Apparently, most antivirus software (AV solutions) is aware to look for this trojan, or one like it. I always wonder about warnings like this when they come from a firm selling anti-virus software. Maybe they are the ones most actively looking for a trojan, but it reminds me of the HBO series Sopranos where a business owner is offered protection of his business to prevent any possible threat that just might happen to happen. Like I said, I hadn't heard this talked about anywhere else, so it may be smoke.

Bill
On Aug 18, 2012, at 10:13 PM, John Robinson wrote:

> Bill,
>
> Here is what I found, what does the last sentence mean? Those that are the real pros, what do you think? I still have one machine still using Snow Leopard due to Quicken, but it's networked to other Macs running Mt. Lion. Anything to worry about?
>
> John
>
>
> The Crisis/Morcut OS X malware recently discovered via samples submitted to VirusTotal is more than just a backdoor Trojan, Sophos researchers say after analyzing it.
>
> Its ultimate goal is to spy on the user, and it does so by monitoring mouse coordinates, instant messenger apps, the built-in webcam and microphone, clipboard contents, pressed keys, calendar data and alerts, address book contents, URLs visited by the user, and more - in short, it is a very thorough spying tool.
>
> The Trojan also persists after reboots, and keeps in touch with remote servers for instructions and likely for the exfiltration of the collected information.
>
> The Trojan was known to affect the 10.6 and 10.7 versions of OS X, but it's still unknown whether the newly released OS X Mountain Lion is susceptible, too.
>
> Luckily for all Mac users, it is yet to be spotted in the wild, and the signatures for detecting it are already incorporated in most Mac AV solutions.
>
>
> Here is another:
>
>
>
> Mac security firm Intego has discovered a new Mac OS X Trojan, OS/X Crisis. The malware installs itself without user intervention and hides well if installed as root, but it has not yet been discovered on Mac users’ computers. The threat is only in the last two versions of Mac OS X: Snow Leopard and Lion.
>
> Intego describes OS/X Crisis as a Trojan dropper, which is a class of malware that is disguised as a game, screen saver, or a music file. It installs itself without users even being aware and then attempts to cover its tracks and mask its existence.
>
> “It makes a lot of effort to hide itself, which is not very common in Mac Trojans,” Lysa Myers, a security researcher with Intego, told VentureBeat. ”[That effort] is much more common in Windows Trojans.”
>
> Most of the files that the Trojan creates are randomly named in order to avoid easy detection and removal, but a number of names appear consistently, and users can search for them to check if they are infected.
>
> If the Trojan is installed on a Mac running in root or administrator mode, these files will be present on the system:
>
> /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server
> /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources/
> /Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r
>
> If you’re a bit more of a suspicious person, however, and don’t run your system as root or admin, only this file will be present:
>
> /Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r
>
> Once installed, OS/X Crisis calls home to IP address 176.58.100.37 every five minutes, presumably to await instructions. That IP address may change over time, as malware authors often build in features resistant to simple blocking.
>
> One question you might be asking: If it’s not “in the wild” yet, how did Intego find it?
>
> I asked Myers that question, and she said that, as security researchers, Intego personnel spend a lot of time in the dark, nasty recesses of the web. In addition, malware writers often upload their wares to forums and security sites to test if their software is detectable by security software.
>
>
> And I'll stop with this one:
>
>
>
>
> New Mac Trojan installs silently, no password required
>
> Summary: A new Mac OS X Trojan referred to as OSX/Crisis silently infects OS X 10.6 Snow Leopard and OS X 10.7 Lion. The threat was created in a way that is intended to make reverse engineering more difficult, an added extra that is more common with Windows malware than it is with Mac malware.
>
>
>
> By Emil Protalinski for Zero Day | July 24, 2012 -- 23:00 GMT (16:00 PDT)
>
> A new Mac OS X Trojan has been discovered that drops different components depending on whether or not it is executed on a user account with Admin permissions. The threat installs itself silently (no user interaction required) and also does not need your user password to infect your Apple Mac. The backdoor component calls home to the IP address 176.58.100.37 every five minutes, awaiting instructions.
>
> Intego, which had to update its anti-malware signatures upon discovering the threat, refers to it as "OSX/Crisis." The good news is that the security firm has yet to find OSX/Crisis in the wild; the company only stumbled upon it over at VirusTotal, a service for analyzing suspicious files and URLs.
>
> This Trojan is like most: when run, it installs silently to create a backdoor. What makes this threat particularly worrying is that depending on whether or not it runs on a user account with Admin permissions, it will install different components, which use low-level system calls to hide their activities. Either way, it will always create a number of files and folders to complete its tasks.
>
> If the dropper runs on a system with Admin permissions, it will drop a rootkit to hide itself. The malware creates 17 files when it's run with Admin permissions, 14 files when it's run without. Many of these are randomly named, but there are some that are consistent. With or without Admin permissions, this folder is created:
>
> Read more at
> http://venturebeat.com/2012/07/24/osx-crisis-new-mac-trojan-discovered-in-the-wild/#7cryKSIsRDXO7Z1R.99
>
>
>
> On Aug 18, 2012, at 9:36 PM, Bill Micou wrote:
>
>> This comes from my wife's office IT guy, based on what he heard from his higher ups. I haven't heard this on any of the Mac sites, so take it as you will, thought I'd pass it on.
>>
>>
>> I tried to send this just to those of you whom I was aware had a Mac Operating System Computer at home. This came through on our monthly security bulletin and I thought it was worth sharing.
>>
>> Crisis OS X Trojan Is an Effective Spy Tool
>>
>> VirusTotal has reported a new trojan designed for Mac OS X 10. The trojan, known as Crisis or Morcut, when downloaded, monitors users’ usages, including instant messaging apps, web cam, and calendar data. The trojan also can contact remote servers for instructions and probably to upload the data obtained.
>>
>> News Source: http://www.net-security.org/malware_news.php?id=2200
>>
>>
>>
>> _______________________________________________
>> MacGroup mailing list
>> [email protected]
>> http://www.math.louisville.edu/mailman/listinfo/macgroup
>
>
> _______________________________________________
> MacGroup mailing list
> [email protected]
> http://www.math.louisville.edu/mailman/listinfo/macgroup
_______________________________________________
MacGroup mailing list
[email protected]
http://www.math.louisville.edu/mailman/listinfo/macgroup
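Turning the indicators quoted in this thread into something a defender could actually run is an added example of my own, not code from the list or from the vendors quoted above: it checks for the two consistently named files Intego reported, and scans connection-log lines in a constructed, hypothetical `<timestamp> <src> -> <dst>:<port>` format for the five-minute beacon to 176.58.100.37 (the sample log lines, hosts and port are constructed).

```python
import re
from datetime import datetime
from pathlib import Path

# Indicators quoted in the thread (OSX/Crisis as described by Intego).
CRISIS_C2 = "176.58.100.37"
CRISIS_PATHS = [
    "System/Library/Frameworks/Foundation.framework/XPCServices/"
    "com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server",
    "Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r",
]
# Constructed, hypothetical log format: "<ISO timestamp> <src> -> <dst>:<port>"
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")

def check_crisis_paths(root="/"):
    """Return the quoted indicator paths that exist under root ("/" on a live Mac)."""
    base = Path(root)
    return [p for p in CRISIS_PATHS if (base / p).exists()]

def find_beacons(lines, dst_ip=CRISIS_C2, period_s=300, slack_s=30, min_hits=3):
    """Map each source that reaches dst_ip at a ~period_s cadence to its longest run."""
    by_src = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group(3) != dst_ip:
            continue
        by_src.setdefault(m.group(2), []).append(datetime.fromisoformat(m.group(1)))
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        run = best = 1
        for earlier, later in zip(times, times[1:]):
            gap = (later - earlier).total_seconds()
            run = run + 1 if abs(gap - period_s) <= slack_s else 1  # consecutive ~5 min gaps
            best = max(best, run)
        if best >= min_hits:
            flagged[src] = best
    return flagged

# Constructed sample: one host beaconing every ~5 minutes, one unrelated flow, one one-off hit.
SAMPLE_LOG = [
    "2012-08-18T21:00:02 10.0.1.12 -> 176.58.100.37:80",
    "2012-08-18T21:01:10 10.0.1.12 -> 192.0.2.10:443",
    "2012-08-18T21:05:01 10.0.1.12 -> 176.58.100.37:80",
    "2012-08-18T21:10:03 10.0.1.12 -> 176.58.100.37:80",
    "2012-08-18T21:15:00 10.0.1.12 -> 176.58.100.37:80",
    "2012-08-18T21:20:05 10.0.1.12 -> 176.58.100.37:80",
    "2012-08-18T21:30:00 10.0.1.30 -> 176.58.100.37:80",
]

if __name__ == "__main__":
    print("indicator files present:", check_crisis_paths())
    print("beaconing hosts:", find_beacons(SAMPLE_LOG))
```

The cadence check, not the IP alone, is what survives the address change the Intego quote warns about: the same function can be pointed at any destination seen in the logs.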
