
New Mac Trojan Installs Silently, No Password Required

timothy posted more than 2 years ago | from the look-ma-no-hands dept.

Security 300

An anonymous reader writes "A new Mac OS X Trojan referred to as OSX/Crisis silently infects OS X 10.6 Snow Leopard and OS X 10.7 Lion. The backdoor component calls home to the IP address 176.58.100.37 every five minutes, awaiting instructions. The threat was created in a way that is intended to make reverse engineering more difficult, an added extra that is more common with Windows malware than it is with Mac malware."


Macs don't get viruses. (5, Funny)

Anonymous Coward | more than 2 years ago | (#40777629)

Yeah, right.

Re:Macs don't get viruses. (5, Funny)

Anonymous Coward | more than 2 years ago | (#40777665)

You are just holding it wrong.

Re:Macs don't get viruses. (5, Funny)

Pieroxy (222434) | more than 2 years ago | (#40778053)

You've got to give credit to Apple though: No Password Required. It's all in the ease of use for the user and not bother them with useless questions and controls onscreen.

Those stupid trojans ask for passwords on Windows! Can you imagine the hassle for the user!??!!

Re:Macs don't get viruses. (5, Funny)

Anonymous Coward | more than 2 years ago | (#40778343)

Exactly. Mac malware Just Works (tm).

Re:Macs don't get viruses. (3, Insightful)

ceoyoyo (59147) | more than 2 years ago | (#40778419)

They emphasize that point because previous trojans on OS X have required a password to install. It's very rare to run a Mac under an account with superuser rights (it's disabled by default), so installing anything system related requires a sudo. I'm under the impression that trojans generally do not ask for passwords on Windows.

Re:Macs don't get viruses. (3, Funny)

BigFire (13822) | more than 2 years ago | (#40778501)

I still get a kick out of the Open Source Virus, auto-self compilation across ALL platforms.

Re:Macs don't get viruses. (5, Informative)

Desler (1608317) | more than 2 years ago | (#40777675)

And trojans aren't viruses unless you're going to show how this is self-replicating.

Re:Macs don't get viruses. (4, Informative)

Jeremiah Cornelius (137) | more than 2 years ago | (#40777861)

Maybe ya'lls need to install "Little Snitch". [obdev.at]

That is, if you slipped into Slashdot under false geek creds, and don't know how to configure and monitor pf. [blogspot.com]

Re:Macs don't get viruses. (0)

Anonymous Coward | more than 2 years ago | (#40778477)

So you're saying it's more of a worm, eh?

Re:Macs don't get viruses. (-1)

Anonymous Coward | more than 2 years ago | (#40778295)

ignorant apple-fanboys like you disgust me.

please refrain from breeding. Thank you

but what about mountain lion (0)

Anonymous Coward | more than 2 years ago | (#40777639)

if it ain't from the app store it aint gettin installed, bitch.

Re:but what about mountain lion (4, Informative)

benjfowler (239527) | more than 2 years ago | (#40777689)

Not going to help you if you're hit by an in-browser drive-by attack. Chrome or Firefox with Noscript can help here.

Re:but what about mountain lion (2)

Desler (1608317) | more than 2 years ago | (#40777751)

Sure it will. If it's not signed by Apple or an Apple developer, Gatekeeper prevents it from installing. Or do you have any proof it can bypass Gatekeeper?

Re:but what about mountain lion (1)

h4rr4r (612664) | more than 2 years ago | (#40778007)

Which means any geek has to turn that off to use fink.

Re:but what about mountain lion (0)

Anonymous Coward | more than 2 years ago | (#40777773)

Yes it will. It cannot execute if it's not signed.

Re:but what about mountain lion (5, Informative)

Anubis IV (1279820) | more than 2 years ago | (#40777777)

There's a big difference between merely getting it on their machine and actually executing it. Gatekeeper is a new Mountain Lion feature that, by default, prevents any apps that are not from the Mac App Store and are not otherwise signed with an Apple-provided certificate from executing. While inflammatory, the AC's point still stands.

Re:but what about mountain lion (2)

djsmiley (752149) | more than 2 years ago | (#40777797)

When Firefox/Chrome/Safari launch a process they are still classed as being "from the app store" right?

Re:but what about mountain lion (1)

Desler (1608317) | more than 2 years ago | (#40777855)

No.

Re:but what about mountain lion (0)

Anonymous Coward | more than 2 years ago | (#40777873)

When you launch a process you are either launching a second copy of your executable or you are launching a completely separate executable. In either case that executable needs to be signed.

Re:but what about mountain lion (0)

Anonymous Coward | more than 2 years ago | (#40778381)

What if you load a library and call a malicious function within it from the context of the signed executable's process?

Re:but what about mountain lion (2)

iluvcapra (782887) | more than 2 years ago | (#40778567)

All libraries and frameworks, including their bundled static resources, images, strings files, and so on, must also be signed [apple.com] .

Re:but what about mountain lion (1)

jonwil (467024) | more than 2 years ago | (#40777965)

My guess is that (if Gatekeeper is enabled) every binary loaded by the system must be signed by Apple or else it won't load.

Re:but what about mountain lion (1)

Desler (1608317) | more than 2 years ago | (#40777983)

Or those signed by a registered Apple developer since that is the default Gatekeeper setting.

Re:but what about mountain lion (2)

iluvcapra (782887) | more than 2 years ago | (#40778069)

Any executable that's downloaded is "tainted." Mach-O executables carry their certificates and checksums as metadata segments in the executable, and if you don't have those, or they don't resolve to a certificate with an Apple signature, Gatekeeper will stop it from running according to the user's preference setting.

Taintedness can be removed with

$ sudo xattr -d ...

to delete it (it's stored in the filesystem extended attributes), or by launching the app from the "Open" command contextual menu. It will not launch by double-clicking, Apple-O'ing, or with Apple Events (like Firefox would do).

Re:but what about mountain lion (4, Informative)

CanHasDIY (1672858) | more than 2 years ago | (#40778087)

Gatekeeper is a new Mountain Lion feature

RTFS; Mountain Lion is not the distro being compromised.

Re:but what about mountain lion (4, Interesting)

Moheeheeko (1682914) | more than 2 years ago | (#40778281)

Hmmm....

New Version of OSX drops, shortly after new malware discovered that only affects old versions.

I smell marketing ploy.

Re:but what about mountain lion (2)

Baloroth (2370816) | more than 2 years ago | (#40778169)

Not true. Read the Ars Technica review: Gatekeeper only stops the execution of apps directly from downloading them (downloaded executables are flagged). Hell, you can right-click the app after downloading it, select "run", and it will work just fine.

Re:but what about mountain lion (2)

jjjhs (2009156) | more than 2 years ago | (#40778471)

That didn't sound right so I looked it up. I would not have put it past Apple to require every single program be signed by them or as an approved developer to keep out "undesirables", however, that's not what's going on. https://securosis.com/blog/os-x-10.8-gatekeeper-in-depth [securosis.com]

Re:but what about mountain lion (5, Informative)

the JoshMeister (742476) | more than 2 years ago | (#40778463)

From Intego, the company who first blogged about this malware (emphasis mine):

This threat may run on Leopard 10.5, but it has a tendency to crash. It does not run on the new Mountain Lion 10.8.

Also...

This threat has not yet been found in the wild, and so far there is no indication that this Trojan has infected users

You're right to imply that Mountain Lion users shouldn't get too cocky, but in this particular case, according to this antivirus vendor, the malware hasn't even been found in the wild—and even if it had, it doesn't run on Mountain Lion.

Re:but what about mountain lion (1)

Baloroth (2370816) | more than 2 years ago | (#40778205)

Maybe, maybe not. Gatekeeper is supposed to prevent unsigned downloaded programs from running, but it will only work if the executable gets properly flagged as "downloaded." It doesn't stop other executables from running, nor does it stop people from running them directly, so whether it will stop all drive-bys or not is not 100% clear (it should stop some, of course).

Re:but what about mountain lion (1)

gtall (79522) | more than 2 years ago | (#40778297)

Only by default, there are two other settings, one of which will let you install anything unsigned. And it isn't clear the other two settings will stop a drive by.

let's ddos it (0)

Anonymous Coward | more than 2 years ago | (#40777669)

ping 176.58.100.37 -t

Re:let's ddos it (4, Funny)

Anonymous Coward | more than 2 years ago | (#40777709)

Good call. Let me fire up my trojan botnet.

cool ... good that I use OS 10.5 (5, Insightful)

acidfast7 (551610) | more than 2 years ago | (#40777683)

how about an article on every windows- or android-based trojan.

Re:cool ... good that I use OS 10.5 (2, Informative)

Anonymous Coward | more than 2 years ago | (#40777783)

how about an article on every windows- or android-based trojan.

Android and Windows are not being sold as a safe haven for trojans and viruses; Mac OS is.

Re:cool ... good that I use OS 10.5 (1, Troll)

acidfast7 (551610) | more than 2 years ago | (#40777935)

show me where on the Apple webpage that OS 10.8 is "a safe haven" from trojans and viruses?

Re:cool ... good that I use OS 10.5 (5, Informative)

rhsanborn (773855) | more than 2 years ago | (#40778179)

They pulled that comment just a few months ago. Earlier this spring you would have found a claim that it doesn't get PC viruses (Don't be pedantic and claim that it doesn't get PC viruses because PC refers to windows viruses, that's a specious argument and it's a deliberate ploy to claim Macs don't get viruses). So yes, almost every currently deployed Mac was sold with the claim that Macs don't get viruses, directly from Apple.

http://www.redmondpie.com/apple-removes-its-virus-immunity-claim-for-mac-from-official-website-not-so-safe-from-viruses-after-all-huh/

http://www.forbes.com/sites/timworstall/2012/06/26/yes-apples-machines-really-can-get-viruses/

Re:cool ... good that I use OS 10.5 (-1)

Anonymous Coward | more than 2 years ago | (#40778345)

Might I add to the end of his statement something that he was far too polite to say:

BITCH

Re:cool ... good that I use OS 10.5 (1)

cpu6502 (1960974) | more than 2 years ago | (#40778251)

Apple's never made that claim for 10.8, because they know they would get sued for false advertising. But they made the "Macs don't get viruses" claim to OS 10.5, 10.6, and 10.7 (which has been shown to be false).

I like Macs. But not the price tag (see my signature). I used them faithfully throughout college, but not anymore. I wish Commodore & Atari were still in business. They sold computers at prices normal people could afford ($150 for a C64, $500 for an Amiga or ST) (versus $2-3000 for IBM PC or Mac).

Re:cool ... good that I use OS 10.5 (1)

gtall (79522) | more than 2 years ago | (#40778331)

Yes, because a decent OS gui, associated software, and integration is priceless.

Re:cool ... good that I use OS 10.5 (1)

Krojack (575051) | more than 2 years ago | (#40778557)

Wait what? $2k-$3k for a Windows/Linux computer?

Sure if you want the biggest and baddest machine currently out. You can easily build a Windows/Linux machine for $900-$1500 tops that is pretty powerful.

Re:cool ... good that I use OS 10.5 (0)

Anonymous Coward | more than 2 years ago | (#40777829)

I was thinking the same thing. I personally think the OS's Apple produces suck and I do not use them, but I'm guessing there is a PR department out there fueling the flames on these stories.

Re:cool ... good that I use OS 10.5 (3, Insightful)

plover (150551) | more than 2 years ago | (#40778107)

Things constantly improve on all sides, including the quality and sophistication of attacks. But people naturally want to hang onto the old ideas in their heads, partly because they're not close to the "other" system, and partly because they don't like having their old decisions questioned or their assumptions challenged. The "Macs are perfect" idea is again proven faulty, but so are the Mac and Unix people who assign the same amount of failure to Windows 7 that they saw with Windows XP a decade ago.

It's not that Macs are "equally guilty as Windows" or that "Windows 7 is now perfect". It's just a perception thing. Human nature means that we can expect a ton of gloating and "I told you so!" kinds of responses. And while that doesn't mean a PR department is necessarily behind it, I can understand why a PR department would latch onto this and amplify it.

Re:cool ... good that I use OS 10.5 (1)

hcs_$reboot (1536101) | more than 2 years ago | (#40777999)

how about an article on every windows- or android-based trojan

Mac OS Trojans are still pretty exceptional.

Re:cool ... good that I use OS 10.5 (-1)

Anonymous Coward | more than 2 years ago | (#40778367)

How about taking Steve Job's dead dick out of your anus?

But Macs Don't Get Viruses (-1, Redundant)

stevegee58 (1179505) | more than 2 years ago | (#40777691)

At least that's what my kids tell me.

Re:But Macs Don't Get Viruses (5, Informative)

SilverJets (131916) | more than 2 years ago | (#40777731)

It's not a virus.

Re:But Macs Don't Get Viruses (3, Informative)

h4rr4r (612664) | more than 2 years ago | (#40777739)

This is not a Virus, this is a Trojan. At least try to read the summary, I bet even your kids can do that.

Re:But Macs Don't Get Viruses (2, Funny)

Anonymous Coward | more than 2 years ago | (#40777759)

This is not a Kid, this is a Virus. At least try to read the summary, I bet even your Trojan can do that.

Re:But Macs Don't Get Viruses (4, Funny)

SJHillman (1966756) | more than 2 years ago | (#40778017)

Kids and Viruses have a lot in common. They delete all your stuff, cost tons of money in repairs. The big difference is that you usually like it more when your kids replicate.

Re:But Macs Don't Get Viruses (5, Funny)

Killer Instinct (851436) | more than 2 years ago | (#40778159)

If you had a trojan you might not have kids or catch a bad virus as easily
-KI

Re:But Macs Don't Get Viruses (1)

thePowerOfGrayskull (905905) | more than 2 years ago | (#40778309)

::golf clap::

Re:But Macs Don't Get Viruses (1)

Cwix (1671282) | more than 2 years ago | (#40778535)

Pure awesome.

Re:But Macs Don't Get Viruses (4, Insightful)

Anubis IV (1279820) | more than 2 years ago | (#40777791)

They don't, but you can't fix stupid, which is what trojans exploit.

also writing "OS X 10.5" is like ATM machine... (-1, Offtopic)

acidfast7 (551610) | more than 2 years ago | (#40777693)

repetitive much?

Re:also writing "OS X 10.5" is like ATM machine... (1)

tgd (2822) | more than 2 years ago | (#40777979)

repetitive much?

No, its not. The product is "OS X". The version is 10.5.

What else would you say? "OS X 5"? That's neither the product, nor the version.

Re:also writing "OS X 10.5" is like ATM machine... (0)

acidfast7 (551610) | more than 2 years ago | (#40778025)

how about OS 10.5?

Re:also writing "OS X 10.5" is like ATM machine... (1)

Dog-Cow (21281) | more than 2 years ago | (#40778439)

But OS isn't the name. So while it would probably be easy to tell from context what you are referring to, it's hardly redundant to call OS X 10.5 by its designated name (and version).

In other words, you are wrong. Get over it.

Re:also writing "OS X 10.5" is like ATM machine... (1)

cpu6502 (1960974) | more than 2 years ago | (#40778513)

>>>The product is "OS X". The version is 10.5.

So macs have been using the same OS since 2000? Wow. And I thought XP had a long lifespan. At least we XP users got our versions (SP0,1,2,3) for free and didn't have to pay for them.

According to Ars Technica the proper pronunciation of OS X 10.5 is "O.S. ten ten point five" so yeah the grandparent poster was correct. It's redundant.

Re:also writing "OS X 10.5" is like ATM machine... (1)

tstrunk (2562139) | more than 2 years ago | (#40778031)

repetitive much?

"also writing "OS X 10.5" is like ATM machine..."
If there was only a little bit of truth in that statement:

OSX 10.5 doesn't get security patches anymore, as written here: http://www.sture.ch/node/196 [sture.ch]
So using 10.5 (and if the link is correct also 10.6 from now on) is a bigger security threat than this single Trojan reported here.

Re:also writing "OS X 10.5" is like ATM machine... (1)

tstrunk (2562139) | more than 2 years ago | (#40778127)

Sorry, didn't get it. My reply therefore doesn't make sense.

More common... (0)

Anonymous Coward | more than 2 years ago | (#40777705)

Everything is "more common on windows" than mac regarding malware, because hitherto that's the softest, most rewarding target. With so many idevices, that's changing.

OSX - soon to be the Windows of the computer world (1)

Anonymous Coward | more than 2 years ago | (#40777711)

I love my MacBook, but this goes to show that security through obscurity isn't a great way to go.

Re:OSX - soon to be the Windows of the computer wo (0)

Anonymous Coward | more than 2 years ago | (#40777741)

I also have Windows 7 on it with Bootcamp and run AV scans on both operating systems, because no OS is infallible.

Re:OSX - soon to be the Windows of the computer wo (1)

crashumbc (1221174) | more than 2 years ago | (#40777763)

Well, it "was", the problem is Macs and OS x are no longer "obscure" ...

Re:OSX - soon to be the Windows of the computer wo (1)

Theoden (121862) | more than 2 years ago | (#40777929)

I love my MacBook, but this goes to show that security through obscurity isn't a great way to go.

Security through obscurity has always been a myth. :P If it was truly the case, why did (does?) malware on pre-OS X (System 7.5 - Mac OS 9) greatly outnumber that on OS X systems? :P

Re:OSX - soon to be the Windows of the computer wo (1, Insightful)

vistapwns (1103935) | more than 2 years ago | (#40778453)

I answer this question so much I should just put it on my blog and link to it. System 7.5 - Mac OS 9 had NO SECURITY whatsoever and software was shared with writable disks, and so, many people wrote malware for fun and fame in those days. Since around Mac OS X's release, software is distributed on read-only media (CDs, DVDs; Blu-ray is still a bag of hurt I hear) and the threats come from exploiting programs over the network or social engineering to trick the user to download a trojan. Exploiting a program and social engineering mean selecting Mac users on web sites when they are outnumbered 10:1 by Windows users typically; with malware being profit driven nowadays because all of the mainstream OSes are basically secure against the trivial threats of 90's malware, it hardly ever makes sense to target 5% over 90%. In the same sense that most games are not available for Macs, the profit incentive is not there. The argument that your logic leads to is that Macs are not infected because they can not be infected, but this and other malware prove that wrong. Mac malware thus far does not do anything profound that Windows malware doesn't do; basically the user is tricked into downloading it and it does what it wants. It's not like Mac malware so far is some mission impossible type stuff and more difficult to deploy than Windows malware.

Re:OSX - soon to be the Windows of the computer wo (0)

Anonymous Coward | more than 2 years ago | (#40777981)

Security through obscurity was never an Apple thing. This sort of comment is made by people who don't know anything but want to sound like they do. Prior to OS X there was plenty of malware for Macs which had a far smaller market share than they do now. But OS X being Unix based did not offer the opportunities of previous Mac OSes or Windows. It was hard to do.
Now there is a tiny amount of malware for OS X including this one which has never been seen in the wild. Of course Slashdot doesn't mention that because they are all about the page views now.
The Windows kids with their Best Buy laptops daddy bought them get on and say how somehow the thousands of viruses and malware they deal with are just the same on Macs. Right.
Don't forget the Android contingent. Also predominantly teenage boys whose daddy bought their phone on a BOGO offer; they never miss an opportunity to cry about Apple like the ignorant whiners they are.

Re:OSX - soon to be the Windows of the computer wo (2)

thePowerOfGrayskull (905905) | more than 2 years ago | (#40778349)

Obscurity is just one valid tool in a security arsenal -- but it shouldn't be the only one. Ranked high above it in importance is "user education" - a feat that's nearly impossible as we continue to dumb down the computing experience.

but it's never been seen in the wild (5, Informative)

Anonymous Coward | more than 2 years ago | (#40777743)

if you actually read the article this is just some bullshit proof of concept made by a anti-virus company to shake down mac users. it's never actually been seen outside of a security website.

Re:but it's never been seen in the wild (0)

Anonymous Coward | more than 2 years ago | (#40777799)

if you actually read the article this is just some bullshit proof of concept made by a anti-virus company to shake down mac users. it's never actually been seen outside of a security website.

Yeah, no, that's not what it says. Maybe you should read the article.

Re:but it's never been seen in the wild (3, Informative)

Desler (1608317) | more than 2 years ago | (#40777897)

Maybe you should?

Intego, which had to update its anti-malware signatures upon discovering the threat, refers to it as "OSX/Crisis." The good news is that the security firm has yet to find OSX/Crisis in the wild; the company only stumbled upon it over at VirusTotal, a service for analyzing suspicious files and URLs.

So there is no proof of it being in the wild and was only found on a website for analyzing files. So how exactly were they wrong?

Re:but it's never been seen in the wild (2)

inject_hotmail.com (843637) | more than 2 years ago | (#40778391)

So there is no proof of it being in the wild and was only found on a website for analyzing files. So how exactly were they wrong?

Where do you think the "suspicious files" come from?

Little Snitch should catch it, tho, right? (1)

jbeach (852844) | more than 2 years ago | (#40777755)

Hopefully Little Snitch [obdev.at] alerts about this, and can block it?

How convenient (3, Funny)

bugs2squash (1132591) | more than 2 years ago | (#40777775)

that a new version of OSX has just become available to purchase, better rush out and buy it.

Re:How convenient (1)

Desler (1608317) | more than 2 years ago | (#40777803)

Yes, because Apple is well known for colluding with anti-virus companies to sell new versions of their OS.

Re:How convenient (-1)

Anonymous Coward | more than 2 years ago | (#40777939)

If it was well known, it wouldn't work so well. This is why Apple quietly pays off the anti-virus companies, and occasionally takes the time to develop viruses like this one in-house, since there isn't a big enough user-base to keep an effective virus eco-system and drive sales.

Really good news... (0)

Anonymous Coward | more than 2 years ago | (#40777787)

This is really good to hear. Lately, remembering all of those passwords
has been a problem (and I'm sure many others have had the same experience),
so the fact that it installs without a password is a real convenience for me.

Let's face it, these kinds of things give the lock-in architecture more credibility,
so I'm suspicious of the money driving these types of thing...

Just sayin'

CAPTCHA = actually (Really!)

Horrible, horrible threat... (2, Interesting)

mrdogi (82975) | more than 2 years ago | (#40777843)

The backdoor component calls home to the IP address 176.58.100.37 every five minutes, awaiting instructions. The threat was created in a way that is intended to make reverse engineering more difficult...

However, blocking the threat is as simple as an ACL on your router...

Re:Horrible, horrible threat... (0)

Anonymous Coward | more than 2 years ago | (#40777889)

Can it be done with a hosts file?

Re:Horrible, horrible threat... (2)

hcs_$reboot (1536101) | more than 2 years ago | (#40777949)

Nope. The hosts file is used to resolve a host name locally (e.g. not via a DNS server).

Re:Horrible, horrible threat... (0)

Anonymous Coward | more than 2 years ago | (#40777951)

no because it's not a hostname, you have to do it with a router or firewall

Re:Horrible, horrible threat... (2)

SJHillman (1966756) | more than 2 years ago | (#40778037)

No, but it can be done with wire cutters.

Re:Horrible, horrible threat... (1)

hcs_$reboot (1536101) | more than 2 years ago | (#40777977)

The address seems to be located in the UK. Try to arrange a chat at this address, and you get yourself a way to learn the 9 yo UK English :-)

Re:Horrible, horrible threat... (1)

ColdWetDog (752185) | more than 2 years ago | (#40778015)

However, blocking the threat is as simple as an ACL on your router...

This time. Next week it's a different address. So now you're playing Whack-a-mole?

Sounds like a vaguely familiar strategy....
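The thread above makes two points a defender should act on: a hosts file cannot block a bare IP address (it only maps names), and a router ACL for 176.58.100.37 stops working the moment the operator moves to a new address. The following added example (not code from the Slashdot discussion, Intego or Sophos) shows a small detector that covers both cases: it matches outbound connections against a known-bad address list and, independently of any address, flags flows that beacon at a regular interval, which is the "every five minutes" behaviour the summary describes. The log format, the internal hosts, and the second destination 203.0.113.10 are all constructed for the example; only 176.58.100.37 comes from the page.

```python
"""Flag outbound flows that hit a known C2 address or beacon on a fixed timer.

Added example; the log format below is an assumed, constructed one:
    <ISO-8601 timestamp> src=<ip> dst=<ip> dport=<port>
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")

# Constructed sample: one host checks in with 176.58.100.37 every ~5 minutes,
# another host talks to a documentation-range address at irregular times.
SAMPLE_LOG = """\
2012-07-25T10:00:02 src=192.168.1.20 dst=176.58.100.37 dport=80
2012-07-25T10:00:15 src=192.168.1.21 dst=203.0.113.10 dport=443
2012-07-25T10:05:01 src=192.168.1.20 dst=176.58.100.37 dport=80
2012-07-25T10:07:40 src=192.168.1.21 dst=203.0.113.10 dport=443
2012-07-25T10:10:03 src=192.168.1.20 dst=176.58.100.37 dport=80
2012-07-25T10:15:02 src=192.168.1.20 dst=176.58.100.37 dport=80
2012-07-25T10:19:58 src=192.168.1.21 dst=203.0.113.10 dport=443
2012-07-25T10:20:01 src=192.168.1.20 dst=176.58.100.37 dport=80
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "dport": int(dport)}


def detect_beacons(log_text, known_c2=frozenset({"176.58.100.37"}),
                   min_hits=4, max_jitter=0.10):
    """Return one finding per (src, dst) flow that is suspicious.

    A flow is reported if the destination is on the known-bad list (the ACL
    case) or if it has at least `min_hits` connections whose gaps vary by no
    more than `max_jitter` (relative standard deviation), which catches a
    timer-driven check-in even after the address changes.
    """
    flows = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec:
            flows[(rec["src"], rec["dst"])].append(rec["ts"])

    findings = []
    for (src, dst), stamps in sorted(flows.items()):
        reasons = []
        if dst in known_c2:
            reasons.append("known C2 address")
        stamps.sort()
        interval = None
        if len(stamps) >= min_hits:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_jitter:
                interval = round(avg)
                reasons.append(f"periodic beacon every ~{interval}s")
        if reasons:
            findings.append({"src": src, "dst": dst, "hits": len(stamps),
                             "interval_s": interval, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']} ({f['hits']} hits): {', '.join(f['reasons'])}")
```

Run it against real connection logs exported from the firewall or from an egress proxy; the periodicity check is the part worth keeping, since a blocklist entry only holds for as long as the address does. Loosen `max_jitter` if the malware adds random sleep, and raise `min_hits` on busy networks to cut down on false positives from legitimate pollers such as update checks.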

Re:Horrible, horrible threat... (1)

CanHasDIY (1672858) | more than 2 years ago | (#40778129)

The backdoor component calls home to the IP address 176.58.100.37 every five minutes, awaiting instructions. The threat was created in a way that is intended to make reverse engineering more difficult... However, blocking the threat is as simple as an ACL on your router...

Assuming the only access your machine has to the internet is via said router...

Who is willing to bet... (0)

Anonymous Coward | more than 2 years ago | (#40777903)

That that IP comes under an extremely heavy DDOS about now?

Re:Who is willing to bet... (3, Funny)

Anonymous Coward | more than 2 years ago | (#40778081)

How? From all the Mac users who know how to do that?

*said while holding up "sarcasm" sign*

Mac Trojan Installs Silently, No Password Required (2, Funny)

Anonymous Coward | more than 2 years ago | (#40777919)

That's not a trojan, that's Mountain Lion.

Little Snitch Works! (2)

BoRegardless (721219) | more than 2 years ago | (#40777975)

To catch outgoing calls.

Linode UK (-1)

Anonymous Coward | more than 2 years ago | (#40778051)

That's a Linode UK IP address

naming conventions (2)

slashmydots (2189826) | more than 2 years ago | (#40778071)

So they just assign these viruses an arbitrary nickname, right? I think "Crisis" was a pretty funny shot at Apple, seeing as how they refuse to admit the last month or two has been one for them because of viruses. But if anyone can just randomly assign it a name, why not go all the way and name it Lol@Apple then the next one Lol@Apple2 etc?

How can reverse engineering be difficult? (2)

Viol8 (599362) | more than 2 years ago | (#40778147)

Disassemble it and follow the code. Even if some of the code is encrypted something in the virus will have to decrypt it before it can be run and you'll have that on hand too.

I'm not saying it's easy but it's not protected by some magic ward.

Re:How can reverse engineering be difficult? (0)

Anonymous Coward | more than 2 years ago | (#40778371)

it's harder than you think for sure.

The code detects the debugger and changes its behavior or disables the debugger. The debugger has to use registers in the CPU as well.

Their code looks for known debuggers in the various registers and constantly wipes out various things the debugger has flagged in the CPU.

Ultimately these tools decrypt their payload so you can't just dump the raw binary. You have to get them to run and decrypt the payload without detecting that you're using a debugger. That's actually pretty damn hard and where most of the time is spent.

It's like trying to catch a kid picking his nose. He only does it when you're not watching. You have to be sneaky.

Re:How can reverse engineering be difficult? (3, Informative)

Viol8 (599362) | more than 2 years ago | (#40778465)

"The code detects the debugger and changes its behavior or disables the debugger."

Code can't detect being disassembled because it's not being run.

"Ultimately these tools decrypt their payload so you can't just dump the raw binary. You have to get them to run and decrypt the payload without detecting that you're using a debugger. That's actually pretty damn hard and where most of the time is spent."

Understood, but if you have the assembler code that does the initial decryption on hand then you just rip out the decryption part and run it on the payload.

Ultimately you can always single step through each instruction and the program simply won't have a chance to wipe debugger information because you'll see it about to do it before it happens and can break at that point.

Re:How can reverse engineering be difficult? (1)

swb (14022) | more than 2 years ago | (#40778503)

Are there any tools for doing this with a hypervisor or some other 100% emulated environment, or perhaps kernel trace modules that are capable of this in a way hard or impossible for a process to detect?

I would have thought by now that there would be completely invisible debugging environments via whatever method was necessary to accomplish it, either designed specifically for the security trade or for reverse engineering markets.

Re:How can reverse engineering be difficult? (2)

ceoyoyo (59147) | more than 2 years ago | (#40778573)

This is an antivirus company we're talking about.

The whole thing seems a little suspicious as yet. They "found" this trojan on a website security professionals use to share suspicious files, but haven't seen it in the wild? Intego's own article (http://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/) says they "have not yet seen if or how this threat is installed on a user’s system." Really? So how do they know it doesn't ask for a password? How do they know it's even real?

They go on to say lots of other things that don't really seem to be supported by other admissions in their article. Of course they end with a pitch to buy their software.

Another name, more details (3, Informative)

Anonymous Coward | more than 2 years ago | (#40778235)

It's called "Morcut" by Sophos [sophos.com] and they offer a free anti-virus product for Mac OS X.

They claim it's designed to access these things: mouse coordinates, instant messengers (for instance, Skype [including call data], Adium and MSN Messenger), location, internal webcam, clipboard contents, key presses, running applications, web URLs, screenshots, internal microphone, calendar data & alerts, device information, address book contents

User mode malware (4, Insightful)

tlhIngan (30335) | more than 2 years ago | (#40778315)

It seems more and more these days, that malware is becoming user-mode to avoid the nasty popups that comes with trying to gain administrator mode.

Which makes sense as a lot of stuff you need to do as malware can be done strictly as usermode without needing to get admin privileges. This one apparently checks to see if it can get admin or is running in a restricted user account.

So even malware these days are learning to be friendly and compatible with users who aren't admins and not requiring admin for everything.

Clever (1)

Sparticus789 (2625955) | more than 2 years ago | (#40778543)

"The latest threat further underlines the importance of protecting Macs against malware with an updated antivirus program as well as the latest security updates. That means you should start by getting OS X 10.8 Mountain Lion when it comes out Wednesday"

From the bottom of the article..... so is this an actual computer threat or a nefarious marketing ploy by Apple to make you upgrade?
