Two new pieces of malware for OS X discovered

Sophos discovered a new piece of malware that finds it way onto a users system through a phishing attack. A user will receive an email from a courier company stating there is a package waiting for you and there is a link in the message that looks like it will download a copy of the package paperwork. Clicking the link redirects the user to a compromised domain and they end up with a malicious file on their Mac, this file poses as a PDF but an application (something that can be spotted right away if you enable a Finder feature described here) that will install all kinds of nasties on the machine. For more detailed information read the article by Sophos. I have tried to get more information about the malware but the author appears to be somewhat of a control freak when it comes to approving comments. The comments that are allowed show little relevant information and cover an Apple Store employee, insulted author and an insulin-pump-like implant amongst other things. Yeah, great help!

As more relevant information becomes available I will write about it and I’ll also incorporate a sample of this malware in my antivirus test as soon as possible. The malware is signed with a developer ID so OS X’s gatekeeper is of little use until Apple revokes the ID. [Update: Thank you Lars for pointing me in the right direction, I have the samples and will update the test soon] [Update 2: Apple has revoked the Developer ID that was used to sign the malware]

That same day, Intego reported on a new sample of OSX/Crisis, a name that has been seen a few times before. This new version has a few new tricks up it’s sleeve but it’s basically still a backdoor allowing attackers access to the system. It’s able to alter Activity Monitor to hide itself, takes screenshots, captures audio and video and more. This malware hides well and is not signed by a developer ID. As it is currently unknown exactly how a machine is infected it’s not known if OS X’s built-in defenses like gatekeeper will be of any help. I have not been able to do much testing on this malware sample as it is believed the executable part of the sample is damaged, until a working sample is found I can not replicate a real infection. Manual extraction of the files was done however and both the sample itself and the trace files were added to the antivirus test which will be published in the next few days. For now OS X users on 10.8 Mountain Lion or 10.9 Mavericks appear to be safe from this particular piece of malware, users with OS X versions 10.5 – 10.7 that have been targeted and infected with this malware are vulnerable though. It is unknown if an infected user can disable the malware by upgrading to 10.8 or 10.9 but for a few reasons other than this one it is recommended to upgrade if you can. More info on Intego’s blog here.

The year has only just started but we now already have two pretty sophisticated pieces of malware available for OS X. One based on what appears to be a good foundation as the creators keep using it after a few small tweaks (OSX/Crisis). This may become and interesting year in OS X malware discoveries. I will continue updating my antivirus test as new samples or major application updates become available, the latest version of the test results can be found here.