New Mac Trojan installs silently, no password required

Summary: A new Mac OS X Trojan referred to as OSX/Crisis silently infects OS X 10.6 Snow Leopard and OS X 10.7 Lion. The threat was built in a way intended to make reverse engineering more difficult, an anti-analysis feature that is more common in Windows malware than in Mac malware.

Update on July 26 - New Mac malware spies on you via Adium, Firefox, Safari, Skype

A new Mac OS X Trojan has been discovered that drops different components depending on whether or not it is executed on a user account with Admin permissions. The threat installs itself silently (no user interaction required) and also does not need your user password to infect your Apple Mac. The backdoor component calls home to the IP address 176.58.100.37 every five minutes, awaiting instructions.

Intego, which had to update its anti-malware signatures upon discovering the threat, refers to it as "OSX/Crisis." The good news is that the security firm has yet to find OSX/Crisis in the wild; the company only stumbled upon it over at VirusTotal, a service for analyzing suspicious files and URLs.

This Trojan is like most: when run, it installs silently to create a backdoor. What makes this threat particularly worrying is that depending on whether or not it runs on a user account with Admin permissions, it will install different components, which use low-level system calls to hide their activities. Either way, it will always create a number of files and folders to complete its tasks.

If the dropper runs on a system with Admin permissions, it will drop a rootkit to hide itself. The malware creates 17 files when it's run with Admin permissions, 14 files when it's run without. Many of these are randomly named, but there are some that are consistent. With or without Admin permissions, this folder is created:

/Library/ScriptingAdditions/appleHID/

Only with Admin permissions, this folder is created:

/System/Library/Frameworks/Foundation.framework/XPCServices/

Here's where it gets interesting. "The file is created in a way that is intended to make reverse engineering tools more difficult to use when analyzing the file," an Intego spokesperson said in a statement. "This sort of anti-analysis technique is common in Windows malware, but is relatively uncommon for OS X malware."

Curiously, this particular malware only affects OS X 10.6 Snow Leopard and OS X 10.7 Lion. The latest threat further underlines the importance of protecting Macs against malware with an updated antivirus program as well as the latest security updates. That means you should start by getting OS X 10.8 Mountain Lion when it comes out Wednesday (although it's currently unclear whether OSX/Crisis or Mac security software will work on it).
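As an added defensive example (not code from the article or from Intego), the POSIX shell script below checks a Mac for the two folders named above and counts connections to the reported address in a connection log, flagging the five-minute beacon cadence the article describes; the function names, the log format and the sample log are assumptions made here.

```shell
#!/bin/sh
# Added defensive check for the OSX/Crisis indicators reported in the article:
# the two folders it creates and the address it beacons to every five minutes.
# Paths and C2 address come from the article; function names, log format and
# the sample log are assumptions made for this example.
CRISIS_C2_IP="176.58.100.37"

# Folders from the article; the XPCServices one appears only when the dropper
# ran with Admin permissions. A hit is a lead to investigate, not proof.
CRISIS_DIRS="/Library/ScriptingAdditions/appleHID
/System/Library/Frameworks/Foundation.framework/XPCServices"

# crisis_check_dirs ROOT: prints how many indicator folders exist under ROOT
# ("" on a live system, a scratch directory in tests); details go to stderr.
crisis_check_dirs() {
    found=0
    for d in $CRISIS_DIRS; do
        if [ -d "$1$d" ]; then
            echo "indicator folder present: $1$d" >&2
            found=$((found + 1))
        fi
    done
    echo "$found"
}

# crisis_scan_log FILE: one connection per line as
# "<epoch> <proto> <src_ip:port> -> <dst_ip:port>". Prints "<total> <periodic>":
# connections to the C2 address, and how many came 270-330 s after the previous
# one, the five-minute cadence the article describes.
crisis_scan_log() {
    awk -v ip="$CRISIS_C2_IP" '
        index($5, ip ":") == 1 {
            total++
            if (prev != "" && $1 - prev >= 270 && $1 - prev <= 330) periodic++
            prev = $1
        }
        END { printf "%d %d\n", total, periodic }' "$1"
}

# Constructed sample log: three beacons five minutes apart plus unrelated traffic.
CRISIS_SAMPLE_LOG='1343124000 TCP 10.0.0.5:49201 -> 176.58.100.37:80
1343124060 TCP 10.0.0.5:49202 -> 203.0.113.10:443
1343124300 TCP 10.0.0.5:49203 -> 176.58.100.37:80
1343124600 TCP 10.0.0.5:49204 -> 176.58.100.37:80'

# Stand-alone demo: scan this host's root and the sample log.
echo "indicator folders on this host: $(crisis_check_dirs "")"
tmp=$(mktemp); printf '%s\n' "$CRISIS_SAMPLE_LOG" > "$tmp"
echo "C2 connections (total periodic): $(crisis_scan_log "$tmp")"; rm -f "$tmp"
```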

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years, he has covered the tech industry for multiple publications, including Ars Technica, Neowin, and TechSpot.

Talkback

98 comments
  • So where's the website(s) these trojans are located at?

    So they can be tested (or avoided)?
    ~

    (dead silence in the air...)
    CaviarBlack
    • dead silence

      Mainly because those with more than an agenda for trolling are amazed at your utter ignorance maybe?
      MrCaddy
      • Don't mind her

        She thinks Macs can't "catch viruses"
        milo ducillo
        • That's not all that they can't catch, milo dickillo

          They've got YOU.

          lol...
          CaviarBlack
          • Brilliant

            I always have a lot more confidence in what people say when they have to resort to name calling to make their point. Clearly you are an expert who knows what you are talking about and we should all respect your opinions.

            Rick
            rick@...
          • Absolutely it's brilliant

            And since "name calling" works both ways, dumb ass...
            CaviarBlack
          • She never has a point to make

            She's here to deal with her inferiority complex
            milo ducillo
          • While you deal with SJVN's beard

            lol...

            :D
            CaviarBlack
          • What does that even mean?

            While I ... deal with his beard....yeah....

            Hey, you just deal with Barney the purple wolf, know what I'm sayin'?

            You know.
            milo ducillo
          • Aww, you sound annoyed

            Did I annoy you, little girl?

            Go pout to Lovie Dovie's mommy. She's nearby ya know.

            lol...
            CaviarBlack
          • Not defending CB

            But I have yet to see you post a valid point.
            non-biased
          • Nice try CB

            milo ducillo
      • Or maybe Caddy Daddy can't come up with one

        Where is it, you pimp?
        CaviarBlack
        • Under 13?

          I didn't think kids under the age of 13 were supposed to be posting in these forums. Why don't you come back when you are a little more grown up?

          Rick
          rick@...
          • Well mommy let me out

            Ever since she found out Lovie Dovie could come here.

            :p

            lol...
            CaviarBlack
          • Another 15 years should do it

            milo ducillo
          • You won't be around in 15 years

            You'll be in a jail cell for molesting little kids like me.
            CaviarBlack
          • Little kids like you are already ruined by Catholic priests

            milo ducillo
          • But I'm not Catholic

            So EPIC FAIL for you.
            CaviarBlack
          • If you say you're not Catholic

            we believe you.
            :)
            milo ducillo