New Mac Malware 'OSX/Crisis' Discovered
Contrary to popular belief, your Apple computer isn't impervious to all forms of malware and viruses.
Yesterday (July 24), Mac security firm Intego announced that it had discovered a new Mac OS X Trojan horse called OSX/Crisis. The malware installs itself without user intervention and hides itself if installed with administrator permission.
While the risk has been identified as low — the malware has not yet been found in the wild — it's alarming that OSX/Crisis exhibits a number of stealthy qualities rarely seen in OS X malware.
For one, OSX/Crisis is what's formally known as a Trojan dropper, which means it can cloak itself behind the guise of a music file, a game or a screen saver.
Luckily, there are ways to check if your Mac has been infected. If OSX/Crisis is installed on a Mac running in root or administrator mode, the following files will turn up:
However, without root access, only the last file will be present:
OSX/Crisis routinely calls home to the IP address 184.108.40.206 every 5 minutes, awaiting instructions. This IP address could change over time.
Additionally, the backdoor file with this functionality has been coded in such a way that reverse engineering tools won't work as well when analyzing the file. OSX/Crisis's creators used a technique called anti-analysis which is commonly seen in Windows malware, yet almost unheard of in OS X malware.
OSX/Crisis is only threatening to the two latest versions of Mac OS X, Snow Leopard 10.6 and Lion 10.7.
On the bright side, if you already use Intego VirusBarrier X6, all you need to do is update to get the latest protection from this threat. Otherwise, users with malware anxiety can check out the relevant Mac protection software from Intego here.