New OS X trojan identified, bypasses user permissions
MacNN Staff
Join Date: Jul 2012
Status: Offline
Jul 24, 2012, 04:09 PM
 
Security firm Intego's virus team has identified a new trojan horse malware targeting the Mac platform. The trojan, called Crisis, has yet to be seen in the wild, but Intego says it is engineered to make analysis of the malware difficult for security experts. Intego has stressed alertness regarding the new malware, as it appears to be able to bypass OS X security features and install itself with no user interaction.

Crisis has been traced back to the IP address 176.58.100.37, which it calls back to every five minutes for instructions. Only OS X versions 10.6 and 10.7 are said to be susceptible to the malware, which can install and run itself without the need for the user to enter a password. Since the malware is resistant to reboots, it will run until it is detected and removed. If the program is installed on a user account with root permissions, it will install additional programs to hide itself.

With or without root access, Crisis installs the following file:

/Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r

When Crisis has root access, it installs two files:

/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server
/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources/

Intego says that the malware was built in a way that makes it more difficult for reverse engineering tools to analyze. Anti-analysis measures of this sort are said to be more common for Windows malware but relatively uncommon for programs targeting Macs. Intego has updated its VirusBarrier X6 software to guard against this malware with definitions dated July 24, 2012 or later.
     
Grizzled Veteran
Join Date: Mar 2001
Location: Hong Kong
Status: Offline
Jul 24, 2012, 04:18 PM
 
Of course. New malware never seen in the wild has been "discovered" by an anti-virus company, whose product has been updated to detect it.

It's like a home alarm company representative "coincidentally" calls you the day after a rock gets thrown through your window.
n+N

Got Vurt? Jeff Noon
     
Forum Regular
Join Date: Sep 2000
Location: OR, USA
Status: Offline
Jul 24, 2012, 05:25 PM
 
I've always wondered about malware and viruses NOT in the wild, that have been discovered...hmmm.
-
Michael
     
Forum Regular
Join Date: Nov 2009
Status: Offline
Jul 24, 2012, 06:31 PM
 
Someone should sue Apple for all that false advertising. "Oh the Mac does not get viruses...." Riiiiight. If someone thinks this is a rare occurrence, this is only the beginning for Mac-based malware, trojans and viruses. Welcome to the +10% club!
     
Dedicated MacNNer
Join Date: Jan 2002
Location: State of WA
Status: Offline
Jul 24, 2012, 08:31 PM
 
We hear this crap all the time from companies that coincidentally sell anti-virus software.

It's called FUD.
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jul 24, 2012, 08:33 PM
 
Originally Posted by tonton View Post
Of course. New malware never seen in the wild has been "discovered" by an anti-virus company, whose product has been updated to detect it.
It's like a home alarm company representative "coincidentally" calls you the day after a rock gets thrown through your window.
I'm fine with any non-malicious entity that helps Apple find and patch security flaws, and I don't mind them making money selling anti-virus software, although I agree their tactics are rather manipulative.
     
Mac Elite
Join Date: Oct 2000
Location: Oakland, CA
Status: Offline
Jul 24, 2012, 09:38 PM
 
I would just find these 'security experts' to be more helpful to send this stuff to Apple to fix, than posting how-to's to the public.
     
Mac Enthusiast
Join Date: Nov 2005
Location: New York City
Status: Offline
Jul 25, 2012, 12:17 AM
 
To protect yourself from this, you can do the following:

1. Block IP address 176.58.100.37 with a firewall.
2. Create locked dummy files with the same filenames and put them in the appropriate folders.
Mac Pro 3.2x8 - 48GB - EVGA GTX 680 - Apple Remote - Dell 3007WFP-HC
MacBook 2GHz - C2D - 8GB - GF 9400M
Mac mini 2.33GHz C2D - 4GB - GMA950 - 2 Drobos - SS4200 (unRAID)
iPhone 5 + iPhone 4S
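The two steps above, together with the file paths and callback address quoted in the news post, are enough to write a small defender-side check. The script below is an added example and is not code from the MacNN post, from chefpastry or from Intego: the function names, the --scan/--pf-rule/--lock flags and the pf rule text are this example's own choices, and the optional root-directory argument exists only so the scan can be exercised against a test tree instead of the live filesystem. It reports whether any of the three Crisis paths exist, prints a pf rule for the one address the article names (a variant using another address would not be covered), and can create the locked placeholder files the post suggests. Note the limit of that last step: an installer already running as root can clear the uchg flag, so the placeholders only hinder the non-root install path.

```shell
#!/bin/sh
# Added example (not from the MacNN post or Intego): scan for the Crisis
# indicator paths from the article, emit a pf block rule for its callback
# address, and optionally create locked placeholder files in those locations.
# All paths are checked relative to ROOT (default: the real filesystem).

CRISIS_C2_IP="176.58.100.37"   # callback address quoted in the article

# The three paths quoted in the article; the Resources/ entry is a directory.
crisis_ioc_paths() {
    cat <<'EOF'
/Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r
/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server
/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources/
EOF
}

# Number of indicator paths that exist under ROOT (printed, always exits 0).
crisis_hit_count() {
    root="${1:-}"
    n=0
    for p in $(crisis_ioc_paths); do
        [ -e "$root$p" ] && n=$((n + 1))
    done
    echo "$n"
}

# Print every indicator found; exit 0 when clean, 1 when anything is present.
crisis_scan() {
    root="${1:-}"
    for p in $(crisis_ioc_paths); do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
        fi
    done
    [ "$(crisis_hit_count "$root")" -eq 0 ]
}

# pf rules dropping traffic to and from the callback address (step 1 above).
# They are printed rather than loaded; add them to a pf anchor of your choice.
crisis_pf_rule() {
    printf 'block drop quick from any to %s\n' "$CRISIS_C2_IP"
    printf 'block drop quick from %s to any\n' "$CRISIS_C2_IP"
}

# Step 2 above: create read-only placeholder files at the two file paths
# (the directory entry is skipped) and set the uchg flag where chflags exists.
crisis_lock_dummies() {
    root="${1:-}"
    for p in $(crisis_ioc_paths); do
        case "$p" in */) continue ;; esac
        mkdir -p "$(dirname "$root$p")"
        if [ ! -e "$root$p" ]; then
            : > "$root$p"
        fi
        chmod 0444 "$root$p"
        if command -v chflags >/dev/null 2>&1; then
            chflags uchg "$root$p"
        fi
    done
}

case "${1:-}" in
    --scan)    crisis_scan "${2:-}" ;;
    --pf-rule) crisis_pf_rule ;;
    --lock)    crisis_lock_dummies "${2:-}" ;;
esac
```

Run it as sh crisis_check.sh --scan on a Mac to list any of the three paths that exist; once placeholders have been created with --lock, the same scan will of course report them, so decide on one of the two uses per machine.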
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jul 25, 2012, 02:48 AM
 
Originally Posted by exca1ibur View Post
I would just find these 'security experts' to be more helpful to send this stuff to Apple to fix, than posting how-to's to the public.
Sometimes making these public inspires much quicker action. In a way I don't mind some profit being made either. Why would anybody spend so much time finding security flaws like this just because they want to be nice to Apple?
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jul 25, 2012, 02:48 AM
 
Originally Posted by chefpastry View Post
To protect yourself from this, you can do the following:
1. Block IP address 176.58.100.37 with a firewall.
2. Create locked dummy files with the same filenames and put them in the appropriate folders.
Wouldn't it be wise to assume that there are variants of this that use different IP addresses?
     
Fresh-Faced Recruit
Join Date: Dec 2011
Status: Offline
Jul 25, 2012, 05:11 AM
 
"The trojan, called Crisis, ... appears to be able to bypass OS X security features and install itself with no user interaction."

A contradiction in terms there that reveals some highly likely self-advertising using scare-mongering tactics.

Technically, if it installs with no user interaction it's a virus, not a Trojan. There's something about this malware's delivery method that they have kept out of this announcement.

Add to that discrepancy the fact that "it hasn't been seen in the wild", and it begins to unravel as a vendor's laboratory product that coincidentally it has "updated its VirusBarrier X6 software to guard against".

Pull the other leg, Intego, it's got bells on it...
     
All contents of these forums © 1995-2015 MacNN. All rights reserved.