New Mac Trojan installs silently, no password required

[Open Minded]

A new Mac OS X Trojan has been discovered that drops different components depending on whether or not it is executed on a user account with Admin permissions. The threat installs itself silently (no user interaction required) and also does not need your user password to infect your Apple Mac. The backdoor component calls home to the IP address 176.58.100.37 every five minutes, awaiting instructions.

Intego, which had to update its anti-malware signatures upon discovering the threat, refers to it as "OSX/Crisis." The good news is that the security firm has yet to find OSX/Crisis in the wild; the company only stumbled upon it over at VirusTotal, a service for analyzing suspicious files and URLs.

This Trojan is like most: when run, it installs silently to create a backdoor. What makes this threat particularly worrying is that depending on whether or not it runs on a user account with Admin permissions, it will install different components, which use low-level system calls to hide their activities. Either way, it will always create a number of files and folders to complete its tasks.

If the dropper runs on a system with Admin permissions, it will drop a rootkit to hide itself. The malware creates 17 files when it's run with Admin permissions, 14 files when it's run without. Many of these are randomly named, but there are some that are consistent.

With or without Admin permissions, this folder is created: /Library/ScriptingAdditions/appleHID/

Only with Admin permissions, this folder is created: /System/Library/Frameworks/Foundation.framework/XPCServices/

Here's where it gets interesting. "The file is created in a way that is intended to make reverse engineering tools more difficult to use when analyzing the file," an Intego spokesperson said in a statement. "This sort of anti-analysis technique is common in Windows malware, but is relatively uncommon for OS X malware."

Curiously, this particular malware only affects OS X 10.6 Snow Leopard and OS X 10.7 Lion. The latest threat further underlines the importance of protecting Macs against malware with an updated antivirus program as well as the latest security updates. That means you should start by getting OS X 10.8 Mountain Lion when it comes out Wednesday (although it's currently unclear whether OSX/Crisis or Mac security software will work on it).

Source:

http://www.zdnet.com/new-mac-trojan-installs-silently-no-password-required-7000001519/

[Hum]

... installs silently, no password required.

Wow -- everything is easier on a Mac. :D

[Argi]

Curious if Gatekeeper plays any role.

[Kami-]

Unless of course you're running GateKeeper settings to only allow app store and identified developer installs; keeps it off your system ;)

[Argi]

Unless of course you're running GateKeeper settings to only allow app store and identified developer installs; keeps it off your system ;)

Where does it say that? Gatekeeper isn't going to prevent exploits in signed software. I don't see how it's being installed detailed.

[SuperKid]

Curious if Gatekeeper plays any role.

Well it would definitely block it because it won't be signed :)

[Hell-In-A-Handbasket]

I just Have to LoL, all the people "But Mac's Dont Get Viri"

Its an OS built by Humans, it will get hit, just a matter if time

edit - Stupid iPad and these Text box's

On Topic - I do feel that Very Few people run OSX as a Non-Admin User account, and surprised the infection doesn't need credentials at all

[Obi-Wan Kenobi]

>ouch< cue the arguments in 3...2...1....... :argue:

[game_over]

I just Have to LoL, all the people "But Mac's Dont Get Viri"

Its an OS built by Humans, it will get hit, just a matter if time

edit - Stupid iPad and these Text box's

On Topic - I do feel that Very Few people run OSX as a Non-Admin User account, and surprised the infection doesn't need credentials at all

What people? i don't think anyone says that these days, maybe before, but back then it was pretty much the case.. it didn't have viruses, and even now it's hardly anything to worry about. Anyone with half a brain can prevent or easily spot changes in the system. I didn't run a virus scanner for all the years of running Windows and never got a virus, malware, or trojans so i wont be needing it for the Mac either, for those that do worry have virus software available to them.

I don't know why windows use get so giddy when this sort of news appears.

[n_K]

Just FYI if gatekeeper has a 'only run signed packages' option then it's also got an equilivent in windows for XP and newer, via the GPO you can set it to only run signed executables using the certificates you provide, though I've never actually seen anyone/any company use it.

And yes exploits can/will be discovered but the more protection you have, the more % of people that'd give up before getting it cracked.

[John S. Veteran]

I don't know why windows use get so giddy when this sort of news appears.

I don't either but they've been wetting their pants for 10 years now since I switched....it's coming, it's coming....yeah...here I am unbitten.

[Praetor]

What people? i don't think anyone says that these days, maybe before, but back then it was pretty much the case.. it didn't have viruses, and even now it's hardly anything to worry about. Anyone with half a brain can prevent or easily spot changes in the system. I didn't run a virus scanner for all the years of running Windows and never got a virus, malware, or trojans so i wont be needing it for the Mac either, for those that do worry have virus software available to them.

I don't know why windows use get so giddy when this sort of news appears.

because the reality distortion field is getting weaker...

[Rudy]

Where does it say that? Gatekeeper isn't going to prevent exploits in signed software. I don't see how it's being installed detailed.

