New Mac Trojan Installs Silently, No Password Required 300
An anonymous reader writes "A new Mac OS X Trojan referred to as OSX/Crisis silently infects OS X 10.6 Snow Leopard and OS X 10.7 Lion. The backdoor component calls home to the IP address 176.58.100.37 every five minutes, awaiting instructions. The threat was created in a way that is intended to make reverse engineering more difficult, an added extra that is more common with Windows malware than it is with Mac malware."
Re:Macs don't get viruses. (Score:5, Informative)
And trojans aren't viruses unless you're going to show how this is self-replicating.
Comment removed (Score:5, Informative)
Re:But Macs Don't Get Viruses (Score:5, Informative)
It's not a virus.
Re:But Macs Don't Get Viruses (Score:4, Informative)
This is not a Virus, this is a Trojan. At least try to read the summary, I bet even your kids can do that.
but it's never been seen in the wild (Score:5, Informative)
if you actually read the article this is just some bullshit proof of concept made by a anti-virus company to shake down mac users. it's never actually been seen outside of a security website.
Re:but what about mountain lion (Score:5, Informative)
There's a big difference between merely getting it on their machine and actually executing it. Gatekeeper is a new Mountain Lion feature that, by default, prevents any apps that are not from the Mac App Store and are not otherwise signed with an Apple-provided certificate from executing. While inflammatory, the AC's point still stands.
Re:cool ... good that I use OS 10.5 (Score:2, Informative)
how about an article on every windows- or android-based trojan.
Android and windows are not being sold as a safe heaven for troyan and viruses, Mac OS is.
Re:Macs don't get viruses. (Score:5, Informative)
Maybe ya'lls need to install "Little Snitch". [obdev.at]
That is, if you slipped into Slashdot under false geek creds, and don't know how to configure and monitor pf. [blogspot.com]
Re:but it's never been seen in the wild (Score:3, Informative)
Maybe you should?
Intego, which had to update its anti-malware signatures upon discovering the threat, refers to it as "OSX/Crisis." The good news is that the security firm has yet to find OSX/Crisis in the wild; the company only stumbled upon it over at VirusTotal, a service for analyzing suspicious files and URLs.
So there is no proof of it being in the wild and was only found on a website for analyzing files. So how exactly were they wrong?
Re:but what about mountain lion (Score:5, Informative)
Gatekeeper is a new Mountain Lion feature
RTFS; Mountain Lion is not the distro being compromised.
Re:cool ... good that I use OS 10.5 (Score:5, Informative)
http://www.redmondpie.com/apple-removes-its-virus-immunity-claim-for-mac-from-official-website-not-so-safe-from-viruses-after-all-huh/
http://www.forbes.com/sites/timworstall/2012/06/26/yes-apples-machines-really-can-get-viruses/
Another name, more details (Score:3, Informative)
It's called "Morcut" by Sophos [sophos.com] and they offer a free anti-virus product for Mac OS X.
They claim it's designed to access these things: mouse coordinates, instant messengers (for instance, Skype [including call data], Adium and MSN Messenger), location, internal webcam, clipboard contents, key presses, running applications, web URLs, screenshots, internal microphone, calendar data & alerts, device information, address book contents
Re:but what about mountain lion (Score:5, Informative)
This threat may run on Leopard 10.5, but it has a tendency to crash. It does not run on the new Mountain Lion 10.8.
Also...
This threat has not yet been found in the wild, and so far there is no indication that this Trojan has infected users
You're right to imply that Mountain Lion users shouldn't get too cocky, but in this particular case, according to this antivirus vendor, the malware hasn't even been found in the wild—and even if it had, it doesn't run on Mountain Lion.
Re:How can reverse engineering be difficult? (Score:4, Informative)
"The code detects the debugger and changes it's behavior or disables the debugger."
Code can't detect being disassembled because its not being run.
"Ultimately these tools decrypt their payload so you can't just dump the raw binary. You have to get them to run and decrypt the payload without detecting that you're using a debugger. That's actually pretty damn hard and where most of the time is spent."
Understood, but if you have the assembler code that does the initial decryption on hand then you just rip out the decryption part and run it on the payload.
Ultimately you can always single step through each instruction and the program simply won't have a chance to wipe debugger information because you'll see it about to do it before it happens and can break at that point.
Re:but what about mountain lion (Score:5, Informative)
Your guess is completely wrong.
First, the way Gatekeeper works is by interposing the mechanism used for quarantining downloads. A binary compiled on your computer was never downloaded, so code you build yourself should be unaffected by Gatekeeper unless you upload and re-download it or manually set the quarantine flags for testing purposes.
Second, because Gatekeeper is tied into the quarantine system, the check occurs only the first time that you launch an application. Any application that you installed under previous releases of the OS continues to work as it always did because again, it was not just downloaded.
When a Gatekeeper check does occur, however, the behavior depends on which mode Gatekeeper is in (set in System Preferences). There are three modes: "Mac App Store" (the default), in which only apps downloaded from the Mac App Store are allowed to launch, "App Store and identified developers", in which apps downloaded from the Mac App Store or from other sites are allowed, but only if signed by a cert obtained from Apple's developer program, or "Anywhere" (essentially turning Gatekeeper off).
In that middle mode, the app is not signed by Apple at all, but by a third-party developer. That third-party developer's cert is signed by Apple, of course, but the app itself isn't.
And in all cases, you can override Gatekeeper's behavior by control-clicking the app and choosing "Open" instead of double-clicking it. This will give you the traditional set of prompts from previous OS releases in which it asks you if you want to launch this app that you've never launched before. Alternatively, you can turn Gatekeeper into "Anywhere" mode, launch the app, then change it back. Either way, once you have launched and un-quarantined a given app, Gatekeeper should never bother you again.
Re:Macs don't get viruses. (Score:2, Informative)
The claim that "Macs don't get viruses" is not made by, nor directed at, people who uderstand the differenc. I know it's all great fun to be maximally pedantic here and all, but really: Macs get malware now. They're not immune to what most people understand as "viruses". And while that's not geek news (or shouldn't be), it's interesting to see the long-made prediction that as soon as Macs became a big enough target they'd get their share of malware come true.