Bill, here is what I found. What does the last sentence mean? Those of you who are the real pros, what do you think? I still have one machine using Snow Leopard because of Quicken, but it's networked to other Macs running Mt. Lion. Anything to worry about?
John

The Crisis/Morcut OS X malware recently discovered via samples submitted to VirusTotal is more than just a backdoor Trojan, Sophos researchers say after analyzing it. Its ultimate goal is to spy on the user, and it does so by monitoring mouse coordinates, instant messenger apps, the built-in webcam and microphone, clipboard contents, pressed keys, calendar data and alerts, address book contents, URLs visited by the user, and more - in short, it is a very thorough spying tool. The Trojan also persists after reboots, and keeps in touch with remote servers for instructions and likely for the exfiltration of the collected information. The Trojan was known to affect the 10.6 and 10.7 versions of OS X, but it's still unknown whether the newly released OS X Mountain Lion is susceptible, too. Luckily for all Mac users, it is yet to be spotted in the wild, and the signatures for detecting it are already incorporated in most Mac AV solutions.

Here is another:

Mac security firm Intego has discovered a new Mac OS X Trojan, OS/X Crisis. The malware installs itself without user intervention and hides well if installed as root, but it has not yet been discovered on Mac users' computers. The threat is only in the last two versions of Mac OS X: Snow Leopard and Lion. Intego describes OS/X Crisis as a Trojan dropper, which is a class of malware that is disguised as a game, screen saver, or a music file. It installs itself without users even being aware and then attempts to cover its tracks and mask its existence. "It makes a lot of effort to hide itself, which is not very common in Mac Trojans," Lysa Myers, a security researcher with Intego, told VentureBeat. "[That effort] is much more common in Windows Trojans." Most of the files that the Trojan creates are randomly named in order to avoid easy detection and removal, but a number of names appear consistently, and users can search for them to check if they are infected.
If the Trojan is installed on a Mac running in root or administrator mode, these files will be present on the system:

/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server
/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources/
/Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r

If you're a bit more of a suspicious person, however, and don't run your system as root or admin, only this file will be present:

/Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r

Once installed, OS/X Crisis calls home to IP address 176.58.100.37 every five minutes, presumably to await instructions. That IP address may change over time, as malware authors often build in features resistant to simple blocking. One question you might be asking: If it's not "in the wild" yet, how did Intego find it? I asked Myers that question, and she said that, as security researchers, Intego personnel spend a lot of time in the dark, nasty recesses of the web. In addition, malware writers often upload their wares to forums and security sites to test if their software is detectable by security software.

And I'll stop with this one:

New Mac Trojan installs silently, no password required

Summary: A new Mac OS X Trojan referred to as OSX/Crisis silently infects OS X 10.6 Snow Leopard and OS X 10.7 Lion. The threat was created in a way that is intended to make reverse engineering more difficult, an added extra that is more common with Windows malware than it is with Mac malware.

By Emil Protalinski for Zero Day | July 24, 2012 -- 23:00 GMT (16:00 PDT)

A new Mac OS X Trojan has been discovered that drops different components depending on whether or not it is executed on a user account with Admin permissions. The threat installs itself silently (no user interaction required) and also does not need your user password to infect your Apple Mac.
The backdoor component calls home to the IP address 176.58.100.37 every five minutes, awaiting instructions. Intego, which had to update its anti-malware signatures upon discovering the threat, refers to it as "OSX/Crisis." The good news is that the security firm has yet to find OSX/Crisis in the wild; the company only stumbled upon it over at VirusTotal, a service for analyzing suspicious files and URLs. This Trojan is like most: when run, it installs silently to create a backdoor. What makes this threat particularly worrying is that depending on whether or not it runs on a user account with Admin permissions, it will install different components, which use low-level system calls to hide their activities. Either way, it will always create a number of files and folders to complete its tasks. If the dropper runs on a system with Admin permissions, it will drop a rootkit to hide itself. The malware creates 17 files when it's run with Admin permissions, 14 files when it's run without. Many of these are randomly named, but there are some that are consistent. With or without Admin permissions, this folder is created:

Read more at http://venturebeat.com/2012/07/24/osx-crisis-new-mac-trojan-discovered-in-the-wild/#7cryKSIsRDXO7Z1R.99

On Aug 18, 2012, at 9:36 PM, Bill Micou wrote:

> This comes from my wife's office IT guy, based on what he heard from his
> higher ups. I haven't heard this on any of the Mac sites, so take it as you
> will, thought I'd pass it on.
>
> I tried to send this just to those of you whom I was aware had a Mac
> Operating System Computer at home. This came through on our monthly
> security bulletin and I thought it was worth sharing.
>
> Crisis OS X Trojan Is an Effective Spy Tool
>
> VirusTotal has reported a new trojan designed for Mac OS X 10. The trojan,
> known as Crisis or Morcut, when downloaded, monitors users' usages,
> including instant messaging apps, web cam, and calendar data. The trojan
> also can contact remote servers for instructions and probably to upload
> the data obtained.
>
> News Source: http://www.net-security.org/malware_news.php?id=2200
>
> _______________________________________________
> MacGroup mailing list
> [email protected]
> http://www.math.louisville.edu/mailman/listinfo/macgroup
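For anyone who wants to check a machine the way the Intego write-up suggests, here is a small script (added as an example; it is not from the thread, from Intego or from Sophos) that looks for the consistently named OSX/Crisis files quoted above and, optionally, for the 176.58.100.37 beacon address in a saved netstat or lsof listing. It assumes you pass the volume root (default /) and that the path list above is complete for the sample described.

```shell
#!/bin/sh
# Added example: check a volume for the OSX/Crisis file indicators named in
# the Intego/VentureBeat article, and a saved connection listing for the C2
# address. Indicator values come from the article; nothing else is assumed.

CRISIS_PATHS="
/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server
/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources
/Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r
"
CRISIS_C2="176.58.100.37"

# check_crisis_files [ROOT]
# Prints every indicator path that exists under ROOT (default /).
# Returns 0 when none are present, 1 when at least one is.
check_crisis_files() {
    root="${1:-/}"
    root="${root%/}"          # strip trailing slash so "/" becomes ""
    found=0
    for p in $CRISIS_PATHS; do
        if [ -e "$root$p" ]; then
            echo "INDICATOR PRESENT: $root$p"
            found=1
        fi
    done
    return $found
}

# check_crisis_c2 FILE
# FILE is saved text output such as "netstat -an" or "lsof -i" captured on
# the machine. Returns 0 if the beacon address is absent, 1 if it appears.
check_crisis_c2() {
    if grep -qF "$CRISIS_C2" "$1"; then
        echo "C2 ADDRESS $CRISIS_C2 SEEN IN: $1"
        return 1
    fi
    return 0
}
```

Run it as root on the Mac itself with `sh -c '. ./crisis_check.sh; check_crisis_files /'`, or point ROOT at a mounted copy of the disk; the beacon check only sees connections that were open when the listing was captured.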
