Security researchers have discovered a new Mac trojan capable of installing itself without the need for admin permissions or even the user's password.
Yet more proof for the cult of Apple that Macs are just as susceptible to viruses and Trojans as any other computer: a new OS X Trojan has been discovered that drops components based on whether or not the user account it is executed on has admin permissions or not. The Trojan installs itself completely silently without any user interaction required, including not needing your password in order to install itself. After installing, it calls home to 126.96.36.199 every five minutes while it waits for instructions.
Intego, a Mac security software company, had to update its malware detection program when they discovered the threat, which they are calling “OSX/Crisis”. The good news, though, is that Intego has yet to find OSX/Crisis in the wild, instead stumbling on it at VirusTotal, a service that analyzes suspicious files and URLs. Like most Trojans, OSX/Crisis will silently install and create a backdoor to the system, but this threat is particularly dangerous and worrying is that it will install different components based on whether or not the user has admin permissions on the system; these components use low-level system calls and instructions in order to hide themselves from the operating system. Whether or not the user has admin privileges, OSX/Crisis will have the proper components to complete the tasks it was designed for.
With admin permissions, OSX/Crisis will drop a rootkit in order to hide itself; it creates 17 files with admin permissions and 14 without. Some of these files are randomly named, but some are consistent throughout installs. For instance, the folder “/Library/ScriptingAdditions/appleHID/” is created, and if admin permissions are present, the folder “/System/Library/Frameworks/Foundation.framework/XPCServices/” gets created. What’s interesting is that, according to a spokesperson for Intego, the files are created in such a way as to make reverse-engineering more difficult when analyzing them, a technique that “is common in Windows malware, but is relatively uncommon for OSX malware.”
Interestingly, OSX/Crisis only affects OS X 10.6 Snow Leopard and OS X 10.7 Lion, underlining the importance of keeping an antivirus program on Macs and keeping that program updated, as well as installing all of the latest security updates. It’s unclear whether or not OSX/Crisis will affect OSX 10.8 Mountain Lion, but updating to 10.8 would certainly not hurt.