Open Minded, posted July 26, 2012

A new Mac OS X Trojan has been discovered that drops different components depending on whether or not it is executed on a user account with Admin permissions. The threat installs itself silently (no user interaction required) and also does not need your user password to infect your Apple Mac. The backdoor component calls home to the IP address 176.58.100.37 every five minutes, awaiting instructions.

Intego, which had to update its anti-malware signatures upon discovering the threat, refers to it as "OSX/Crisis." The good news is that the security firm has yet to find OSX/Crisis in the wild; the company only stumbled upon it over at VirusTotal, a service for analyzing suspicious files and URLs.

This Trojan is like most: when run, it installs silently to create a backdoor. What makes this threat particularly worrying is that depending on whether or not it runs on a user account with Admin permissions, it will install different components, which use low-level system calls to hide their activities. Either way, it will always create a number of files and folders to complete its tasks.

If the dropper runs on a system with Admin permissions, it will drop a rootkit to hide itself. The malware creates 17 files when it's run with Admin permissions, 14 files when it's run without. Many of these are randomly named, but there are some that are consistent.

With or without Admin permissions, this folder is created:

/Library/ScriptingAdditions/appleHID/

Only with Admin permissions, this folder is created:

/System/Library/Frameworks/Foundation.framework/XPCServices/

Here's where it gets interesting. "The file is created in a way that is intended to make reverse engineering tools more difficult to use when analyzing the file," an Intego spokesperson said in a statement. "This sort of anti-analysis technique is common in Windows malware, but is relatively uncommon for OS X malware."

Curiously, this particular malware only affects OS X 10.6 Snow Leopard and OS X 10.7 Lion. The latest threat further underlines the importance of protecting Macs against malware with an updated antivirus program as well as the latest security updates. That means you should start by getting OS X 10.8 Mountain Lion when it comes out Wednesday (although it's currently unclear whether OSX/Crisis or Mac security software will work on it).

Source: http://www.zdnet.com/new-mac-trojan-installs-silently-no-password-required-7000001519/
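The call-home behaviour described in the article above (a connection to 176.58.100.37 every five minutes) can be checked for in network flow logs. The following Python is an added example, not part of the original post or of Intego's analysis; the log format, the internal host addresses, the jitter tolerance and the minimum hit count are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime

C2_IP = "176.58.100.37"   # call-home address named in the article
PERIOD = 300              # "every five minutes", in seconds
JITTER = 30               # assumed tolerance per interval, seconds
MIN_HITS = 4              # assumed minimum connections before calling it periodic

# Constructed sample flow log, one record per line: "timestamp src_ip dst_ip"
SAMPLE_LOG = """\
2012-07-26T09:00:02 10.0.0.15 176.58.100.37
2012-07-26T09:01:00 10.0.0.22 176.58.100.37
2012-07-26T09:02:10 10.0.0.22 176.58.100.37
2012-07-26T09:03:40 10.0.0.30 192.0.2.10
2012-07-26T09:05:03 10.0.0.15 176.58.100.37
truncated record
2012-07-26T09:10:01 10.0.0.15 176.58.100.37
2012-07-26T09:20:04 10.0.0.15 176.58.100.37
2012-07-26T09:25:02 10.0.0.15 176.58.100.37
"""

def parse(log):
    """Yield (timestamp, src, dst) for well-formed records; skip anything else."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S"), parts[1], parts[2]
        except ValueError:
            continue

def is_periodic(gap, period=PERIOD, jitter=JITTER):
    """True if gap is within jitter of a whole multiple of period.
    Multiples above one cover check-ins missing from the log (sleep, dropped records)."""
    k = round(gap / period)
    return k >= 1 and abs(gap - k * period) <= jitter

def find_beacons(log, dst=C2_IP, min_hits=MIN_HITS):
    """Return {src_ip: "beaconing" | "contacted"} for every host that reached dst."""
    seen = defaultdict(list)
    for ts, src, d in parse(log):
        if d == dst:
            seen[src].append(ts)
    verdicts = {}
    for src, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = len(times) >= min_hits and all(is_periodic(g) for g in gaps)
        verdicts[src] = "beaconing" if regular else "contacted"
    return verdicts

if __name__ == "__main__":
    for host, verdict in sorted(find_beacons(SAMPLE_LOG).items()):
        print(host, verdict)
```

A "contacted" verdict still warrants a look at the host; the regular interval is what matches the check-in behaviour the article describes.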

Hum, posted July 26, 2012

... installs silently, no password required.

Wow -- everything is easier on a Mac. :D

Argi, posted July 26, 2012

Curious if Gatekeeper plays any role.

Kami-, posted July 26, 2012

Unless of course you're running GateKeeper settings to only allow app store and identified developer installs; keeps it off your system ;)

Argi, posted July 26, 2012

> Unless of course you're running GateKeeper settings to only allow app store and identified developer installs; keeps it off your system ;)

Where does it say that? Gatekeeper isn't going to prevent exploits in signed software. I don't see how it's being installed detailed.

SuperKid, posted July 26, 2012

> Curious if Gatekeeper plays any role.

Well it would definitely block it because it won't be signed :)

Hell-In-A-Handbasket, posted July 26, 2012

I just have to LoL, all the people "But Macs Don't Get Viri". It's an OS built by humans, it will get hit, just a matter of time.

edit - Stupid iPad and these text boxes

On topic - I do feel that very few people run OSX as a non-Admin user account, and surprised the infection doesn't need credentials at all.

Obi-Wan Kenobi, posted July 26, 2012

>ouch< cue the arguments in 3...2...1....... :argue:

game_over, posted July 26, 2012

> I just have to LoL, all the people "But Macs Don't Get Viri". It's an OS built by humans, it will get hit, just a matter of time.
> edit - Stupid iPad and these text boxes
> On topic - I do feel that very few people run OSX as a non-Admin user account, and surprised the infection doesn't need credentials at all.

What people? I don't think anyone says that these days, maybe before, but back then it was pretty much the case.. it didn't have viruses, and even now it's hardly anything to worry about. Anyone with half a brain can prevent or easily spot changes in the system. I didn't run a virus scanner for all the years of running Windows and never got a virus, malware, or trojans so I won't be needing it for the Mac either, for those that do worry have virus software available to them.

I don't know why Windows users get so giddy when this sort of news appears.

n_K, posted July 26, 2012

Just FYI if Gatekeeper has an 'only run signed packages' option then it's also got an equivalent in Windows for XP and newer, via the GPO you can set it to only run signed executables using the certificates you provide, though I've never actually seen anyone/any company use it.

And yes exploits can/will be discovered but the more protection you have, the more % of people that'd give up before getting it cracked.

John S. (Veteran), posted July 26, 2012

> I don't know why Windows users get so giddy when this sort of news appears.

I don't either but they've been wetting their pants for 10 years now since I switched....it's coming, it's coming....yeah...here I am unbitten.

Praetor, posted July 26, 2012

> What people? I don't think anyone says that these days, maybe before, but back then it was pretty much the case.. it didn't have viruses, and even now it's hardly anything to worry about. Anyone with half a brain can prevent or easily spot changes in the system. I didn't run a virus scanner for all the years of running Windows and never got a virus, malware, or trojans so I won't be needing it for the Mac either, for those that do worry have virus software available to them.
> I don't know why Windows users get so giddy when this sort of news appears.

because the reality distortion field is getting weaker...

Rudy, posted July 26, 2012

> Where does it say that? Gatekeeper isn't going to prevent exploits in signed software. I don't see how it's being installed detailed.

IF it is signed, Apple can revoke the certificate and ALL Macs running Gatekeeper will stop executing the file (plus in ML they beefed up their built-in AV so they could delete it from your system very quickly too).

Hell-In-A-Handbasket, posted July 26, 2012

> What people? I don't think anyone says that these days, maybe before, but back then it was pretty much the case...

I get a lot of people in the repair shop talking about switching to a Mac after their computer got hit with an infection, thinking they won't have problems..

techbeck, posted July 26, 2012

> I don't either but they've been wetting their pants for 10 years now since I switched....it's coming, it's coming....yeah...here I am unbitten.

I always said, if market share for Macs gets too big, then they will start getting attacked more. Right now, Mac users are safe but I still advise work and others that I know who have Macs to have proper protection. This will probably be patched soon so no big deal.

> I don't know why Windows users get so giddy when this sort of news appears.

I'm not giddy...tho I have no sympathy for people who think they are untouchable and do not have the proper protection in place. Especially when it's people who I warn and recommend products to, to keep them safe.

nukenorman, posted July 26, 2012

I'm so glad that Macs have increased in popularity so much that they now have to worry about viruses, spyware and trojans just like the rest of us :-). Now the days of the snobby Mac user attitude of saying how they don't need antivirus those days are now over :-). Plus this will create many new jobs as tech companies can now make and sell antivirus/spyware products for Mac users now. As the popularity of Apple becomes more and more its OS will have so many viruses and junked up just like Windows lol. This new trojan installs silently. I laugh when all the Mac users I see in person say how they can't get viruses or how secure the OS is. This proves how blinded they are. At least Linux is still fairly free from all of this :-)

Noir Angel, posted July 26, 2012

It personally makes me laugh because Mac advocates like to constantly remind us of how much better a Mac is, when in reality they're just as easy if not more so than Windows computers to exploit.

Shadrack, posted July 26, 2012

> What people? I don't think anyone says that these days, maybe before, but back then it was pretty much the case.. it didn't have viruses, and even now it's hardly anything to worry about. Anyone with half a brain can prevent or easily spot changes in the system. I didn't run a virus scanner for all the years of running Windows and never got a virus, malware, or trojans so I won't be needing it for the Mac either, for those that do worry have virus software available to them.
> I don't know why Windows users get so giddy when this sort of news appears.

You are correct when it comes to the users here... but out in the real world the attitude "Macs don't get viruses" is still very prevalent.

I have ML which to my understanding GateKeeper is an anti-virus of sorts... That said I think that the FUD is starting to get to me because I feel the need to get an anti-virus program. idk...

I think the anti-virus software makers are the ones that get the giddiest about this news because they want nothing more than to tap into the Mac market.

bandit_liberty_rumble, posted July 26, 2012

Yay! Mac users suck! :rolleyes:

HawkMan, posted July 26, 2012

> I don't either but they've been wetting their pants for 10 years now since I switched....it's coming, it's coming....yeah...here I am unbitten.

Funny, I've been unbitten on Windows for almost 20...

Growled (Member), posted July 26, 2012

I think most of the problems are with dumb users and not the OS.

.Neo, posted July 26, 2012

> It personally makes me laugh because Mac advocates like to constantly remind us of how much better a Mac is, when in reality they're just as easy if not more so than Windows computers to exploit.

What really makes me laugh is PC advocates like to pretend the lack of viruses is the sole reason. That while in reality many Mac users have vastly different reasons for having made the switch.

Obi-Wan Kenobi, posted July 26, 2012

> Funny, I've been unbitten on Windows for almost 20...

Let me send a BIG...HUGE happy birthday shout out to my fellow neowinian, HawkMan! Happy birthday, HAWK-MAN....(sings the HB song) (Y)

Gocom, posted July 27, 2012

> IF it is signed, Apple can revoke the certificate and ALL Macs running Gatekeeper will stop executing the file (plus in ML they beefed up their built-in AV so they could delete it from your system very quickly too).

While Gatekeeper is indeed a good feature to have, it doesn't make you free from exploits, attacks and vulnerabilities. It's not its purpose, I would say. If it was, it's a **** poor job. Gatekeeper's whole point is to prevent you (as in you and your mouse pointer) running bad things, and to whitelist the good stuff from the bad. It's literally just signing, you (and the developer) knowing that the file isn't altered.

Let's start from the fact that Gatekeeper and code signing as a whole (i.e. from system) only applies to executable files. It doesn't prevent you from running malicious code on the system, just opening executables (as in application packages and installers).

Also note that Gatekeeper only quarantines executables downloaded using applications that support and flag the files as downloaded. It doesn't care about drive-bys or files coming from applications that do not specifically mark files as downloaded. For instance a file coming via file sharing protocol, syncing service or drive-by is handled as other seemingly existing, old files.

Also it's up to the caller of the executable to decide whether they validate or require signatures. For instance a platform installed on the system can run the platform-specific plugins, scripts etc. without verifying any signatures.

Noir Angel, posted July 27, 2012

> What really makes me laugh is PC advocates like to pretend the lack of viruses is the sole reason. That while in reality many Mac users have vastly different reasons for having made the switch.

I don't care what makes people switch. Apple fans seem to make out that OSX is immune to being hacked or virused, when in fact evidence suggests that if anything it's easier than Windows to exploit (Vista onwards anyway, with XP it's about a draw).