
Crisis for Mac

Created: 27 Jul 2012 02:44:51 GMT • Updated: 23 Jan 2014 18:13:45 GMT

A new Macintosh malware is making the rounds.

During the first half of 2012 we saw an increase in the number of Mac-based threats: a new variant, OSX.Flashback.K, appeared; OSX.Sabpab was newly discovered; and OSX.Macontrol gained a new variant.

As we begin the second half of 2012, we would like to introduce you to a new instance of Mac malware: OSX.Crisis.

OSX.Crisis is a Trojan that installs a back door on compromised OSX systems. At the time of writing, we are not seeing this threat in the wild. We believe the infection vector relies primarily on social engineering to get the malware installed, and at this point there is no reason to believe a vulnerability is being exploited in conjunction with the threat. One possible installation method is to borrow the brand recognition of popular trademarks to convince users to install the malware.

When this back door is installed, it can monitor the following programs:

  • Adium
  • Mozilla Firefox
  • MSN Messenger (for Mac)
  • Skype

Figure 1. Adium monitoring example

Figure 2. Mozilla Firefox monitoring example

Figure 3. Skype monitoring example

Figure 4. Keylogging functionality

The malware can perform the following actions:

  • Record traffic on MSN Messenger (for Mac) and Adium
  • Record Internet usage on Safari or Mozilla Firefox
  • Capture or record Skype sessions
  • Send confidential information to a command-and-control (C&C) server through a back door (176.58.100.3x) and receive commands

It also creates the following directories and files:

  • /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server
  • /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources/
  • /Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r
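The file paths listed above can be turned into a simple host check. The script below is an added example and is not Symantec's or Intego's tooling; it assumes only the three paths given in this post and takes an optional root directory argument so it can be run against a copied or mounted filesystem rather than the live one.

```shell
#!/bin/sh
# Added example: scan a filesystem root for the OSX.Crisis file paths listed in this post.
# Usage: sh crisis_check.sh [ROOT]   (ROOT defaults to "/", the live system)

# Indicator paths exactly as given in the post (one per line, no spaces in any path).
CRISIS_PATHS="
/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server
/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources/
/Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r
"

# crisis_scan ROOT
#   Reports each indicator path that exists under ROOT on stderr and prints the
#   number of matches on stdout, so callers can test "$(crisis_scan /) -eq 0".
crisis_scan() {
    root="${1:-/}"
    root="${root%/}"          # strip a trailing slash so "$root$p" is well formed
    found=0
    for p in $CRISIS_PATHS; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p" >&2
            found=$((found + 1))
        fi
    done
    echo "$found"
}

# Print a one-line verdict for the chosen root.
matches=$(crisis_scan "${1:-/}")
if [ "$matches" -gt 0 ]; then
    echo "OSX.Crisis indicators present: $matches path(s) matched" >&2
else
    echo "No OSX.Crisis file indicators found under ${1:-/}" >&2
fi
```

Absence of these paths does not prove a clean system (a later variant could use different names), so treat a zero result as one signal among several, not as clearance.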

It definitely appears to be an advanced threat in function but, because we do not see the infection vector in the wild at the time of writing, the spread is low at the moment. Symantec has protection in place for OSX.Crisis with Norton 360 Everywhere, Norton One, and Norton Internet Security for Mac. Our Symantec Endpoint Protection and Symantec Endpoint Protection Small Business Edition products also offer the necessary protection. Users of our Norton AV products are encouraged to update their definitions.

Thanks to Intego who shared these samples with us.