New OS X trojan identified, bypasses user permissions
MacNN Staff
Join Date: Jul 2012
Status: Offline
Security firm Intego's virus team has identified a new trojan horse malware targeting the Mac platform. The trojan, called Crisis, has yet to be seen in the wild, but Intego says it is engineered to make analysis of the malware difficult for security experts. Intego has stressed alertness regarding the new malware, as it appears to be able to bypass OS X security features and install itself with no user interaction. Crisis has been traced back to the IP address 176.58.100.37, which it calls back to every five minutes for instructions. Only OS X versions 10.6 and 10.7 are said to be susceptible to the malware, which can install and run itself without the need for the user to enter a password. Since the malware is resistant to reboots, it will run until it is detected and removed. If the program is installed on a user account with root permissions, it will install additional programs to hide itself.
With or without root access, Crisis installs the following file: /Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r
When Crisis has root access, it installs two files: /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server and /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources/
Intego says that the malware was created in a way that makes it more difficult for reverse-engineering tools to analyze. Anti-analysis measures of this sort are said to be more common for Windows malware but relatively uncommon for programs targeting Macs. Intego has updated its VirusBarrier X6 software to guard against this malware, with virus definitions dated July 24, 2012 or later.
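Added example, not code from the post above or from Intego: a POSIX shell script that checks a Mac for the indicators the post quotes, the three paths and the callback address. The function names, the PREFIX argument (so a mounted image from another Mac can be scanned) and the CRISIS_* variable names are this example's own; the paths and IP are the ones in the post. The third path is given in the post as a directory ("Contents/Resources/"), so it is tested as a path rather than as a file, and the script does not guess at a file name inside it.

```shell
#!/bin/sh
# Added example, not code from the MacNN post or from Intego: check a Mac for
# the Crisis indicators quoted in the post. Function names, the PREFIX argument
# and the CRISIS_* names are this example's own.

# On-disk indicators, as quoted in the post. The third is given there as a
# directory ("Contents/Resources/"), so it is checked as a path, not a file.
CRISIS_PATHS="
/Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r
/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server
/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources
"

# Callback address quoted in the post. Variants may well use others, so a
# clean result here says nothing about samples that beacon elsewhere.
CRISIS_C2="176.58.100.37"

# crisis_check_paths [PREFIX]
# Looks for each indicator under PREFIX (default "/"; give a mount point to
# scan another Mac's disk image). Hits go to stderr; stdout is the count.
crisis_check_paths() {
    prefix="${1:-/}"
    prefix="${prefix%/}"
    found=0
    for p in $CRISIS_PATHS; do
        if [ -e "$prefix$p" ]; then
            echo "FOUND: $prefix$p" >&2
            found=$((found + 1))
        fi
    done
    echo "$found"
}

# crisis_list_osax [PREFIX]
# Lists third-party scripting additions. Apple's own live under
# /System/Library/ScriptingAdditions, so anything in /Library/ScriptingAdditions
# was put there by something else and deserves a look even if it is not appleHID.
crisis_list_osax() {
    prefix="${1:-/}"
    prefix="${prefix%/}"
    d="$prefix/Library/ScriptingAdditions"
    if [ -d "$d" ]; then
        ls -la "$d"
    fi
    return 0
}

# crisis_scan_netstat
# Reads "netstat -an" output on stdin and prints how many lines mention the
# callback address. -F because the dots would otherwise be regex wildcards.
crisis_scan_netstat() {
    grep -cF "$CRISIS_C2" || true
}

# crisis_report [PREFIX]
# Runs the checks against the live system. Exit status 0 means nothing found.
# A five-minute beacon is easy to miss in one snapshot, so repeat the netstat
# check a few times, or watch for the address at the firewall instead.
crisis_report() {
    prefix="${1:-/}"
    hits=$(crisis_check_paths "$prefix")
    crisis_list_osax "$prefix"
    conns=0
    if command -v netstat >/dev/null 2>&1; then
        conns=$(netstat -an 2>/dev/null | crisis_scan_netstat)
    fi
    echo "Crisis indicators: $hits path(s) present, $conns connection(s) to $CRISIS_C2"
    [ "$hits" -eq 0 ] && [ "$conns" -eq 0 ]
}

# Stand-alone use: sh crisis_check.sh  (set CRISIS_NO_MAIN=1 to only load the functions)
if [ -z "${CRISIS_NO_MAIN:-}" ]; then
    crisis_report / || echo "review the FOUND lines above" >&2
fi
```

The file check runs fine as an ordinary user; the netstat pass only sees this machine's current sockets, so a beacon that fires every five minutes may not be up at the moment you look. Absence of all three paths is not proof of a clean system either, since a variant can use different names; treat this as a quick triage, not as a replacement for a scanner with current definitions.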
Grizzled Veteran
Join Date: Mar 2001
Location: Hong Kong
Status: Offline
Of course. New malware never seen in the wild has been "discovered" by an anti-virus company, whose product has been updated to detect it.
It's like a home alarm company representative "coincidentally" calls you the day after a rock gets thrown through your window.
Forum Regular
Join Date: Sep 2000
Location: OR, USA
Status: Offline
I've always wondered about malware and viruses NOT in the wild, that have been discovered...hmmm.
- Michael
Forum Regular
Join Date: Nov 2009
Status: Offline
Someone should sue Apple for all that false advertising. "Oh the Mac does not get viruses...." Riiiiight. If someone thinks this is a rare occurrence, this is only the beginning for Mac-based malware, trojans and viruses. Welcome to the +10% club!
Dedicated MacNNer
Join Date: Jan 2002
Location: State of WA
Status: Offline
We hear this crap all the time from companies that coincidentally sell anti-virus software.
It's called FUD.
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Originally Posted by tonton
Of course. New malware never seen in the wild has been "discovered" by an anti-virus company, whose product has been updated to detect it.
It's like a home alarm company representative "coincidentally" calls you the day after a rock gets thrown through your window.
I'm fine with any non-malicious entity that helps Apple find and patch security flaws, and I don't mind them making money selling anti-virus software, although I agree their tactics are rather manipulative.
Mac Elite
Join Date: Oct 2000
Location: Oakland, CA
Status: Offline
I would just find these 'security experts' to be more helpful to send this stuff to Apple to fix, than posting how-to's to the public.
Mac Enthusiast
Join Date: Nov 2005
Location: New York City
Status: Offline
To protect yourself from this, you can do the following:
1. Block IP address 176.58.100.37 with a firewall.
2. Create locked dummy files with the same filenames and put them in the appropriate folders.
Mac Pro 3.2x8 - 48GB - EVGA GTX 680 - Apple Remote - Dell 3007WFP-HC
MacBook 2GHz - C2D - 8GB - GF 9400M
Mac mini 2.33GHz C2D - 4GB - GMA950 - 2 Drobos - SS4200 (unRAID)
iPhone 5 + iPhone 4 S⃣
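Added example, not chefpastry's or Intego's code: the two mitigations in the post above, scripted. The IP and paths are the ones quoted in the thread; the function names and the com.apple/crisis anchor name are this example's own. Two assumptions worth stating: 10.7 (Lion) filters with pf and its stock /etc/pf.conf evaluates anchor "com.apple/*", while 10.6 (Snow Leopard) has ipfw, so both rule sets are generated and the applicable one is loaded. Two caveats a practitioner would want: a single-address block only helps against the sample that calls this one address, and an installer running as root can clear the immutable flag on a decoy with "chflags nouchg", so the decoys only stop an installer that does not bother to.

```shell
#!/bin/sh
# Added example, not chefpastry's or Intego's code: block the callback address
# and plant locked placeholder files where Crisis writes. IP and paths are the
# ones quoted in the thread; function and anchor names are this example's own.

CRISIS_C2="176.58.100.37"
CRISIS_PATHS="
/Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r
/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server
/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources
"

# crisis_pf_rules: rules for pf (10.7). "quick" ends evaluation on match.
# Both directions are blocked: the five-minute beacon out, and anything the
# server might push back in.
crisis_pf_rules() {
    printf 'block drop out quick from any to %s\n' "$CRISIS_C2"
    printf 'block drop in quick from %s to any\n' "$CRISIS_C2"
}

# crisis_ipfw_rules: the same for ipfw (10.6). Rule numbers 1000/1001 are an
# arbitrary choice; ipfw evaluates in ascending order.
crisis_ipfw_rules() {
    printf 'ipfw add 1000 deny ip from any to %s\n' "$CRISIS_C2"
    printf 'ipfw add 1001 deny ip from %s to any\n' "$CRISIS_C2"
}

# crisis_apply_firewall: load whichever rule set the system understands.
# Needs root. On pf the rules go into the com.apple/crisis anchor, which the
# stock pf.conf's anchor "com.apple/*" line picks up. Neither pf nor ipfw
# rules survive a reboot; reapply from a startup item if you keep them.
crisis_apply_firewall() {
    if command -v pfctl >/dev/null 2>&1; then
        rules=$(mktemp)
        crisis_pf_rules > "$rules"
        pfctl -a com.apple/crisis -f "$rules"
        rm -f "$rules"
        pfctl -e 2>/dev/null || true   # "already enabled" is fine
    elif command -v ipfw >/dev/null 2>&1; then
        crisis_ipfw_rules | sh
    else
        echo "neither pfctl nor ipfw found" >&2
        return 1
    fi
}

# crisis_place_decoys [PREFIX]
# Creates an empty, read-only, user-immutable file at each path so the
# installer's own create fails. The third path is a directory in the
# write-up; a regular file there makes the installer's mkdir fail as well.
# Existing entries are never touched: run an indicator check first, since
# "already there" may be the real thing. Prints the number of decoys made.
crisis_place_decoys() {
    prefix="${1:-/}"
    prefix="${prefix%/}"
    made=0
    for p in $CRISIS_PATHS; do
        f="$prefix$p"
        if [ -e "$f" ]; then
            echo "exists, skipped: $f" >&2
            continue
        fi
        mkdir -p "$(dirname "$f")"
        : > "$f"
        chmod 0444 "$f"
        # uchg is the OS X user-immutable flag; root can clear it with
        # "chflags nouchg". Skipped quietly where chflags does not exist.
        if command -v chflags >/dev/null 2>&1; then
            chflags uchg "$f"
        fi
        made=$((made + 1))
    done
    echo "$made"
}

# Stand-alone use (as root): crisis_apply_firewall && crisis_place_decoys /
# Run without root it only prints the pf rules it would load.
if [ -z "${CRISIS_NO_MAIN:-}" ]; then
    crisis_pf_rules
fi
```

To undo the decoys later, clear the flag and delete the file ("chflags nouchg FILE; rm FILE"); to drop the firewall rules on pf, flush the anchor with "pfctl -a com.apple/crisis -F all". Neither measure removes an infection that is already present, and as the reply below notes, a different sample may simply call a different address.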
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Originally Posted by exca1ibur
I would just find these 'security experts' to be more helpful to send this stuff to Apple to fix, than posting how-to's to the public.
Sometimes making these public inspires much quicker action. In a way I don't mind some profit being made either. Why would anybody spend so much time finding security flaws like this just because they want to be nice to Apple?
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Originally Posted by chefpastry
To protect yourself from this, you can do the following:
1. Block IP address 176.58.100.37 with a firewall.
2. Create locked dummy files with the same filenames and put them in the appropriate folders.
Wouldn't it be wise to assume that there are variants of this that use different IP addresses?
Fresh-Faced Recruit
Join Date: Dec 2011
Status: Offline
"The trojan, called Crisis, ... appears to be able to bypass OS X security features and install itself with no user interaction."
A contradiction in terms there that reveals some highly likely self-advertising using scare-mongering tactics.
Technically, if it installs with no user interaction it's a virus, not a Trojan. There's something about this malware's delivery method that they have kept out of this announcement.
Add to that discrepancy the fact that "it hasn't been seen in the wild", and it begins to unravel as a vendor's laboratory product that coincidentally it has "updated its VirusBarrier X6 software to guard against".
Pull the other leg, Intego, it's got bells on it...