New Mac Trojan Installs Silently, No Password Required
An anonymous reader writes "A new Mac OS X Trojan referred to as OSX/Crisis silently infects OS X 10.6 Snow Leopard and OS X 10.7 Lion. The backdoor component calls home to the IP address 176.58.100.37 every five minutes, awaiting instructions. The threat was created in a way that is intended to make reverse engineering more difficult, an added extra that is more common with Windows malware than it is with Mac malware."
Macs don't get viruses. (Score:5, Funny)
Yeah, right.
Re:Macs don't get viruses. (Score:5, Funny)
You've got to give credit to Apple though: No Password Required. It's all in the ease of use for the user and not bothering them with useless questions and controls onscreen.
Those stupid trojans ask for passwords on Windows! Can you imagine the hassle for the user!??!!
Re:Macs don't get viruses. (Score:5, Funny)
Exactly. Mac malware Just Works (tm).
Re:Macs don't get viruses. (Score:4, Insightful)
They emphasize that point because previous trojans on OS X have required a password to install. It's very rare to run a Mac under an account with superuser rights (it's disabled by default), so installing anything system related requires a sudo. I'm under the impression that trojans generally do not ask for passwords on Windows.
Re:Macs don't get viruses. (Score:4, Insightful)
It's very rare to run a Mac under an account with superuser rights (it's disabled by default), so installing anything system related requires a sudo.
Since Vista Windows has largely been the same. It should be very rare to run a Windows 7 machine under an account with super user rights.
I'm under the impression that trojans generally do not ask for passwords on Windows.
On both Windows and Mac you can do a lot from a user account. e.g. DDOS, scan the users email, etc. If the trojan wants admin rights it will have to do a sudo on either platform.
Re: (Score:3)
Ah, so it's just another non-story with a Timothy headline.
Re: (Score:3)
Right. You also get logging of the commands executed which can be nice, or can itself be a security problem.
However, unless you carefully restrict the commands, you can do what I do: "sudo bash" (or, if you prefer, "sudo -i")
Re: (Score:3)
Of course they don't.
Instead, you get this [wikimedia.org].
Which many people just click right on through.
Re:Macs don't get viruses. (Score:4, Funny)
I still get a kick out of the Open Source Virus, auto-self compilation across ALL platforms.
Re:Macs don't get viruses. (Score:5, Informative)
And trojans aren't viruses unless you're going to show how this is self-replicating.
Re:Macs don't get viruses. (Score:5, Informative)
Maybe ya'lls need to install "Little Snitch". [obdev.at]
That is, if you slipped into Slashdot under false geek creds, and don't know how to configure and monitor pf. [blogspot.com]
Re:Macs don't get viruses. (Score:5, Insightful)
My geek cred is with regards to optoelectronic horticulture tech, not Linux.
Slashdot ain't all computer geeks, yanno. Some of us keep you fed for cheap.
Re: (Score:3)
My geek cred is with regards to optoelectronic horticulture tech, not Linux.
Slashdot ain't all computer geeks, yanno. Some of us keep you fed for cheap.
Optoelectronic horticulture...so you sit and watch the grass grow on the TV?
Re: (Score:3)
And trojans aren't viruses...
Bitter is the fruit of proud assumption proven false.
Re: (Score:2)
Re: (Score:3)
Re:Macs don't get viruses. (Score:4, Insightful)
I've heard a lot of boasting on this site about how secure Linux is.
Linux and Macs and BSD only seem secure... when compared to Windows.
Re:Macs don't get viruses. (Score:5, Funny)
cool ... good that I use OS 10.5 (Score:5, Insightful)
Re: (Score:2, Informative)
how about an article on every windows- or android-based trojan.
Android and Windows are not being sold as a safe haven from trojans and viruses; Mac OS is.
Re: (Score:2, Troll)
Re:cool ... good that I use OS 10.5 (Score:5, Informative)
http://www.redmondpie.com/apple-removes-its-virus-immunity-claim-for-mac-from-official-website-not-so-safe-from-viruses-after-all-huh/
http://www.forbes.com/sites/timworstall/2012/06/26/yes-apples-machines-really-can-get-viruses/
Re: (Score:2, Flamebait)
because PC refers to windows viruses
PC means personal computer and makes no reference whatsoever to the operating system running on it. Now we could argue that Mac machines are not, in fact, personal computers, but that is another point entirely. But you're wasting your time. Apple "Can Do No Wrong" in the eyes of its cultists. I ask myself, however, what exactly is it they are paying all that extra money for... Are their computers faster? No. Are their computers more secure? No. Are their computers able to do something that non Apple compute
Re:cool ... good that I use OS 10.5 (Score:5, Insightful)
because PC refers to windows viruses
PC means personal computer and makes no reference whatsoever to the operating system running on it.
Wrong. When Apple did their "I'm a PC, I'm a Mac" marketing campaign, it was perfectly clear they referred to Windows against OSX. They specifically insisted that a Mac and a PC are different, but we geeks know that PCs and Macs are almost the same on their hardware base. So what they referred to was the OS they run.
AND I AM NOT AN APPLE FANBOY! I have no Mac computers, no iPods, no iPhone
Re: (Score:2)
Apple's never made that claim for 10.8, because they know they would get sued for false advertising. But they made the "Macs don't get viruses" claim to OS 10.5, 10.6, and 10.7 (which has been shown to be false).
I like Macs. But not the pricetag (see my signature). I used them faithfully throughout college, but not anymore. I wish Commodore & Atari were still in business. They sold computers at prices normal people could afford ($150 for a C64, $500 for an Amiga or ST) (versus $2-3000 for IBM PC or
Re: (Score:2)
Yes, because a decent OS gui, associated software, and integration is priceless.
Re: (Score:2)
That's the same logic people use to justify buying Honda's $35,000 Acura that has automatic everything and can even park itself. Personally I'd rather buy a Honda Civic for $15,000, do my own parking, and give myself $20,000 worth of time off (3 months) to spend it with my wife & kids & friends.
Ditto with PC v. Mac. Admittedly $600 saved isn't a lot, but it does eliminate the need to work overtime on Saturday to pay the Mac's extra cost.
Re: (Score:2)
No, thanks to Linux, a decent OS gui, associated software, and integration is free. Apple lock-in is the priceless part.
Re: (Score:2)
Wait what? $2k-$3k for a Windows/Linux computer?
Sure, if you want the biggest and baddest machine currently out. You can easily build a Windows/Linux machine for $900-$1500 tops that is pretty powerful.
Re: (Score:2)
You can easily build a Windows/Linux machine for $900-$1500 tops that is pretty powerful.
In 1985? The GP was talking about comparable systems that were out at the same time as an Atari ST or C64....
Re: (Score:2)
how about an article on every windows- or android-based trojan
Mac OS Trojans are still pretty exceptional.
Re: (Score:2)
how about an article about Mac malware that doesn't feel compelled to mention Windows?
Re:cool ... good that I use OS 10.5 (Score:4, Insightful)
Things constantly improve on all sides, including the quality and sophistication of attacks. But people naturally want to hang onto the old ideas in their heads, partly because they're not close to the "other" system, and partly because they don't like having their old decisions questioned or their assumptions challenged. The "Macs are perfect" idea is again proven faulty, but so are the Mac and Unix people who assign the same amount of failure to Windows 7 that they saw with Windows XP a decade ago.
It's not that Macs are "equally guilty as Windows" or that "Windows 7 is now perfect". It's just a perception thing. Human nature means that we can expect a ton of gloating and "I told you so!" kinds of responses. And while that doesn't mean a PR department is necessarily behind it, I can understand why a PR department would latch onto this and amplify it.
but it's never been seen in the wild (Score:5, Informative)
if you actually read the article this is just some bullshit proof of concept made by an anti-virus company to shake down mac users. it's never actually been seen outside of a security website.
Re: (Score:3, Informative)
Maybe you should?
Intego, which had to update its anti-malware signatures upon discovering the threat, refers to it as "OSX/Crisis." The good news is that the security firm has yet to find OSX/Crisis in the wild; the company only stumbled upon it over at VirusTotal, a service for analyzing suspicious files and URLs.
So there is no proof of it being in the wild and was only found on a website for analyzing files. So how exactly were they wrong?
Re: (Score:3)
So there is no proof of it being in the wild and was only found on a website for analyzing files. So how exactly were they wrong?
Where do you think the "suspicious files" come from?
Little Snitch should catch it, tho, right? (Score:2)
How convenient (Score:4, Funny)
Re: (Score:2)
that a new version of OSX has just become available to purchase, better rush out and buy it.
Yeah, and it's a total rip-off at $20!
Horrible, horrible threat... (Score:3, Interesting)
However, blocking the threat is as simple as an ACL on your router...
Re: (Score:2)
However, blocking the threat is as simple as an ACL on your router...
This time. Next week it's a different address. So now you're playing Whack-a-mole?
Sounds like a vaguely familiar strategy....
Re: (Score:2)
The backdoor component calls home to the IP address 176.58.100.37 every five minutes, awaiting instructions. The threat was created in a way that is intended to make reverse engineering more difficult... However, blocking the threat is as simple as an ACL on your router...
Assuming the only access your machine has to the internet is via said router...
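The router ACL discussed above only helps when the address is known in advance; what a defender can also do is look for the five-minute call-home rhythm the summary describes. The script below is an added example, not code from the thread or from any vendor: it parses constructed egress log lines (the line format, the internal host and the second destination address are assumptions) and flags any source/destination pair whose connections recur at a tight, regular interval.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, NOT a real capture. Simplified "epoch_seconds src dst"
# records modelled on an egress firewall log. 176.58.100.37 is the address named
# in the summary; 203.0.113.5 (documentation range) stands in for normal traffic.
SAMPLE_LOG = """\
1343000000 10.0.0.12 176.58.100.37
1343000010 10.0.0.12 203.0.113.5
1343000300 10.0.0.12 176.58.100.37
1343000600 10.0.0.12 176.58.100.37
1343000750 10.0.0.12 203.0.113.5
1343000900 10.0.0.12 176.58.100.37
1343001200 10.0.0.12 176.58.100.37
1343001500 10.0.0.12 176.58.100.37
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Return a list of (timestamp, src, dst) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3)))
    return events


def find_beacons(events, expected_period=300, tolerance=0.1, min_hits=4):
    """Group connections by (src, dst), compute inter-arrival gaps and flag
    pairs whose gaps cluster around expected_period seconds (300 = 5 minutes).
    Returns {(src, dst): mean_gap_seconds} for every flagged pair."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)

    flagged = {}
    limit = tolerance * expected_period
    for pair, times in by_pair.items():
        if len(times) < min_hits:          # too few samples to call it periodic
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps)              # low jitter = machine-like timing
        if abs(avg - expected_period) <= limit and jitter <= limit:
            flagged[pair] = avg
    return flagged


def known_c2_hits(events, c2="176.58.100.37"):
    """Simple indicator match: every (timestamp, src) that talked to the address."""
    return [(ts, src) for ts, src, dst in events if dst == c2]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for (src, dst), period in find_beacons(evts).items():
        print(f"beacon candidate: {src} -> {dst} every {period:.0f}s")
    print(f"{len(known_c2_hits(evts))} connections to the known address")
```

The indicator match catches only this week's address; the interval check is what still fires after the operator moves to a new one, which is the weakness of the ACL approach raised in this thread.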
Re: (Score:3)
No, but it can be done with wire cutters.
Mac Trojan Installs Silently, No Password Required (Score:2, Funny)
That's not a trojan, that's Mountain Lion.
Little Snitch Works! (Score:3)
To catch outgoing calls.
naming conventions (Score:3)
How can reverse engineering be difficult? (Score:3)
Disassemble it and follow the code. Even if some of the code is encrypted something in the virus will have to decrypt it before it can be run and you'll have that on hand too.
I'm not saying it's easy, but it's not protected by some magic ward.
Re: (Score:3)
This is an antivirus company we're talking about.
The whole thing seems a little suspicious as yet. They "found" this trojan on a website security professionals use to share suspicious files, but haven't seen it in the wild? Intego's own article (http://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/) says they "have not yet seen if or how this threat is installed on a user’s system." Really? So how do they know it doesn't ask for a password?
Re: (Score:2)
They're probably acting as paid Apple shills to push adoption of ML.
Re:How can reverse engineering be difficult? (Score:4, Informative)
"The code detects the debugger and changes its behavior or disables the debugger."
Code can't detect being disassembled because it's not being run.
"Ultimately these tools decrypt their payload so you can't just dump the raw binary. You have to get them to run and decrypt the payload without detecting that you're using a debugger. That's actually pretty damn hard and where most of the time is spent."
Understood, but if you have the assembler code that does the initial decryption on hand then you just rip out the decryption part and run it on the payload.
Ultimately you can always single step through each instruction and the program simply won't have a chance to wipe debugger information because you'll see it about to do it before it happens and can break at that point.
Re: (Score:2)
Are there any tools for doing this with a hypervisor or some other 100% emulated environment, or perhaps kernel trace modules that are capable of this in a way hard or impossible for a process to detect?
I would have thought by now that there would be completely invisible debugging environments via whatever method was necessary to accomplish it, either designed specifically for the security trade or for reverse engineering markets.
Another name, more details (Score:3, Informative)
It's called "Morcut" by Sophos [sophos.com] and they offer a free anti-virus product for Mac OS X.
They claim it's designed to access these things: mouse coordinates, instant messengers (for instance, Skype [including call data], Adium and MSN Messenger), location, internal webcam, clipboard contents, key presses, running applications, web URLs, screenshots, internal microphone, calendar data & alerts, device information, address book contents
User mode malware (Score:5, Insightful)
It seems more and more these days, that malware is becoming user-mode to avoid the nasty popups that comes with trying to gain administrator mode.
Which makes sense, as a lot of stuff you need to do as malware can be done strictly in user mode without needing to get admin privileges. This one apparently checks to see if it can get admin or is running in a restricted user account.
So even malware these days is learning to be friendly and compatible with users who aren't admins, and not requiring admin for everything.
Comment removed (Score:5, Informative)
Re: (Score:2)
Sure it will. If it's not signed by Apple or an Apple developer, Gatekeeper prevents it from installing. Or do you have any proof it can bypass Gatekeeper?
Re: (Score:2)
Which means any geek has to turn that off to use fink.
Re: (Score:2)
Do you then have to do that for each thing you install with fink?
Can you somehow just import another key instead?
Re:but what about mountain lion (Score:5, Informative)
There's a big difference between merely getting it on their machine and actually executing it. Gatekeeper is a new Mountain Lion feature that, by default, prevents any apps that are not from the Mac App Store and are not otherwise signed with an Apple-provided certificate from executing. While inflammatory, the AC's point still stands.
Re: (Score:3)
When Firefox/Chrome/Safari launch a process they are still classed as being "from the app store" right?
Re: (Score:2)
My guess is that (if Gatekeeper is enabled) every binary loaded by the system must be signed by Apple or else it won't load.
Re:but what about mountain lion (Score:5, Informative)
Your guess is completely wrong.
First, the way Gatekeeper works is by interposing the mechanism used for quarantining downloads. A binary compiled on your computer was never downloaded, so code you build yourself should be unaffected by Gatekeeper unless you upload and re-download it or manually set the quarantine flags for testing purposes.
Second, because Gatekeeper is tied into the quarantine system, the check occurs only the first time that you launch an application. Any application that you installed under previous releases of the OS continues to work as it always did because again, it was not just downloaded.
When a Gatekeeper check does occur, however, the behavior depends on which mode Gatekeeper is in (set in System Preferences). There are three modes: "Mac App Store" (the default), in which only apps downloaded from the Mac App Store are allowed to launch, "App Store and identified developers", in which apps downloaded from the Mac App Store or from other sites are allowed, but only if signed by a cert obtained from Apple's developer program, or "Anywhere" (essentially turning Gatekeeper off).
In that middle mode, the app is not signed by Apple at all, but by a third-party developer. That third-party developer's cert is signed by Apple, of course, but the app itself isn't.
And in all cases, you can override Gatekeeper's behavior by control-clicking the app and choosing "Open" instead of double-clicking it. This will give you the traditional set of prompts from previous OS releases in which it asks you if you want to launch this app that you've never launched before. Alternatively, you can turn Gatekeeper into "Anywhere" mode, launch the app, then change it back. Either way, once you have launched and un-quarantined a given app, Gatekeeper should never bother you again.
Re: (Score:3)
Any executable that's downloaded is "tainted." Mach-O executables carry their certificates and checksums as metadata segments in the executable, and if you don't have those, or they don't resolve to a certificate with an Apple signature, Gatekeeper will stop it from running according to the user's preference setting.
Taintedness can be removed with
to delete it (it's stored in the filesystem extended attributes), or by launching the app from the "Open" command contextual menu. It wil
Re: (Score:3)
All libraries and frameworks, including their bundled static resources, images, strings files, and so on, must also be signed [apple.com].
Re:but what about mountain lion (Score:5, Informative)
Gatekeeper is a new Mountain Lion feature
RTFS; Mountain Lion is not the distro being compromised.
Re:but what about mountain lion (Score:5, Interesting)
New Version of OSX drops, shortly after new malware discovered that only affects old versions.
I smell marketing ploy.
Re: (Score:3)
The malware actually came out a few days ago. Slashdot is slow to report on it.
Re: (Score:3)
And at $20.00 for all of your computers, Apple will make billions... (or, maybe, at least cover some of their costs).
Re: (Score:2)
You do realize that I was responding specifically to someone who was making a claim against Mountain Lion, right? This particular comment thread is about Mountain Lion and the fact that it's unaffected. He claimed otherwise. I disputed.
Re: (Score:2)
You do realize that I was responding specifically to someone who was making a claim against Mountain Lion, right? This particular comment thread is about Mountain Lion and the fact that it's unaffected. He claimed otherwise. I disputed.
*reads post title*
...
I do now.
Re: (Score:3)
Not true. Read the Ars Technica review: Gatekeeper only stops the execution of apps directly from downloading them (downloaded executables are flagged). Hell, you can right-click the app after downloading it, select "run", and it will work just fine.
Re: (Score:2)
The very Ars review you cite [arstechnica.com] refutes your claim. In fact, it even has a screenshot of a Gatekeeper prompt being shown for an app that has already been downloaded but had not yet been executed.
And if you're really going to point out the fact that the user can circumvent Gatekeeper by right-clicking, choosing to ignore the warnings, and launching anyway, then why not just point out that they can disable Gatekeeper entirely. Of course the user can choose to circumvent Gatekeeper. My point was that by default i
Re: (Score:2)
If the new malware is able to bypass the quarantine dialog in 10.7 already (TFS says "silently", so a safe assumption I think), that means Gatekeeper won't do anything: it relies on the quarantine flag on downloaded files. That's basically what it does, AFAICT: checks for the flag, block execution if it is flagged and not signed validly. I'm not sure if it will stop this malware or not: I was pointing out that it doesn't simply stop unsigned apps from executing at all, because it doesn't (and the fact that
Re:but what about mountain lion (Score:5, Informative)
This threat may run on Leopard 10.5, but it has a tendency to crash. It does not run on the new Mountain Lion 10.8.
Also...
This threat has not yet been found in the wild, and so far there is no indication that this Trojan has infected users
You're right to imply that Mountain Lion users shouldn't get too cocky, but in this particular case, according to this antivirus vendor, the malware hasn't even been found in the wild—and even if it had, it doesn't run on Mountain Lion.
Re: (Score:2)
Maybe, maybe not. Gatekeeper is supposed to prevent unsigned downloaded programs from running, but it will only work if the executable gets properly flagged as "downloaded." It doesn't stop other executables from running, nor does it stop people from running them directly, so whether it will stop all drive-bys or not is not 100% clear (it should stop some, of course).
Re: (Score:2)
Only by default, there are two other settings, one of which will let you install anything unsigned. And it isn't clear the other two settings will stop a drive by.
Re:let's ddos it (Score:4, Funny)
Re:But Macs Don't Get Viruses (Score:5, Informative)
It's not a virus.
Re:But Macs Don't Get Viruses (Score:4, Informative)
This is not a Virus, this is a Trojan. At least try to read the summary, I bet even your kids can do that.
Re: (Score:2, Funny)
This is not a Kid, this is a Virus. At least try to read the summary, I bet even your Trojan can do that.
Re:But Macs Don't Get Viruses (Score:5, Funny)
Kids and Viruses have a lot in common. They delete all your stuff, cost tons of money in repairs. The big difference is that you usually like it more when your kids replicate.
Re:But Macs Don't Get Viruses (Score:5, Funny)
-KI
Re: (Score:2)
::golf clap::
Re: (Score:3)
Re: (Score:2)
Pure awesome.
Re:But Macs Don't Get Viruses (Score:5, Insightful)
They don't, but you can't fix stupid, which is what trojans exploit.
Re: (Score:2)
Well, it "was", the problem is Macs and OS x are no longer "obscure" ...
Re: (Score:3)
Obscurity is just one valid tool in a security arsenal -- but it shouldn't be the only one. Ranked high above it in importance is "user education" - a feat that's nearly impossible as we continue to dumb down the computing experience.
Re: (Score:2, Insightful)
Re: (Score:2)
repetitive much?
No, it's not. The product is "OS X". The version is 10.5.
What else would you say? "OS X 5"? That's neither the product, nor the version.
Re: (Score:2)
>>>The product is "OS X". The version is 10.5.
So macs have been using the same OS since 2000? Wow. And I thought XP had a long lifespan. At least we XP users got our versions (SP0,1,2,3) for free and didn't have to pay for them.
According to Ars Technica the proper pronunciation of OS X 10.5 is "O.S. ten ten point five", so yeah, the grandparent poster was correct. It's redundant.
Re: (Score:2)
But OS isn't the name. So while it would probably be easy to tell from context what you are referring to, it's hardly redundant to call OS X 10.5 by its designated name (and version).
In other words, you are wrong. Get over it.
Re: (Score:3)
Re: (Score:2)
Re: (Score:3, Funny)
How? From all the Mac users who know how to do that?
*said while holding up "sarcasm" sign*