Both firms say the malware is newly discovered and investigation is ongoing; so few details are yet available. The Intego report describes the malware’s evasion techniques, such as ‘low-level system calls to hide its activities.’ “This sort of anti-analysis technique is common in Windows malware, but is relatively uncommon for OS X malware,” says Intego.
The Windows background is corroborated by Sophos. Delivery of the sample currently being analyzed by Sophos was via a file called AdobeFlashPlayer.jar. Inside the archive are ‘WebEnhancer’ and ‘mac’ and ‘win’ files. WebEnhancer simply works out whether the operating system is OS X or Windows, and runs either the mac or win files (‘else... exit’ – so Linux users needn’t worry – says the code). For Windows, “win is an installer for Windows malware (detected by Sophos as Mal/Swizzor-D)” says Sophos, “whilst mac is an installer for the Crisis, or Morcut, malware for OS X (detected by Sophos as OSX/Morcut-A).”
Analysis of Crisis/Morcut is now beginning in earnest. Existing details are meager and a little confusing. Sophos notes that it “has kernel driver components to help it hide, a backdoor component which opens up your Mac to others on your network, a command-and-control component so it can accept remote instructions and adapt its behavior, data stealing code, and more.” Intego gives no details on how their sample was delivered, but says it “found samples of this malware on the VirusTotal website,” and that the “threat has not yet been found in the wild.” This leaves the question about who submitted the trojan to VirusTotal unanswered. It is unlikely to be the developer since he or she knows the malware will immediately be circulated to the AV companies. So was it a user – in which case the malware could be in the wild?
Mac security specialist David Harley told Infosecurity that it could have been a suspicious user, who submitted a suspect file without actually installing it. “Someone who submits a suspicious sample won’t necessarily let it execute, even if no AV detects it as malicious.” So it may be out there, but not technically ‘in the wild’ since it is not yet actively spreading. If it does start to spread, one worrying feature noted by Intego is that it doesn’t prompt the user for a password. The sample found by Sophos, inside the jar file, triggers a certificate warning; but it is the jar file rather than the Crisis/Morcut malware that does this.
One line of investigation might involve the IP address found in the malware. “The backdoor component calls home to the IP address 126.96.36.199 every 5 minutes, awaiting instructions,” explains Intego. According to WHOIS, this address is administered by Linode LLC; a virtual hosting company with an abuse address in New Jersey. This should at least provide an initial line of enquiry.
In the meantime, the bad news is that this malware confirms that OS X is now considered a serious target by the criminals. The good news is that both Intego and Sophos anti-malware can detect it, and it doesn’t seem likely that it will run on the new OS X Mountain Lion due out today.