Integrated cybercrime prevention/solution provider, ThreatMetrix, released a report “Professional OS X Malware – A Reality,” on Aug. 10, 2012 that details the severity of a current malware trend penetrating the walls of Apple’s OS X operating system.
First discovered in late July by Intego, the malware known as “Crisis/OSX” is described as elegantly written and sophisticated Trojan code. The report not only identifies numerous helper agent classes, but also explores the new threat of fraudulent behavior aimed at Apple.
According to Intego, the malware allows the person operating it to:
- Spy on Skype audio traffic and record all conversations and phone calls.
- Spy on Safari or Firefox browsers to record URLs and screenshots.
- Record IM messages in both MS Messenger and Adium.
- Send file content to the control server.
“Apple has always been known for its virus immunity, but as technology develops very quickly, cybercrime matches the pace,” said Andreas Baumhof, chief technology officer, ThreatMetrix. “This is a big jump from what has been seen in the past, and it should make users think twice about protecting themselves against malware on their OS X devices.”
Apple has recently changed its tune, however, with the OS X Mountain Lion which now includes three new security features:
- Gatekeeper – Makes it safer to download apps by protecting users from inadvertently installing malicious software on their Mac.
- App Sandbox – Ensures that apps only do what they’re intended for by isolating the app from critical system components in the Mac.
- FileVault 2 – Encrypts the entire drive of users’ Macs, protecting data with XTS-AES 128 encryption.
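Since the article names the three Mountain Lion controls without saying how an administrator would confirm they are actually switched on, here is an added audit script (not from the ThreatMetrix or Intego report). It assumes the real macOS tools `spctl --status`, `fdesetup status` and `codesign -d --entitlements :-`, and the path `/Applications/Safari.app`, as the things to inspect; the parsing functions take the command output as an argument, so they can be exercised offline against the constructed sample strings embedded below when those tools are not present.

```shell
#!/bin/sh
# Added audit example (not part of the original article or either vendor's report).
# Each parser takes the tool's output as $1 so it runs offline with constructed samples.

# spctl --status prints "assessments enabled" when Gatekeeper is enforcing.
gatekeeper_on() {
  case "$1" in
    *"assessments enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}

# fdesetup status prints "FileVault is On." when the boot volume is encrypted.
filevault_on() {
  case "$1" in
    *"FileVault is On"*) return 0 ;;
    *) return 1 ;;
  esac
}

# A sandboxed app's entitlements plist carries com.apple.security.app-sandbox = true.
# Whitespace is stripped first so pretty-printed plists match the same pattern.
app_sandboxed() {
  printf '%s\n' "$1" | tr -d ' \n\t' \
    | grep -q '<key>com.apple.security.app-sandbox</key><true/>'
}

# Summarise all three checks on one line, e.g. "gatekeeper=on filevault=off sandbox=on".
audit_report() {
  gk=off; fv=off; sb=off
  gatekeeper_on "$1" && gk=on
  filevault_on "$2" && fv=on
  app_sandboxed "$3" && sb=on
  printf 'gatekeeper=%s filevault=%s sandbox=%s\n' "$gk" "$fv" "$sb"
}

# Constructed sample outputs (assumed shapes, used when the macOS tools are absent).
SAMPLE_GATEKEEPER='assessments enabled'
SAMPLE_FILEVAULT='FileVault is Off.'
SAMPLE_ENTITLEMENTS='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>'

if command -v spctl >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
  gk_out=$(spctl --status 2>&1 || true)
  fv_out=$(fdesetup status 2>&1 || true)
  # Assumed target app; substitute any bundle you want to check for sandboxing.
  ent_out=$(codesign -d --entitlements :- /Applications/Safari.app 2>/dev/null || true)
else
  gk_out=$SAMPLE_GATEKEEPER
  fv_out=$SAMPLE_FILEVAULT
  ent_out=$SAMPLE_ENTITLEMENTS
fi

audit_report "$gk_out" "$fv_out" "$ent_out"
```

On a Mac the script reports the live state; anywhere else it falls back to the samples, which is how a fleet-wide check (run over collected command output rather than on each host) would consume the same parsers. Note that Gatekeeper only governs what is launched through the quarantine path and FileVault only protects data at rest, so a "gatekeeper=on filevault=on" line says nothing about malware that is already running as the user.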
“While the OS X Mountain Lion does include new security features known as Gatekeeper, the App Sandbox and FileVault 2, Apple should not take the security of its operating system for granted,” said Baumhof. “This particular piece of malware is very well written, making it difficult for cybersecurity experts to engineer. This can lead to extensive OS X damage and security breaches for OS X users.”
In ThreatMetrix’s report, the company says the malware consists of a loader neatly hidden in a special segment of the binary, which creates the following:
- A kernel driver
- An image
- A binary data file
- 2 universal binaries
- 1 i386 binary
Upon further inspection, Intego said there are sections of code that point to this being part of a commercial malware package, mostly sold in the U.S. and Europe. The company said to be responsible for the malware package is called Remote Control System DaVinci.
“From a technical perspective, this is a very advanced and fully functional threat. Due to the apparent cost [200,000 euros] of this malware package, it’s unlikely that this will be more than a targeted attack,” said an Intego spokesperson. “But if you are the intended target, it’s very important that you have good security measures. Most vendors now have protection for the known components, but it’s unlikely that this is the last version of this malware (or its installation packages) that we will see.”