New Mac Malware: OSX/Crisis!
A growing number of Mac users have developed a twitch. Though we certainly don’t have the problems inherent to Windows, nowhere near that level anxiety, malware is increasingly a problem and the OSX/Crisis trojan is just latest malevolent cloud to appear on the horizon.
Those bellwethers of bane at Intego have discovered new Mac malware, the OSX/Crisis trojan. The punchline with this malware is that it can infect without any user interaction and inherits whatever privileges the user has.
For example, if OSX/Crisis infects a Mac running in admin mode, it gains those privileges. It’s believed that this trojan affects the two most commonly used versions of OS X, Snow Leopard (10.6) and Lion (10.7).
“Overall while this is a new threat for OS X with some unique features, unlike others it has not been found on any OS X machines,” writes MacFixIt’s Topher Kessler. “Its distribution is therefore very low if nonexistant at the moment, and malware definitions for it should soon be available to malware scanning tools so be sure to keep them updated if you have one installed.”
That’s right, as of now, neither Intego nor anyone else has discovered the Crisis trojan in the wild, which is another way of saying no one’s ever been infected let alone affected.
How do I detect the Crisis trojan?
With or without Admin permissions, this folder is created:
Only with Admin permissions, this folder is created:
Once a system is infected, OSX/Crisis opens a backdoor, contacts a C&C (command and control) server and awaits instructions. Again, this trojan hasn’t been spotted in the wild, so transmission method(s) and payload (i.e. what it does) aren’t known.
For what it’s worth, Intego has updated its Mac antivirus app, VirusBarrier X6, to detect and remove Crisis.
One expects that other third-party antivirus vendors, as well as Apple and its Xprotect trojan blocker, will soon be updated to detect, block and remove Crisis.