updated 07:07 pm EDT, Tue July 24, 2012
Crisis Trojan yet to appear in the wild
Security firm Intego's virus team has identified a new trojan horse malware targeting the Mac platform. The trojan, called Crisis, has yet to be seen in the wild, but Intego says it is engineered to make analysis of the malware difficult for security experts. Intego has stressed alertness regarding the new malware, as it appears to be able to bypass OS X security features and install itself with no user interaction.
Crisis has been traced back to the IP address 126.96.36.199, which it calls back to every five minutes for instructions. Only OS X versions 10.6 and 10.7 are said to be susceptible to the malware, which can install and run itself without the need for the user to enter a password. Since the malware is resistant to reboots, it will run until it is detected and removed. If the program is installed on a user account with root permissions, it will install additional programs to hide itself.
With or without root access, Crisis installs the following file: /Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r
When Crisis has root access, it installs two files: /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server and /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources/
Intego says that the malware was created in a way that makes reverse engineering tools more difficult when analyzing it. Anti-analysis measures of this sort are said to be more common for Windows malware but relatively uncommon for programs targeting Macs. Intego has updated its VirusBarrier X6 software to guard against this malware and other definitions dated July 24, 2012 or later.