Saturday, July 28, 2012

New Mac Malware Spies on You!!

 SophosLabs recently received a intriguing Mac malware sample, variously known as Crisis and Morcut.

Thee're still digging into the details of the malware itself, but the delivery mechanism is interesting.

The malware package arrived in a file named AdobeFlashPlayer.jar.
JAR stands for Java Archive. JAR files, which are structurally just ZIP files with a special name, are used as a standardised way of packaging and delivering Java software. 

This makes it easy to deliver a Java program along with all the programming libraries, configuration data, images and other supporting stuff it needs.

Inside the malicious AdobeFlashPlayer.jar is a .class file named WebEnhancer, and two unassuming-looking files named win and mac.

Class files are to Java what EXE files are to Windows - they're the compiled software components which run inside the Java Virtual Machine (JVM). Unlike EXE files, however, they are inherently multi-platform. The same .class file will run on OS X and Windows, for example, with the JVM providing the platform-specific software layer.And cross-platform support is what the malware author is after here.

The WebEnhancer program file has nothing to do with web browsing - instead, it simply works out whether you have Windows or OS X, and chooses between the win and mac files.

WebEnhancer is implemented as an applet: a special sort of Java program that runs inside a Java-enabled browser.

The author's inventiveness obviously ran out at this point: win is an installer for Windows malware (detected by Sophos as Mal/Swizzor-D), whilst mac is an installer for the Crisis, or Morcut, malware for OS X (detected by Sophos as OSX/Morcut-A).

The good news is that the WebEnhancer applet causes a digital signature alert. This warns you that the applet is from an untrusted publisher, and reminds you that "this application will run with unrestricted access which may put your personal information at risk."

Of course, the Morcut malware itself doesn't have to be delivered inside a JAR file - but the sample I looked at was packaged that way.

Other Spying function include the monitoring of :
  • Mouse coordinates
  • Location
  • Clipboard contents
  • Key presses
  • Running applications
  • Web URLs
  • Screenshots
  • Calendar data & alerts
  • Device information
  • Address book contents
 Morcut has kernel driver components to help it hide, a backdoor component which opens up your Mac to others on your network, a command-and-control component so it can accept remote instructions and adapt its behaviour, data stealing code, and more.
So, watch this space for further details if you're interested in the guts of modern Mac malware, and don't forget:
  • Cybercrooks now consider Mac users to be worthwhile victims.
  • Malware can easily target multiple platforms.
  • WebEnhancers often aren't.
  • If you don't need Java, uninstall it. That leaves one less convenience for malware writers.
  • Don't blindly ignore certificate warnings.
  • Don't feel left out if you're a Linux user.
Oh, and if you don't yet have anti-malware on your Mac, why not try the free Sophos Anti-Virus for Mac Home Edition?
(No registration, no password, no expiry. They don't even ask for an email address.)

Source from Sophos


Post a Comment