The Latest in IT Security

Crisis for Mac


Symantec – A new Macintosh malware is making the rounds.

In the first half of 2012, we saw an increase in the number of Mac-based threats: the OSX.Flashback.K variant appeared, OSX.Sabpab was newly discovered, and OSX.Macontrol gained a new variant.

As we begin the second half of 2012, we would like to introduce you to a new instance of Mac malware: OSX.Crisis.

OSX.Crisis is a Trojan that installs a back door on compromised OS X systems. At the time of writing, we are not seeing this threat in the wild. We believe that the infection vector may rely primarily on social engineering, and at this point there is no reason to believe that a vulnerability is being used in conjunction with the threat. One possible method of installation is to trade on brand recognition, such as popular trademarks, to compel users to install the malware.

When this back door is installed, it can monitor the following programs:

  • Adium
  • Mozilla Firefox
  • MSN Messenger (for Mac)
  • Skype

Figure 1. Adium monitoring example

Figure 2. Mozilla Firefox monitoring example

Figure 3. Skype monitoring example

Figure 4. Keylogging functionality

The malware can perform the following actions:

  • Record traffic on MSN Messenger (for Mac) and Adium
  • Record Internet usage on Safari or Mozilla Firefox
  • Capture or record Skype sessions
  • Send confidential information to a command-and-control (C&C) server through a back door and receive commands

It also creates the following directories and files:

  • /System/Library/Frameworks/Foundation.framework/XPCServices/
  • /System/Library/Frameworks/Foundation.framework/XPCServices/
  • /Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r
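
A small sweep for the artifacts listed above, as an added example that is not Symantec's code: it checks a filesystem root (the live system or a mounted disk image) for the appleHID scripting addition and prints whatever sits in the XPCServices directory for manual review, because the list gives those two entries without file names. The function name `crisis_sweep` and the FOUND/REVIEW output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: sweep for the OSX.Crisis artifacts named in the list above.
# Usage: sh crisis_sweep.sh [ROOT]   (ROOT defaults to /; pass a mount point
# to inspect an offline image instead of the running system)

# Paths exactly as given on the page.
CRISIS_FILE="/Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r"
CRISIS_DIR="/System/Library/Frameworks/Foundation.framework/XPCServices"

# Prints one line per finding. Returns 1 if the appleHID artifact is present,
# 0 otherwise. XPCServices entries are only listed (REVIEW): the page does not
# name the files, so their presence alone is not treated as confirmation.
crisis_sweep() {
    root="${1:-/}"
    root="${root%/}"                      # "/" becomes "", so paths join cleanly
    found=0
    bundle="${root}/Library/ScriptingAdditions/appleHID"

    if [ -e "${root}${CRISIS_FILE}" ]; then
        echo "FOUND ${root}${CRISIS_FILE}"
        found=1
    elif [ -d "$bundle" ]; then
        # Bundle directory left behind without the resource file.
        echo "FOUND ${bundle} (bundle present, appleOsax.r missing)"
        found=1
    fi

    if [ -d "${root}${CRISIS_DIR}" ]; then
        # Include dotfiles; skip patterns that matched nothing.
        for entry in "${root}${CRISIS_DIR}"/* "${root}${CRISIS_DIR}"/.[!.]*; do
            [ -e "$entry" ] || continue
            echo "REVIEW ${entry}"
        done
    fi
    return "$found"
}

crisis_sweep "${1:-/}"
```

A non-zero exit status means the appleHID artifact was found under the given root; REVIEW lines need an analyst to compare the entries against a known-clean system of the same OS X version.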

It definitely appears to be an advanced threat in function but, because we do not see the infection vector in the wild at the time of this blog, the spread is low at the moment. Symantec has protection in place for OSX.Crisis with Norton 360 Everywhere, Norton One, and Norton Internet Security for Mac. Our Symantec Endpoint Protection and Symantec Endpoint Protection Small Business Edition products also offer the necessary protection. Users of our Norton AV products are encouraged to update their definitions.
