New Mac backdoor Trojan spotted
A new Mac Trojan – dubbed Crisis or Morcut – has been spotted but, luckily, not in the wild.
Security firms Intego and Sophos have picked up samples from Virus Total, which shares the samples submitted to it with AV developers, and the fact that it could be found only there shows that the threat is extremely low risk.
Nevertheless, the malware itself is far from harmless.
It can compromise the last two version of Apple’s OS X (10.6 and 10.7) and it doesn’t require a password to be entered to do it.
“The Trojan preserves itself against reboots, so it will continue to run until it’s removed,” Intego researchers explained. “Depending on whether or not the dropper runs on a user account with Admin permissions, it will install different components.”
The ultimate goal of the Trojan is to open a backdoor into the system, and then “call home” to the IP address 184.108.40.206 for further instructions every five minutes.
“The file is created in a way that is intended to make reverse engineering tools more difficult to use when analyzing the file. This sort of anti-analysis technique is common in Windows malware, but is relatively uncommon for OS X malware,” they pointed out.
They also noted that they are not aware of the actual way that the threat is installed on a targeted system, but Sophos’ experts have been able to shed more light on the matter.
They noticed that the malware package arrived in a file named AdobeFlashPlayer.jar, and that inside the file is a .class file named WebEnhancer, and two files named win and mac.
“WebEnhancer is implemented as an applet: a special sort of Java program that runs inside a Java-enabled browser,” Paul Ducklin explains. “The author’s inventiveness obviously ran out at this point: win is an installer for Windows malware, whilst mac is an installer for the Crisis, or Morcut, malware for OS X.”
It is still unknown as what the threat poses when delivered, but the good news is that it at east triggers the “digital signature cannot be verified” alert that can warn users about the malicious nature of the application.
Ducklin also points out that the Trojan can be delivered in other types of files – not only JAR ones.
Both firms have already issued signatures for detecting the malware. Still, it is impossible at this point to tell whether the Trojan will also affect OS X 10.8 (Mountain Lion) whose release is scheduled for today.