IF it is signed, Apple can revoke the certificate and ALL macs running gatekeeper will stop executing the file (plus in ML they beefed up their built in AV so they could delete it from your system very quickly too)

[Hell-In-A-Handbasket]

What people? i don't think anyone says that these days, maybe before, but back then it was pretty much the case...

I get alot of people in the repair shop talking about switching to a mac after their computer got hit with an infection, thinking they wont have problems..

[techbeck]

I don't either but they've been wetting their pants for 10 years now since I switched....it's coming, it's coming....yeah...here I am unbitten.

I always said, if market share for Macs gets to big, then they will start getting attacked more. Right now, Mac users are safe but I still advise work and others that I know who have Macs to have proper protection.

This will probably be patched soon so no big deal.

I don't know why windows use get so giddy when this sort of news appears.

I'm not giddy...tho I have no sympathy for people who think they are untouchable and do not have the proper protection in place. Especially when its people who I warn and recommend products to to keep them safe.

[nukenorman]

Im so glad that macs have increased in popularity so much that they now have to worry about viruses, spyware and trojans just like the rest of us :-). Now the days of the snobby mac user attitue of saying how they dont need antivirus those days are now over :-). Plus this will create many new jobs as tech companies can now make and sell antivirus/spyware products or mac users now. As the popularity of apple becomes more and more its OS will have so many viruses and junked up just like Windows lol.

This new trojan installs silently. I laugh when all the mac users I see in person say how they cant get viruses or how secure the OS is. This proves how blinded they are.

At least Linux is still fairly free from all of this :-)

[Noir Angel]

It personally makes me laugh because Mac advocates like to constantly remind us of how much better a mac is, when in reality they're just as easy if not more so than Windows computers to exploit.

[Shadrack]

What people? i don't think anyone says that these days, maybe before, but back then it was pretty much the case.. it didn't have viruses, and even now it's hardly anything to worry about. Anyone with half a brain can prevent or easily spot changes in the system. I didn't run a virus scanner for all the years of running Windows and never got a virus, malware, or trojans so i wont be needing it for the Mac either, for those that do worry have virus software available to them.

I don't know why windows use get so giddy when this sort of news appears.

You are correct when it comes to the users here... but out in the real world the attitude "macs don't get viruses" is still very prevalent.

I have ML which to my understanding GateKeeper is an anti-virus of sorts... That said I think that the FUD is starting to get to me because I feel the need to get an anti-virus program. idk... I think the anti-virus software makers the ones that get the giddiest about this news because they want nothing more than to tap into the Mac market.

[bandit_liberty_rumble]

Yay! Mac users suck!

:rolleyes:

[HawkMan]

I don't either but they've been wetting their pants for 10 years now since I switched....it's coming, it's coming....yeah...here I am unbitten.

Funny, I've been unbitten on windows for almost 20...

[Growled Member]

I think most of the problems is with dumb users and not the OS.

[.Neo]

It personally makes me laugh because Mac advocates like to constantly remind us of how much better a mac is, when in reality they're just as easy if not more so than Windows computers to exploit.

What really makes me laugh is PC advocates like to pretend the lack of viruses is the soul reason. That while in reality many Mac users have vastly different reasons for having made the switch.

[Obi-Wan Kenobi]

Funny, I've been unbitten on windows for almost 20...

Let me send a BIG...HUGE happy birthday shout out to my fellow neowinian, HawkMan! Happy birthday, HAWK-MAN....(sings the HB song) (Y)

[Gocom]

IF it is signed, Apple can revoke the certificate and ALL macs running gatekeeper will stop executing the file (plus in ML they beefed up their built in AV so they could delete it from your system very quickly too)

While Gatekeeper is indeed good feature to have, it doesn't make you free from exploits, attacks and vulnerabilities. It's not its purpose, I would say. If it was, it's a **** poor job. Getekeeper's whole point is to prevent you (as in you and your mouse pointer) running bad things, and to whitelist the good stuff from the bad. It's literally just signing, you (and the developer) knowing that the file isn't altered.

Let's start from the fact that Gatekeeper and code signing as a whole (i.e. from system) only applies to executable files. It doesn't prevent you from running malicious code on the system, just opening executables (as in application packages and installers). Also note that Gatekeeper only quarantines executables downloaded using applications that support and flag the files as downloaded. It doesn't care about drive-bys or files coming from applications that do not specifically mark files as downloaded. For instance file coming via file sharing protocol, syncing service or drive-by are handled as other seemingly existing, old files.

Also its up to the caller of the executable to decide whether they validate or require signatures. For instance a platform installed on the system can run the platform specific plugins, scripts etc. without verifying any signatures.

[Noir Angel]

What really makes me laugh is PC advocates like to pretend the lack of viruses is the soul reason. That while in reality many Mac users have vastly different reasons for having made the switch.

I don't care what makes people switch. Apple fans seem to make out that OSX is immune to being hacked or virused, when in fact evidence suggests that if anything it's easier than Windows to exploit (Vista onwards anyway, with XP it's about a draw)