While the mode of infection is currently unknown, this new threat has uniquenesses over past malware for OS X.
A new script-based malware threat for OS X has been uncovered by security company Intego. The malware, called OSX/Crisis, has so far not been found “in the wild,” but it has the potential to do harm.
Apparently the threat only runs on OS X 10.6 and 10.7 machines, and while it does not require a password to install, if a password is provided then the mode of infection changes. Most of the installed files are randomly named, though in all cases the malware appears to install a file called “appleHID” in the /Library/ScriptingAdditions/ directory. If a password is supplied and the installer gets root permissions, then the malware will additionally locate the system’s Foundation framework and install a malware package called “com.apple.mdworker_server.xpc” within it.
The parent directories where these files are installed are the following:
Macintosh HD/Library/ScriptingAdditions/
Macintosh HD/System/Library/Frameworks/Foundation.framework/XPCServices/
Intego provides no information about what the malware looks like when it is first encountered — whether it is a fake installer posing as a legitimate program, or a drive-by-download similar to later variants of the Flashback malware. However, once installed, the malware will continuously run even when the system is rebooted, and contact a remote server every 5 minutes, which presumably could be used to send instructions to the infected machine.
Unlike prior OS X malware, this new threat is created in ways to make reverse engineering and identification more difficult, and uses low-level system calls to help disguise its activity.
Overall while this is a new threat for OS X with some unique features, unlike others it has not been found on any OS X machines. Its distribution is therefore very low if nonexistant at the moment, and malware definitions for it should soon be available to malware scanning tools so be sure to keep them updated if you have one installed.
