
New OSX/Crisis malware found for OS X 10.6 and 10.7

While the mode of infection is currently unknown, this new threat has features not seen in past malware for OS X.

Topher Kessler MacFixIt Editor

A new script-based malware threat for OS X has been uncovered by security company Intego. The malware, called OSX/Crisis, has so far not been found "in the wild," but it has the potential to do harm.

The threat apparently runs only on OS X 10.6 and 10.7 machines. It does not require a password to install, but if a password is provided the mode of infection changes. Most of the installed files are randomly named, though in every case the malware appears to install a file called "appleHID" in the /Library/ScriptingAdditions/ directory. If a password is supplied and the installer gains root permissions, the malware additionally locates the system's Foundation framework and installs a malware package called "com.apple.mdworker_server.xpc" within it.

The parent directories where these files are installed are the following:

Macintosh HD/Library/ScriptingAdditions/
Macintosh HD/System/Library/Frameworks/Foundation.framework/XPCServices/
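The two install locations above are the only file-system artifacts the article names, so a quick check for them is a reasonable first triage step. The script below is an added example, not code from the article or from Intego; it assumes the paths are exactly as listed and takes an optional volume root so it can be pointed at a mounted disk (or a test directory) rather than the running system.

```shell
#!/bin/sh
# Added example: look for the two file-system artifacts the article
# attributes to OSX/Crisis. Paths are relative to the volume root.
CRISIS_PATHS="Library/ScriptingAdditions/appleHID
System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc"

# crisis_indicator_count [ROOT]
#   Prints the number of indicator paths that exist under ROOT (default "/")
#   to stdout and lists each one found on stderr. Always returns 0 so the
#   caller can capture the count with command substitution.
crisis_indicator_count() {
    root="${1:-/}"
    count=0
    old_ifs="$IFS"
    # Split CRISIS_PATHS on newlines only, so paths with spaces would survive.
    IFS='
'
    for rel in $CRISIS_PATHS; do
        full="${root%/}/$rel"
        if [ -e "$full" ]; then
            printf 'FOUND: %s\n' "$full" >&2
            count=$((count + 1))
        fi
    done
    IFS="$old_ifs"
    printf '%s\n' "$count"
}

# crisis_scan [ROOT]
#   Human-readable verdict; exit status 1 if any artifact is present, so the
#   function can gate a larger fleet-wide check.
crisis_scan() {
    n=$(crisis_indicator_count "$1")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n OSX/Crisis artifact(s) present under ${1:-/}"
        return 1
    fi
    echo "No OSX/Crisis artifacts under ${1:-/}"
}

# Run against the live system, or against the volume root given as $1.
crisis_scan "$@"
```

A hit on either path is only an indicator: the article says the remaining files are randomly named, so a clean result does not prove the absence of the malware.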

Intego provides no information about what the malware looks like when it is first encountered -- whether it is a fake installer posing as a legitimate program, or a drive-by download similar to later variants of the Flashback malware. However, once installed the malware keeps running across reboots and contacts a remote server every 5 minutes, a channel that presumably could be used to send instructions to the infected machine.

Unlike prior OS X malware, this new threat is built in ways that make reverse engineering and identification more difficult, and it uses low-level system calls to help disguise its activity.

Overall, while this is a new threat for OS X with some unique features, unlike others it has not been found on any OS X machines. Its distribution is therefore very low, if not nonexistent, at the moment, and malware definitions for it should soon be available to malware-scanning tools, so be sure to keep them updated if you have one installed.


