Mac Security firm, Intego, has discovered a new Mac OS X Trojan referred to as OSX/Crisis. The malware installs itself without user interaction and also does not need your user password to infect your Apple Mac.
The threat works only in the two latest versions of Mac OS X – Snow Leopard and Lion.
The Trojan preserves itself against reboots, so it will continue to run until it’s removed. Depending on whether or not the dropper runs on a user account with Admin permissions, it will install different components.
If the dropper runs on a system with Admin permissions, it will drop a rootkit to hide itself. In either case, it creates a number of files and folders to complete its tasks. It creates 17 files when it’s run with Admin permissions, 14 files when it’s run without. Many of these are randomly named, but there are some that are consistent.
- With or without Admin permissions, this folder is created:
- /Library/ScriptingAdditions/appleHID/
- Only with Admin permissions, this folder is created:
- /System/Library/Frameworks/Foundation.framework/XPCServices/
Once installed, OS/X Crisis calls home to IP address 176.58.100.37 every five minutes, presumably to await instructions.
Here's where it gets interesting. "The file is created in a way that is intended to make reverse engineering tools more difficult to use when analyzing the file," an Intego spokesperson said in a statement. "This sort of anti-analysis technique is common in Windows malware, but is relatively uncommon for OS X malware."