It can install without user permission and can hide itself

Jul 25, 2012 14:27 GMT  ·  By

A new Trojan was recently discovered that affects Apple’s Mac computers, yet the risk appears to be low, as the malware has not yet been found on machines in the wild.

However, the software is capable of installing itself without asking for user permission, and it hides itself quite well if installed with root permission, reports the Intego Virus Team, which found the Trojan.

Called Crisis, the new software is said to be a Trojan dropper. The Intego team also notes that it exhibits some anti-analysis and stealthing techniques that are uncommon among OS X malware.

The team also notes that the threat appears to affect only Mac OS X versions 10.6 and 10.7, namely Snow Leopard and Lion.

“It installs without need of any user interaction; no password is required for it to run. The Trojan preserves itself against reboots, so it will continue to run until it’s removed,” the team explains in an email to Softpedia.

“Depending on whether or not the dropper runs on a user account with root permissions, it will install different components. It remains to be seen if or how this threat is installed on a user's system; it may be that an installer component will try to establish root permissions.”

When the Trojan runs on a system with root access, it drops a rootkit to hide itself, the team explains.

The software creates a series of files and folders that help it complete its task: 17 files when running with root access, 14 files when running without it.

The Intego Virus Team also notes that the backdoor component of the malware calls home to the IP address 176.58.100.37 every 5 minutes, awaiting instructions.
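The call-home behaviour described above is something a defender can look for on the network side. What follows is an added example, not code from the article or from Intego: it runs over a constructed outbound-connection log, flags any host that contacts the C2 address named in the report, and separately flags any destination that is contacted at a near-constant interval, which is how a five-minute beacon stands out even before its address is known. The log format, the host names and the benign destination addresses (drawn from documentation IP ranges) are all constructed for the example.

```python
"""Beacon detection over a constructed outbound-connection log (added example).

Only the C2 address and the 5-minute cadence come from the Intego report;
everything else here is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Indicator from the Intego report quoted in the article.
KNOWN_C2 = {"176.58.100.37"}

# Constructed sample log, not real traffic. Benign destinations use the
# 198.51.100.0/24 and 203.0.113.0/24 documentation ranges.
SAMPLE_LOG = """\
2012-07-25T14:00:02 mac-1 -> 198.51.100.20:443
2012-07-25T14:00:05 mac-1 -> 176.58.100.37:80
2012-07-25T14:01:00 mac-2 -> 203.0.113.10:443
2012-07-25T14:02:30 mac-2 -> 203.0.113.10:443
2012-07-25T14:03:41 mac-1 -> 198.51.100.20:443
2012-07-25T14:05:05 mac-1 -> 176.58.100.37:80
2012-07-25T14:10:06 mac-1 -> 176.58.100.37:80
2012-07-25T14:15:05 mac-1 -> 176.58.100.37:80
2012-07-25T14:20:00 mac-2 -> 203.0.113.10:443
2012-07-25T14:20:05 mac-1 -> 176.58.100.37:80
"""


def parse_log(text):
    """Parse lines of the constructed form '<ISO timestamp> <host> -> <ip>:<port>'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, _arrow, dest = line.split()
        ip, port = dest.rsplit(":", 1)
        records.append((datetime.fromisoformat(ts), host, ip, int(port)))
    return records


def find_known_c2(records, indicators=KNOWN_C2):
    """Return {(host, ip)} for every connection to a listed indicator address."""
    return {(host, ip) for _ts, host, ip, _port in records if ip in indicators}


def find_beacons(records, min_hits=3, max_jitter=0.1):
    """Return {(host, ip): mean_interval_seconds} for destinations contacted at a
    near-constant interval: coefficient of variation of the gaps <= max_jitter."""
    by_pair = defaultdict(list)
    for ts, host, ip, _port in records:
        by_pair[(host, ip)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue  # too few contacts to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons


def analyze(text=SAMPLE_LOG):
    """Run both checks over a log and return their findings."""
    records = parse_log(text)
    return {"known_c2": find_known_c2(records), "beacons": find_beacons(records)}


if __name__ == "__main__":
    result = analyze()
    for host, ip in sorted(result["known_c2"]):
        print(f"{host}: contacted known C2 address {ip}")
    for (host, ip), interval in sorted(result["beacons"].items()):
        print(f"{host}: regular beacon to {ip} every {interval:.0f}s")
```

On the sample log, mac-1 is flagged twice: once for reaching the reported address, and once because its contacts arrive about 300 seconds apart with almost no jitter, while mac-2's irregular contacts to a benign address are not flagged. A regular interval on its own is only a lead, since legitimate update checkers also poll on a schedule; the indicator match is the stronger signal, and the interval check is what still fires if the operator moves the backdoor to a different address.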

They also explain that the file has been built to make it harder for reverse-engineering tools to analyze. This kind of anti-analysis technique is common in Windows Trojans, but it has rarely been seen in OS X malware.

Users can protect themselves from Crisis with VirusBarrier X6 and malware definitions dated July 24, 2012 or later. It will also block the malware’s connections to remote servers even if the Trojan horse has already been installed on the user’s machine.

“VirusBarrier Express and VirusBarrier Plus, available exclusively from the Mac App Store, detect this malware with malware definitions dated July 24, 2012 or later, but these programs do not have a real-time scanner due to limitations imposed by the Mac App Store,” the team notes.

They also suggest that “users should scan their Macs after they have updated to the latest malware definitions, or manually scan any installer packages they have downloaded if they seem suspicious.”