It is a popular belief that Apple's mac is virus free but now again today, Mac security firm Intego announced that it had discovered a new Mac OS X trojan called OSX/Crisis. The malware installs itself without user intervention and hides itself well if installed with root permission.
While the risk has been identified as low — the malware has not yet been found in the wild — it’s alarming that OSX/Crisis exhibits a number of stealthing qualities rarely seen in OS X malware. For one, OSX/Crisis is what’s formally known as a Trojan dropper, which means it can cloak itself behind the guise of a music file, a game or a screen saver.
Luckily, there are ways to check if your Mac has been infected. If OSX/Crisis is installed on a Mac running in root or administrator mode, the following files will turn up:
- /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server
- /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources/
- /Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r
However, without root access, only the last file will be present:
- /Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r
OSX/Crisis routinely calls home to the IP address 176.58.100.37 every 5 minutes, awaiting instructions. However, it’s worth noting that this IP address could change over time.
Additionally, the backdoor file with this functionality has been coded in such a way that reverse engineering tools won’t work as well when analyzing the file — a technique called anti-analysis which is commonly seen in Windows malware, yet almost unheard of in OS X malware.
OSX/Crisis is only threatening to the two latest versions of Mac OS X, Snow Leopard and Lion.
On the bright side, if you already use Intego VirusBarrier X6, all you need to do is update to get the latest protection from this threat. Otherwise, users with malware anxiety can check out the relevant Mac protection software from Intego here.


 
 
.jpg?imgmax=800) 
 
 
 
 11:33 AM
11:33 AM
 Unknown
Unknown
 

 Posted in:
 Posted in:   
 
 
0 comments:
Post a Comment