it

          His motives have been apparent ever since his NonZealot days. And maybe even before.

          Just because you're too dumb to see it doesn't mean everybody else is.
          CaviarBlack
  • toddbottom3 is a troll

    You are a troll. We aren't afraid to click on anything as most of us are smart enough to have our java turned off, therefore the attack vector for this is null. Most of us only install software from trusted sources. So NO, we are not ill equipped to defend ourselves. So far the only one that really got anywhere was the flashback, which was poorly crafted to begin with and I had a slew of people calling me saying it looked suspicious and didn't install it. Good thing you are a bottom.
    John Garcia
    • Oops, you just lost

      "We aren't afraid to click on anything"

      Okay, I understand. So whenever any link comes along, you click on it without even thinking twice.

      "I had a slew of people calling me saying it looked suspicious"

      And you lost. There were a slew of people terrified to click on that link because they were deathly afraid of what it might bring. This goes right against what we've been hearing from OS X fanbois for years: switch to OS X where you can compute without fear.

      100% of people who safely use OS X would also safely use Windows. 100% of people who get infected with Windows malware will get infected with OS X malware if they aren't already. Remember, Flashback infected 10% of the world's OS X installed base.

      Ouch.
      toddbottom3
      • The problem is with Java, right?

        Seems Java is the problem culprit in this and the Flashback case, so not so much OS X itself, right?

        Anyway, if it's only the amount of users that has kept OS X low on malware I wonder why there was more malware for the old ”classic” Mac OS (pre OS X) when that install base was much less than what OS X have had for years now. How can this be? Was it super-easy to write malware for the old Mac OS, or what?
        star-affinity
      • Don't think so

        I'm not afraid to click on anything because I practice safe browsing habits. I have turned off the attack vectors, like java and although I'm cautious I'm not "afraid" to click on things from the sites I visit. So I'd say...I win. And you lost because that slew of people disproves that Windoze fan boys keep saying that Mac users are naive. The only thing you got somewhat right was people who browse safely can do it on either platform.
        John Garcia
  • You lost me after the second paragraph!!

    Last sentence you wrote...

    "Given that OS X 10.7 Lion doesn't include Java by default, however, it's very likely there are other ways for it to find its way onto your Mac."

    And what other ways might that be?

    It seems you're the SJVN of security here at ZDnet.
    Arm A. Geddon
    • Interesting thing about Java

      There was a lengthy discussion recently right here on ZDNet regarding Java and Windows. There were many people who stated that Java was absolutely essential for them. Those people will get silently infected if they dare install Java on OS X.

      Also, anyone who has updated their OS X instead of doing a clean install (and most home users who aren't competent will do upgrades since it is so much simpler) will all have a very old, very vulnerable version of Java sitting on their shiny new Mountain Lion, just waiting to silently infect them when a site like ZDNet displays an infected banner ad.

      Ouch.
      toddbottom3
      • haha

        #1. Proof of concept infection
        #2. Cross platform so if 1 mac user gets infected 50 windows users get infected.
        Anthony E
        • Nah

          Flashback is the most successful outbreak in history, it infected more than 1% of the OS X population, a feat that no Windows virus or malware ever achieved. I agree that given the enormous marketshare that Windows holds, that if the virus is achieving the same success rate on both platforms, we indeed would have 1 mac infection to about 15 to 16 Windows infections.
          sjaak327