New Mac malware Crisis discovered just as Mountain Lion is due to ship - Get your FREE Anti-Virus for Mac from Sophos in the link below
By Simplex IT | Wednesday, July 25, 2012, 09:30
SophosLabs recently received a intriguing Mac malware sample, variously known as Crisis and Morcut.
We're still digging into the details of the malware itself, but the delivery mechanism is interesting.
The malware package arrived in a file named AdobeFlashPlayer.jar.
JAR stands for Java Archive. JAR files, which are structurally just
ZIP files with a special name, are used as a standardised way of
packaging and delivering Java software.
This makes it easy to deliver a Java program along with all the
programming libraries, configuration data, images and other supporting
stuff it needs.
Inside the malicious AdobeFlashPlayer.jar is a .class file named WebEnhancer, and two unassuming-looking files named win and mac.
Class files are to Java what EXE files are to Windows - they're the
compiled software components which run inside the Java Virtual Machine
(JVM). Unlike EXE files, however, they are inherently multi-platform.
The same .class file will run on OS X and Windows, for example, with the JVM providing the platform-specific software layer.
And cross-platform support is what the malware author is after here.
WebEnhancer program file has nothing to do with web browsing - instead,
it simply works out whether you have Windows or OS X, and chooses
between the win and mac files.
WebEnhancer is implemented as an applet: a special sort of Java program that runs inside a Java-enabled browser.
The author's inventiveness obviously ran out at this point: win is an installer for Windows malware (detected by Sophos as Mal/Swizzor-D), whilst mac is an installer for the Crisis, or Morcut, malware for OS X (detected by Sophos as OSX/Morcut-A).
The good news is that the WebEnhancer applet causes a digital
signature alert. This warns you that the applet is from an untrusted
publisher, and reminds you that "this application will run with
unrestricted access which may put your personal information at risk."
Of course, the Morcut malware itself doesn't have to be delivered
inside a JAR file - but the sample I looked at was packaged that way.
We'll let you know what we find as we dig into the Morcut malware. A
cursory examination suggests that it's going to be interesting (I was
going to say "fun", but that sounds all wrong!) for the analyst who got
Morcut has kernel driver components to help it hide, a backdoor
component which opens up your Mac to others on your network, a
command-and-control component so it can accept remote instructions and
adapt its behaviour, data stealing code, and more.
So, watch this space for further details if you're interested in the guts of modern Mac malware, and don't forget:
- Cybercrooks now consider Mac users to be worthwhile victims.
- Malware can easily target multiple platforms.
- WebEnhancers often aren't.
- If you don't need Java, uninstall it. That leaves one less convenience for malware writers.
- Don't blindly ignore certificate warnings.
- Don't feel left out if you're a Linux user.
Oh, and if you don't yet have anti-malware on your Mac, why not try the free Sophos Anti-Virus for Mac Home Edition?
(No registration, no password, no expiry. We don't even ask for an email address.)
If you're planning on picking up a brand new Mac when Mountain Lion drops later today, why not start off secure?