The folks at Intego, the Apple security specialist, say they’ve discovered a new Mac trojan called OSX/Crisis.
So far Intego says the risk is low as this malware has not yet been found “in the wild.” However, it installs itself without user permission, and hides itself well if installed with root permission, they say.
What’s more, Intego says it’s discovered a new Trojan horse, Crisis, which is a Trojan dropper. This Trojan horse hasn’t been found in the wild, but it exhibits some anti-analysis and stealthing techniques that are uncommon among OS X malware, the company adds..
Here’s Intego’s description: “This threat works only in OSX versions 10.6 and 10.7 — Snow Leopard and Lion. It installs without need of any user interaction; no password is required for it to run. The Trojan preserves itself against reboots, so it will continue to run until it’s removed. Depending on whether or not the dropper runs on a user account with root permissions, it will install different components. It remains to be seen if or how this threat is installed on a user’s system; it may be that an installer component will try to establish root permissions.
“If the dropper runs on a system with root access, it will drop a rootkit to hide itself. In either case, it creates a number of files and folders to complete its task; 17 files when it’s run with root access, 14 files when it’s run without. Many of these are randomly named, but there are some that are consistent.
“The backdoor component calls home to the IP address 18.104.22.168 every 5 minutes, awaiting instructions. The file is created in a way that is intended to make reverse engineering tools more difficult when analyzing the file. This sort of anti-analysis technique is common in Windows malware, but is relatively uncommon for OS X malware.
Intego says to use their VirusBarrier X6 (www.intego.com/virusbarrier/) product as it protects users from this malware with malware definitions dated July 24, 2012 or later. VirusBarrier X6’s real-time scanner will detect the file when it’s downloaded, and its anti-spyware protection will block any connections to remote servers if a user has installed the Trojan horse, they add.