A new Trojan affecting Apple systems has been discovered. Though it's not yet in the wild, it could represent what future threats against Mac OSX endpoints may look like.
In a statement Tuesday, Bellevue, Wash.-based Apple platform security vendor Intego Inc. called the newly discovered Crisis Trojan,
OSX/Crisis has not been found in the wild and has been assigned a low-risk level by Intego's research team. According to Intego, OSX/Crisis is a dropper Trojan that creates a back door when run. It installs itself without user permission and is virtually impossible for the average user to detect if installed with root permission.
The Mac OSX Trojan creates randomly named files and folders to complete its tasks – 17 when it's run with administrative permissions, and 14 when it's run without them. However, some file names, Intego said, do appear consistently.
With administration permissions, this folder is created: /System/Library/Frameworks/Foundation.frame work/XPCServices/
With or without administrative permissions, this folder is created: /Library/ScriptingAdditions/appleHID/
Samples of OSX/Crisis malware were discovered on VirusTotal, a site used to identify different kinds of malware. According to Lysa Myers, a virus hunter at Intego, “it seems most likely that this malware is part of a commercial package that has been primarily sold to government agencies in the U.S. and Europe, and several companies within those countries.”
Myers also said this information has led Intego to believe the Crisis Trojan is likely to be used in a targeted attack, instead of spreading widely.
The Trojan runs in OSX versions Leopard 10.5, Snow Leopard 10.6 and Lion 10.7. However, it has a tendency to crash on OSX 10.5. Intego has stated the threat does not run on Mountain Lion 10.8.
Intego VirusBarrier X6 has already been updated to detect and remove the malware, and Intego had urged its customers to update their signatures as soon as possible.