New Mac Trojan dubbed OSX/Crisis could be a potential threat

New Mac Trojan Discovered

It’s been a little over 3 months since the Flashback Trojan wreaked havoc for approximately 550,000 Mac users, and now a new Mac Trojan called OSX/Crisis has already been identified. Discovered by Apple security specialist Intego, the malware currently poses as a threat to version 10.6 and 10.7 of the OS X platform.

Although the report points out that the malware hasn’t been spotted in the wild as yet, it’s noted that the threat shows signs of certain anti-analysis and stealthing techniques that are considered unusual for an OS X malware. Snow Leopard and Lion versions of the platform are at risk here. The Trojan dropper is capable of self-installation without the influence of user interaction or a password. To top it off, it’s said to preserve itself against reboots and can continue to run until removed.

“We have not yet seen if or how this threat is installed on a user’s system; it may be that an installer component will try to establish Admin permissions. If the dropper runs on a system with Admin permissions, it will drop a rootkit to hide itself. In either case, it creates a number of files and folders to complete its tasks. It creates 17 files when it’s run with Admin permissions, 14 files when it’s run without. Many of these are randomly named, but there are some that are consistent,” states Lysa Myers through a post on The Mac Security blog.

Based on whether the user account has admin permissions or not, the files installed by the malware will vary. If the conditions are right, the dropper installs a rootkit to stay off the grid and also creates a total of 17 files. And when admin permissions aren’t granted, approximately 14 files will be generated. There are a couple of consistent files as well.

Disregarding the root access status, users will notice the existence of this file –

New Mac Trojan

And while root access is granted, the following files/folders are created –

New Mac Trojan

The report further explains that a call for instructions is placed to the IP address 176.58.100.37 by the backdoor component every 5 minutes.

According to Intego, the company’s VirusBarrier X6 software is capable of detecting the new Mac OSX/Crisis Trojan and removing the malware through the latest definitions.