Slashdot Mirror


New Mac Trojan Installs Silently, No Password Required

An anonymous reader writes "A new Mac OS X Trojan referred to as OSX/Crisis silently infects OS X 10.6 Snow Leopard and OS X 10.7 Lion. The backdoor component calls home to the IP address 176.58.100.37 every five minutes, awaiting instructions. The threat was created in a way that is intended to make reverse engineering more difficult, an added extra that is more common with Windows malware than it is with Mac malware."

35 of 300 comments

  1. Macs don't get viruses. by Anonymous Coward · · Score: 5, Funny

    Yeah, right.

    1. Re:Macs don't get viruses. by Anonymous Coward · · Score: 5, Funny

      You are just holding it wrong.

    2. Re:Macs don't get viruses. by Desler · · Score: 5, Informative

      And trojans aren't viruses unless you're going to show how this is self-replicating.

    3. Re:Macs don't get viruses. by Jeremiah+Cornelius · · Score: 4, Informative

      Maybe ya'lls need to install "Little Snitch".

      That is, if you slipped into Slashdot under false geek creds, and don't know how to configure and monitor pf.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
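      The story summary says the backdoor calls home to 176.58.100.37 every five minutes, and the comment above suggests watching outbound traffic with Little Snitch or pf. The following is an added example (not code from the story, Intego, or any commenter) of what that monitoring can look for: it takes simplified firewall log lines in a constructed format (not real pf output) and flags source/destination pairs whose connection gaps cluster around a fixed period, as well as any host that contacted the C2 address named in the summary.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# C2 address and beacon interval taken from the story summary.
CRISIS_C2 = "176.58.100.37"
BEACON_PERIOD = 300  # seconds

# Constructed sample log in a simplified "timestamp src -> dst:port" format
# (an assumption for this example; it is not the real pf log format).
SAMPLE_LOG = """\
2012-07-25T10:00:00 10.0.0.5 -> 176.58.100.37:80
2012-07-25T10:00:07 10.0.0.5 -> 93.184.216.34:443
2012-07-25T10:05:01 10.0.0.5 -> 176.58.100.37:80
2012-07-25T10:09:59 10.0.0.5 -> 176.58.100.37:80
2012-07-25T10:12:30 10.0.0.8 -> 93.184.216.34:443
2012-07-25T10:15:00 10.0.0.5 -> 176.58.100.37:80
2012-07-25T10:20:02 10.0.0.5 -> 176.58.100.37:80
2012-07-25T10:31:00 10.0.0.8 -> 93.184.216.34:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")

def parse(log):
    """Yield (timestamp, src, dst) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def find_beacons(log, period=BEACON_PERIOD, tolerance=0.05, min_hits=4):
    """Return {(src, dst): gaps} for pairs whose inter-connection gaps have a
    mean near `period` and a small spread (both within tolerance*period)."""
    seen = defaultdict(list)
    for ts, src, dst in parse(log):
        seen[(src, dst)].append(ts)
    hits = {}
    for pair, times in seen.items():
        if len(times) < min_hits:
            continue  # too few samples to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(mean(gaps) - period) <= period * tolerance and pstdev(gaps) <= period * tolerance:
            hits[pair] = gaps
    return hits

def known_c2_contacts(log, c2=CRISIS_C2):
    """Return the sorted list of internal hosts that connected to the C2 address."""
    return sorted({src for _, src, dst in parse(log) if dst == c2})
```

The periodicity check is independent of the IP, so it also surfaces a beacon whose address has changed; the C2 lookup is the narrower, signature-style check.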
    4. Re:Macs don't get viruses. by Pieroxy · · Score: 5, Funny

      You've got to give credit to Apple though: No Password Required. It's all in the ease of use for the user and not bother them with useless questions and controls onscreen.

      Those stupid trojans ask for passwords on Windows! Can you imagine the hassle for the user!??!!

    5. Re:Macs don't get viruses. by Anonymous Coward · · Score: 5, Funny

      Exactly. Mac malware Just Works (tm).

    6. Re:Macs don't get viruses. by ceoyoyo · · Score: 3, Insightful

      They emphasize that point because previous trojans on OS X have required a password to install. It's very rare to run a Mac under an account with superuser rights (it's disabled by default), so installing anything system related requires a sudo. I'm under the impression that trojans generally do not ask for passwords on Windows.

    7. Re:Macs don't get viruses. by BigFire · · Score: 3, Funny

      I still get a kick out of the Open Source Virus, auto-self compilation across ALL platforms.

    8. Re:Macs don't get viruses. by courteaudotbiz · · Score: 4, Funny

      Anonymous Coward? Or Anonymous Canadian? Eh?

    9. Re:Macs don't get viruses. by Khyber · · Score: 4, Insightful

      My geek cred is with regards to optoelectronic horticulture tech, not Linux.

      Slashdot ain't all computer geeks, yanno. Some of us keep you fed for cheap.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    10. Re:Macs don't get viruses. by Hatta · · Score: 3, Insightful

      It's very rare to run a Mac under an account with superuser rights (it's disabled by default), so installing anything system related requires a sudo.

      Since Vista, Windows has largely been the same. It should be very rare to run a Windows 7 machine under an account with superuser rights.

      I'm under the impression that trojans generally do not ask for passwords on Windows.

      On both Windows and Mac you can do a lot from a user account, e.g. DDOS, scan the user's email, etc. If the trojan wants admin rights it will have to do a sudo on either platform.

      --
      Give me Classic Slashdot or give me death!
    11. Re:Macs don't get viruses. by mcgrew · · Score: 3, Insightful

      I've heard a lot of boasting on this site about how secure Linux is.

      Linux and Macs and BSD only seem secure... when compared to Windows.

  2. cool ... good that I use OS 10.5 by acidfast7 · · Score: 5, Insightful

    how about an article on every windows- or android-based trojan.

    1. Re:cool ... good that I use OS 10.5 by plover · · Score: 3, Insightful

      Things constantly improve on all sides, including the quality and sophistication of attacks. But people naturally want to hang onto the old ideas in their heads, partly because they're not close to the "other" system, and partly because they don't like having their old decisions questioned or their assumptions challenged. The "Macs are perfect" idea is again proven faulty, but so are the Mac and Unix people who assign the same amount of failure to Windows 7 that they saw with Windows XP a decade ago.

      It's not that Macs are "equally guilty as Windows" or that "Windows 7 is now perfect". It's just a perception thing. Human nature means that we can expect a ton of gloating and "I told you so!" kinds of responses. And while that doesn't mean a PR department is necessarily behind it, I can understand why a PR department would latch onto this and amplify it.

      --
      John
    2. Re:cool ... good that I use OS 10.5 by rhsanborn · · Score: 5, Informative

      They pulled that comment just a few months ago. Earlier this spring you would have found a claim that it doesn't get PC viruses (Don't be pedantic and claim that it doesn't get PC viruses because PC refers to windows viruses, that's a specious argument and it's a deliberate ploy to claim Macs don't get viruses). So yes, almost every currently deployed Mac was sold with the claim that Macs don't get viruses, directly from Apple.

      http://www.redmondpie.com/apple-removes-its-virus-immunity-claim-for-mac-from-official-website-not-so-safe-from-viruses-after-all-huh/

      http://www.forbes.com/sites/timworstall/2012/06/26/yes-apples-machines-really-can-get-viruses/

    3. Re:cool ... good that I use OS 10.5 by courteaudotbiz · · Score: 5, Insightful

      because PC refers to windows viruses

      PC means personal computer and makes no reference whatsoever to the operating system running on it.

      Wrong. When Apple did their "I'm a PC, I'm a Mac" marketing campaign, it was perfectly clear they referred to Windows against OSX. They specifically insisted that a Mac and a PC are different, but geeks that we are, we know that PCs and Macs are almost the same on their hardware base. So what they referred to was about the OS they run.

      AND I AM NOT AN APPLE FANBOY! I have no Mac computers, no iPods, no iPhone

  3. Re:but what about mountain lion by benjfowler · · Score: 4, Informative

    Not going to help you if you're hit by an in-browser drive-by attack. Chrome or Firefox with Noscript can help here.

  4. Re:let's ddos it by Anonymous Coward · · Score: 4, Funny

    Good call. Let me fire up my trojan botnet.

  5. Re:But Macs Don't Get Viruses by SilverJets · · Score: 5, Informative

    It's not a virus.

  6. Re:But Macs Don't Get Viruses by h4rr4r · · Score: 3, Informative

    This is not a Virus, this is a Trojan. At least try to read the summary, I bet even your kids can do that.

  7. but it's never been seen in the wild by Anonymous Coward · · Score: 5, Informative

    if you actually read the article this is just some bullshit proof of concept made by an anti-virus company to shake down mac users. it's never actually been seen outside of a security website.

    1. Re:but it's never been seen in the wild by Desler · · Score: 3, Informative

      Maybe you should?

      Intego, which had to update its anti-malware signatures upon discovering the threat, refers to it as "OSX/Crisis." The good news is that the security firm has yet to find OSX/Crisis in the wild; the company only stumbled upon it over at VirusTotal, a service for analyzing suspicious files and URLs.

      So there is no proof of it being in the wild and it was only found on a website for analyzing files. So how exactly were they wrong?

  8. How convenient by bugs2squash · · Score: 3, Funny

    that a new version of OSX has just become available to purchase, better rush out and buy it.

    --
    Nullius in verba
  9. Re:but what about mountain lion by Anubis+IV · · Score: 5, Informative

    There's a big difference between merely getting it on their machine and actually executing it. Gatekeeper is a new Mountain Lion feature that, by default, prevents any apps that are not from the Mac App Store and are not otherwise signed with an Apple-provided certificate from executing. While inflammatory, the AC's point still stands.

  10. Re:But Macs Don't Get Viruses by Anubis+IV · · Score: 4, Insightful

    They don't, but you can't fix stupid, which is what trojans exploit.

  11. Re:But Macs Don't Get Viruses by SJHillman · · Score: 4, Funny

    Kids and Viruses have a lot in common. They delete all your stuff, cost tons of money in repairs. The big difference is that you usually like it more when your kids replicate.

  12. Re:Who is willing to bet... by Anonymous Coward · · Score: 3, Funny

    How? From all the Mac users who know how to do that?

    *said while holding up "sarcasm" sign*

  13. Re:but what about mountain lion by CanHasDIY · · Score: 4, Informative

    Gatekeeper is a new Mountain Lion feature

    RTFS; Mountain Lion is not the distro being compromised.

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
  14. Re:But Macs Don't Get Viruses by Killer+Instinct · · Score: 5, Funny

    If you had a trojan you might not have kids or catch a bad virus as easily
    -KI

    --
    #include bier;
  15. Another name, more details by Anonymous Coward · · Score: 3, Informative

    It's called "Morcut" by Sophos and they offer a free anti-virus product for Mac OS X.

    They claim it's designed to access these things: mouse coordinates, instant messengers (for instance, Skype [including call data], Adium and MSN Messenger), location, internal webcam, clipboard contents, key presses, running applications, web URLs, screenshots, internal microphone, calendar data & alerts, device information, address book contents

  16. Re:but what about mountain lion by Moheeheeko · · Score: 4, Interesting

    Hmmm....

    New Version of OSX drops, shortly after new malware discovered that only affects old versions.

    I smell marketing ploy.

  17. User mode malware by tlhIngan · · Score: 4, Insightful

    It seems more and more these days, that malware is becoming user-mode to avoid the nasty popups that come with trying to gain administrator mode.

    Which makes sense as a lot of stuff you need to do as malware can be done strictly as usermode without needing to get admin privileges. This one apparently checks to see if it can get admin or is running in a restricted user account.

    So even malware these days is learning to be friendly and compatible with users who aren't admins and not requiring admin for everything.

  18. Re:but what about mountain lion by the+JoshMeister · · Score: 5, Informative

    From Intego, the company who first blogged about this malware (emphasis mine):

    This threat may run on Leopard 10.5, but it has a tendency to crash. It does not run on the new Mountain Lion 10.8.

    Also...

    This threat has not yet been found in the wild, and so far there is no indication that this Trojan has infected users

    You're right to imply that Mountain Lion users shouldn't get too cocky, but in this particular case, according to this antivirus vendor, the malware hasn't even been found in the wild—and even if it had, it doesn't run on Mountain Lion.

  19. Re:How can reverse engineering be difficult? by Viol8 · · Score: 3, Informative

    "The code detects the debugger and changes it's behavior or disables the debugger."

    Code can't detect being disassembled because it's not being run.

    "Ultimately these tools decrypt their payload so you can't just dump the raw binary. You have to get them to run and decrypt the payload without detecting that you're using a debugger. That's actually pretty damn hard and where most of the time is spent."

    Understood, but if you have the assembler code that does the initial decryption on hand then you just rip out the decryption part and run it on the payload.

    Ultimately you can always single step through each instruction and the program simply won't have a chance to wipe debugger information because you'll see it about to do it before it happens and can break at that point.

  20. Re:but what about mountain lion by dgatwood · · Score: 4, Informative

    My guess is that (if Gatekeeper is enabled) every binary loaded by the system must be signed by Apple or else it won't load.

    Your guess is completely wrong.

    First, the way Gatekeeper works is by interposing the mechanism used for quarantining downloads. A binary compiled on your computer was never downloaded, so code you build yourself should be unaffected by Gatekeeper unless you upload and re-download it or manually set the quarantine flags for testing purposes.

    Second, because Gatekeeper is tied into the quarantine system, the check occurs only the first time that you launch an application. Any application that you installed under previous releases of the OS continues to work as it always did because again, it was not just downloaded.

    When a Gatekeeper check does occur, however, the behavior depends on which mode Gatekeeper is in (set in System Preferences). There are three modes: "Mac App Store" (the default), in which only apps downloaded from the Mac App Store are allowed to launch, "App Store and identified developers", in which apps downloaded from the Mac App Store or from other sites are allowed, but only if signed by a cert obtained from Apple's developer program, or "Anywhere" (essentially turning Gatekeeper off).

    In that middle mode, the app is not signed by Apple at all, but by a third-party developer. That third-party developer's cert is signed by Apple, of course, but the app itself isn't.

    And in all cases, you can override Gatekeeper's behavior by control-clicking the app and choosing "Open" instead of double-clicking it. This will give you the traditional set of prompts from previous OS releases in which it asks you if you want to launch this app that you've never launched before. Alternatively, you can turn Gatekeeper into "Anywhere" mode, launch the app, then change it back. Either way, once you have launched and un-quarantined a given app, Gatekeeper should never bother you again.

    --
    Check out my sci-fi/humor trilogy at PatriotsBooks.