New Mac malware Crisis discovered just as Mountain Lion is due to ship - Get your FREE Anti-Virus for Mac from Sophos in the link below


By Simplex IT | Wednesday, July 25, 2012, 09:30

SophosLabs recently received an intriguing Mac malware sample, variously known as Crisis and Morcut.

We're still digging into the details of the malware itself, but the delivery mechanism is interesting.

The malware package arrived in a file named AdobeFlashPlayer.jar.

JAR stands for Java Archive. JAR files, which are structurally just ZIP files with a special name, are used as a standardised way of packaging and delivering Java software.

This makes it easy to deliver a Java program along with all the programming libraries, configuration data, images and other supporting stuff it needs.

Inside the malicious AdobeFlashPlayer.jar is a .class file named WebEnhancer, and two unassuming-looking files named win and mac.

Class files are to Java what EXE files are to Windows - they're the compiled software components which run inside the Java Virtual Machine (JVM). Unlike EXE files, however, they are inherently multi-platform.

The same .class file will run on OS X and Windows, for example, with the JVM providing the platform-specific software layer.

And cross-platform support is what the malware author is after here.

The WebEnhancer program file has nothing to do with web browsing - instead, it simply works out whether you have Windows or OS X, and chooses between the win and mac files.

WebEnhancer is implemented as an applet: a special sort of Java program that runs inside a Java-enabled browser.

The author's inventiveness obviously ran out at this point: win is an installer for Windows malware (detected by Sophos as Mal/Swizzor-D), whilst mac is an installer for the Crisis, or Morcut, malware for OS X (detected by Sophos as OSX/Morcut-A).
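The packaging described above (a JAR that is really a ZIP, one launcher .class, and two non-Java payload files named for their target platforms) is something a defender can spot by inspection. The following is an added triage example, not Sophos's code or anything from the sample: it builds a constructed JAR with the same layout (placeholder bytes, not malware), then reports whether the archive carries a signature and which non-class entries start with a native executable header.

```python
import io
import zipfile

# Magic bytes at offset 0 that mark a native executable. 0xCAFEBABE is
# shared by Java .class files and universal (fat) Mach-O binaries, so it is
# only telling for entries that are NOT named *.class.
MAGIC = {
    b"MZ": "Windows PE",
    b"\xcf\xfa\xed\xfe": "Mach-O (64-bit)",
    b"\xce\xfa\xed\xfe": "Mach-O (32-bit)",
    b"\xca\xfe\xba\xbe": "Universal Mach-O (or Java class)",
}

def build_sample_jar() -> bytes:
    """Constructed sample mimicking the layout in the post: one applet class
    plus 'win' and 'mac' payloads. Contents are header bytes plus padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
        zf.writestr("WebEnhancer.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
        zf.writestr("win", b"MZ" + b"\x00" * 32)
        zf.writestr("mac", b"\xcf\xfa\xed\xfe" + b"\x00" * 32)
    return buf.getvalue()

def triage_jar(data: bytes) -> dict:
    """Summarise a JAR: is it signed (any META-INF signature block), which
    .class files it holds, and which other entries look like native code."""
    findings = {"signed": False, "classes": [], "native_payloads": {}}
    sig_suffixes = (".SF", ".RSA", ".DSA", ".EC")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.upper().endswith(sig_suffixes):
                findings["signed"] = True
            elif name.endswith(".class"):
                findings["classes"].append(name)
            elif not name.endswith("/"):  # skip directory entries
                with zf.open(name) as fh:
                    head = fh.read(4)
                for magic, label in MAGIC.items():
                    if head.startswith(magic):
                        findings["native_payloads"][name] = label
                        break
    return findings

if __name__ == "__main__":
    print(triage_jar(build_sample_jar()))
```

An unsigned JAR whose non-class entries carry PE and Mach-O headers is exactly the shape this sample took; the same check can be pointed at any .jar pulled from a browser cache or mail gateway.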

The good news is that the WebEnhancer applet causes a digital signature alert. This warns you that the applet is from an untrusted publisher, and reminds you that "this application will run with unrestricted access which may put your personal information at risk."

Of course, the Morcut malware itself doesn't have to be delivered inside a JAR file - but the sample I looked at was packaged that way.

We'll let you know what we find as we dig into the Morcut malware. A cursory examination suggests that it's going to be interesting (I was going to say "fun", but that sounds all wrong!) for the analyst who got the job.

Morcut has kernel driver components to help it hide, a backdoor component which opens up your Mac to others on your network, a command-and-control component so it can accept remote instructions and adapt its behaviour, data stealing code, and more.

So, watch this space for further details if you're interested in the guts of modern Mac malware, and don't forget:

  • Cybercrooks now consider Mac users to be worthwhile victims.
  • Malware can easily target multiple platforms.
  • WebEnhancers often aren't.
  • If you don't need Java, uninstall it. That leaves one less convenience for malware writers.
  • Don't blindly ignore certificate warnings.
  • Don't feel left out if you're a Linux user.

Oh, and if you don't yet have anti-malware on your Mac, why not try the free Sophos Anti-Virus for Mac Home Edition?

(No registration, no password, no expiry. We don't even ask for an email address.)

If you're planning on picking up a brand new Mac when Mountain Lion drops later today, why not start off secure?

http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx
