Free Republic
News/Activism


New Apple Mac Trojan Called OSX/Crisis Discovered (Possibly not in wild)
Intego | July 24, 2012 | Lysa Myers

Posted on 07/26/2012 10:34:10 AM PDT by zeugma

Update – July 25, 2012 10:30AM PDT

This threat may run on Leopard 10.5, but it has a tendency to crash. It does not run on the new Mountain Lion 10.8.
_______

Intego has discovered a new Trojan called OSX/Crisis. This threat is a dropper which creates a backdoor when it’s run. It installs silently, without requiring a password, and works only in OSX versions 10.6 and 10.7 – Snow Leopard and Lion.

The Trojan preserves itself against reboots, so it will continue to run until it’s removed. Depending on whether or not the dropper runs on a user account with Admin permissions, it will install different components. We have not yet seen if or how this threat is installed on a user’s system; it may be that an installer component will try to establish Admin permissions.

If the dropper runs on a system with Admin permissions, it will drop a rootkit to hide itself. In either case, it creates a number of files and folders to complete its tasks. It creates 17 files when it’s run with Admin permissions, 14 files when it’s run without. Many of these are randomly named, but there are some that are consistent.

With or without Admin permissions, this folder is created:

Only with Admin permissions, this folder is created:

The backdoor component calls home to the IP address 176.58.100.37 every 5 minutes, awaiting instructions. The file is created in a way that is intended to make reverse engineering tools more difficult to use when analyzing the file. This sort of anti-analysis technique is common in Windows malware, but is relatively uncommon for OS X malware.

It uses low-level system calls to hide its activities, as shown in the following images:

Intego found samples of this malware on the VirusTotal website, a site used by security companies to share malware samples. This threat has not yet been found in the wild, and so far there is no indication that this Trojan has infected users, so right now the threat is considered to be a low risk. Nonetheless, Intego VirusBarrier X6 detects and removes this malware using today’s definitions. It detects the dropper component as OSX/Crisis, and the backdoor component as Backdoor:OSX/Crisis. It will also block connections with the IP address the backdoor component seeks to connect with.

Intego VirusBarrier X6 users need to update as soon as possible to get protection from this threat.

We are still analyzing the threat at this time. We will post a more in-depth analysis as we have more details.



TOPICS: Business/Economy; Crime/Corruption
KEYWORDS: apple; mac; trojan
At this time, it doesn't appear that this particular trojan is out there in the wild, but it may be. Those of you with Macs should probably check for the existence of the directories mentioned in the article. I've yet to see the mechanism that it is using to allegedly install without a password.

Note that this article is from a company that makes anti-virus software, so histrionics should be taken with a grain of salt. I'm sure there will be more details later.

1 posted on 07/26/2012 10:34:19 AM PDT by zeugma
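The one behaviour in the article that a network log can show even when the host is lying (the rootkit variant hides its files) is the beacon: a call home to 176.58.100.37 every 5 minutes. The script below is an added example, not part of the Intego post or of this thread. It flags source hosts whose connections to that address recur at roughly the 5-minute cadence. The log layout (epoch seconds, source host, destination IP, destination port), the 30-second jitter tolerance, the minimum hit count and the hostnames in the sample are all constructed assumptions; a real pf, proxy or NetFlow export needs its own field mapping.

```sh
#!/bin/sh
# Added example (not from the Intego post or the thread): flag hosts whose
# connections to the OSX/Crisis C2 address recur on the ~5-minute beacon
# interval the article describes.
#
# ASSUMED log layout, one connection per line, in chronological order
# (run `sort -n` over the file first if it is not):
#   <epoch_seconds> <src_host> <dst_ip> <dst_port>

C2_IP="176.58.100.37"
BEACON_SECS=300   # "calls home ... every 5 minutes"
TOLERANCE=30      # accept +/- 30 s of jitter (assumption)
MIN_HITS=3        # fewer than 3 connections is not a cadence

# Write a CONSTRUCTED sample log to the file named in $1.
# mac-alice beacons at 300/301/299 s; mac-carol hits the C2 twice, 45 min
# apart; mac-bob never talks to it.
write_sample_log() {
    cat > "$1" <<'EOF'
1343322000 mac-alice 176.58.100.37 80
1343322001 mac-bob 17.172.224.47 443
1343322300 mac-alice 176.58.100.37 80
1343322310 mac-carol 176.58.100.37 80
1343322601 mac-alice 176.58.100.37 80
1343322900 mac-alice 176.58.100.37 80
1343325000 mac-carol 176.58.100.37 80
EOF
}

# find_beacons LOGFILE
# Prints one line per beaconing source host: "<host> <hits> <regular_gaps>",
# where regular_gaps counts consecutive C2 connections spaced at the beacon
# interval (within TOLERANCE).
find_beacons() {
    awk -v c2="$C2_IP" -v period="$BEACON_SECS" -v tol="$TOLERANCE" -v min="$MIN_HITS" '
        $3 == c2 {
            host = $2
            hits[host]++
            if (host in last) {
                gap = $1 - last[host]
                if (gap >= period - tol && gap <= period + tol)
                    regular[host]++
            }
            last[host] = $1
        }
        END {
            for (h in hits)
                if (hits[h] >= min && regular[h] >= min - 1)
                    print h, hits[h], regular[h]
        }' "$1"
}

# Stand-alone use: ./beacons.sh connections.log
if [ "$#" -gt 0 ]; then
    find_beacons "$1"
fi
```

Two connections at the right spacing is not enough to call a host infected, which is why the threshold needs both a minimum hit count and a run of regular gaps; a host that hits the address twice an hour apart (mac-carol in the sample) drops out. Because the article says the interval is fixed at 5 minutes, the tolerance can stay tight; for implants that randomise their sleep you would widen it or look at the distribution of gaps instead.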

To: zeugma; ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; ...
New Trojan spotted NOT IN THE WILD, only in testing labs —PING!


Apple OSX security Ping!

Please, No Flame Wars!
Discuss technical issues, software, and hardware.
Don't attack people!
Don't respond to the Anti-Apple Thread Trolls!
PLEASE IGNORE THEM!!!

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 07/26/2012 10:57:13 AM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

Thanks. I was just about to ping you.


3 posted on 07/26/2012 11:02:01 AM PDT by zeugma (Those of us who work for a living are outnumbered by those who vote for a living.)

To: zeugma

Please walk me through the process to check for this virus.

I was not a regular Mac user until recently, when I retired and had to turn in my work (Windows) laptop.

Now using wife’s Mac (Mac OS X Lion 10.7.4).

This computer freezes and crashes all the time.

Took to Mac store and they said looks fine and when I asked about viruses they said they don’t check for viruses because Macs don’t get viruses.

So, please walk me through click-by-click so I can check because my computer sounds like it has the problem described.

Thanks.


4 posted on 07/26/2012 11:45:52 AM PDT by Hulka

To: zeugma

Check the Mac bookmark.


5 posted on 07/26/2012 11:56:41 AM PDT by Sergio (An object at rest cannot be stopped! - The Evil Midnight Bomber What Bombs at Midnight)

To: Hulka

The few times my Mac has frozen, is when it’s running a Flash video.


6 posted on 07/26/2012 11:59:37 AM PDT by dfwgator (FUJR (not you, Jim))

To: Hulka
Start by looking for the two folders mentioned in the article. (The first one should be ~/Library/ScriptingAdditions/appleHID/, equivalent to /Users/<you>/Library/ScriptingAdditions/appleHID/.)

If you don't find either, and you probably won't, then the cause of the freezes is something else. If you do, then google for removal instructions or set up a Genius Bar appointment.

7 posted on 07/26/2012 12:16:07 PM PDT by cynwoody

To: Hulka

I should add, the easiest way to check whether a folder exists is to type Cmd-Shift-G in a Finder window, then paste in the path to the supposed folder. That will either navigate to the folder or give an error message.


8 posted on 07/26/2012 12:21:15 PM PDT by cynwoody

To: cynwoody
Thanks. . .but, seriously, how do I go to "~/Library/ScriptingAdditions/appleHID/, equivalent to /Users/<you>/Library/ScriptingAdditions/appleHID"? I don't know how to search for files. . .something along the lines of "Finder"? Please help with click-by-click instructions. Thanks. (Yes, I really am not that familiar with Macs).
9 posted on 07/26/2012 12:26:10 PM PDT by Hulka

To: cynwoody

Went to “Finder” and opened “Go to Folder” and pasted in “/Library/ScriptingAdditions/appleHID/”

Clicked and got the “chirp” and nothing.

Can I get a step-by-step, click by click, tutorial never-before-did-this sort of walk-through?

Thanks.

Have to run off to teach class.

I’ll check back later.

Cheers.


10 posted on 07/26/2012 12:33:11 PM PDT by Hulka

To: cynwoody

Went to “Finder” and opened “Go to Folder” and pasted in “/Library/ScriptingAdditions/appleHID/”

Clicked and got the “chirp” and nothing.

Went and found the library file and went to the ScriptingAdditions file and clicked on it and it shows the file is empty.

Is this normal?

Am I not seeing something I should?

Thanks.

Have to run off to teach class.

I’ll check back later.

Cheers.


11 posted on 07/26/2012 12:40:55 PM PDT by Hulka

To: Swordmaker

I like the big red apple.

Looks like I may have downloaded Mountain Lion just in time. ;>)

But damn, it took about 6 hours to download. I don’t know if I like it yet.


12 posted on 07/26/2012 1:12:02 PM PDT by Gator113 (***YOU GAVE it to Obama. I would have voted for NEWT.~Just livin' life, my way~)

To: Hulka
Went to “Finder” and opened “Go to Folder” and pasted in “/Library/ScriptingAdditions/appleHID/”

So far, so good. Except the correct path starts with a tilde: “~/Library/ScriptingAdditions/appleHID/” (the article is quoted incorrectly). The tilde means the path is relative to your home directory. The system will substitute "/Users/[your userid]" for it, resulting in an absolute path.

The other path mentioned, "/System/Library/Frameworks/Foundation.framework/XPCServices/", is absolute, so you can paste it in as is. It's also protected, so you won't find anything there unless you got tricked into entering your password.

Clicked and got the “chirp” and nothing.

That means the folder wasn't found. However, since the tilde was missing, it also doesn't prove anything. If you try it again with the tilde in place, and it does the same thing, you are clear, at least for that folder.

You can also use Terminal for this type of checking. To open a Terminal window, enter Cmd-Space and type Terminal into the Spotlight window. Select the Terminal application and hit Enter. In the Terminal window, type 'ls ', paste in the path you want to check, and hit Enter. It should look something like this:

cynwoody:~$ ls /System/Library/Frameworks/Foundation.framework/XPCServices/
ls: /System/Library/Frameworks/Foundation.framework/XPCServices/: No such file or directory
cynwoody:~$ ls ~/Library/ScriptingAdditions/appleHID/
ls: /Users/cynwoody/Library/ScriptingAdditions/appleHID/: No such file or directory
cynwoody:~$ 

Note in the second case how it expanded the tilde in the response.

If the folder exists, it will show the contents. E.g., here's an example of a positive response:

cynwoody:~$ ls /System/Library/Frameworks/Foundation.framework/
CodeResources Foundation    Headers       Resources     Versions
cynwoody:~$ 

It prints out the files and folders actually contained in the folder that supposedly contains XPCServices.

13 posted on 07/26/2012 1:28:35 PM PDT by cynwoody
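The two folder checks from the article and the Terminal `ls` checks in post 13, rolled into one script so the tilde never has to be typed: an added example, not code from Intego or from anyone in this thread. The two paths are the ones quoted in this thread; the function names, the `--check` flag and the idea of passing the home directory and system root as arguments (so a second volume can be inspected) are my own.

```sh
#!/bin/sh
# Added example, not from the Intego post or this thread: check the two
# OSX/Crisis folders named in the thread, then look for a live TCP
# connection to the C2 address from the article. Function and flag names
# are my own.

C2_IP="176.58.100.37"

# crisis_ioc_dirs HOME_DIR [SYSTEM_ROOT]
# The home directory is passed explicitly, so "~" is never left for the
# reader to expand. SYSTEM_ROOT is "/" on the live machine (the default) or
# the mount point of another boot volume being inspected.
# Prints each folder found; returns 0 when none exist, 1 when any does.
crisis_ioc_dirs() {
    home="$1"
    root="${2:-/}"
    root="${root%/}"          # "/" becomes "", so paths keep a single slash
    found=0
    for d in \
        "$home/Library/ScriptingAdditions/appleHID" \
        "$root/System/Library/Frameworks/Foundation.framework/XPCServices"
    do
        if [ -e "$d" ]; then
            echo "FOUND: $d"
            found=1
        fi
    done
    return "$found"
}

# crisis_c2_connections
# Lists TCP sockets talking to the C2 address. lsof ships with OS X; on a
# system without it the check is skipped. Returns 0 when none, 1 when any.
crisis_c2_connections() {
    command -v lsof >/dev/null 2>&1 || return 0
    hits=$(lsof -nP -iTCP 2>/dev/null | grep -F "$C2_IP" || true)
    [ -z "$hits" ] && return 0
    printf 'FOUND: connection(s) to %s\n%s\n' "$C2_IP" "$hits"
    return 1
}

# Only touch the live system when explicitly asked, so the functions can
# also be sourced from another script.   Usage: sh crisis_check.sh --check
if [ "${1:-}" = "--check" ]; then
    status=0
    crisis_ioc_dirs "$HOME" / || status=1
    crisis_c2_connections || status=1
    [ "$status" -eq 0 ] && echo "No OSX/Crisis indicators found"
    exit "$status"
fi
```

Two caveats that follow from the article itself. First, when the dropper ran with Admin rights it installs a rootkit that uses low-level system calls to hide its activity, so a clean result from `ls`, Finder or this script on the suspect machine is not conclusive; running the folder check against the suspect volume mounted from another boot (passing its mount point as SYSTEM_ROOT and the user's home under it) avoids the hooked system. Second, the backdoor only contacts the address every 5 minutes, so a single `lsof` snapshot can miss it; repeat it over several minutes, or watch the address at the firewall as the article says VirusBarrier does.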

To: cynwoody

Thanks for helping on this. Hadn’t been able to check back on this thread. You did much better than I would have anyway, as I’m a Linux guy, not a Mac head because I just haven’t had the time to do much of anything on a Mac. I’m fine once I get the terminal window open though. :-)


14 posted on 07/26/2012 1:41:42 PM PDT by zeugma (Those of us who work for a living are outnumbered by those who vote for a living.)

To: cynwoody

Thanks.

“If you try it again with the tilde in place, and it does the same thing, you are clear, at least for that folder. “

I am clear.

Appreciate the assist.


15 posted on 07/27/2012 6:57:47 AM PDT by Hulka
