Crisis/MORCUT Mac OSX Malware



  • Rusli
    Rusli Posts: 1,019 Influencer



    I think Backdoor.Davinci.1 could be the similar with Mac OS X Morcut/Crisis.



    July 2012 virus activity review: the summer lull and a new threat to Mac OS

    August 1, 2012

    July 2012 saw an increased number of system infections by blocker Trojans; at the same time, because one of the largest BackDoor.Blackenergy botnets was brought down, spam traffic declined significantly. At the end of the month, Doctor Web discovered a cross-platform Trojan, dubbed BackDoor.DaVinci.1, targeting both Microsoft Windows and Mac OS X. It should be noted that this malware uses rootkit technologies to hide its processes and files in Mac OS X, which appears to be a unique phenomenon.


    The threat of the month: BackDoor.DaVinci.1

    On July 23 Doctor Web's anti-virus laboratory received a malware sample which turned out to be a multi-purpose backdoor comprising a large number of functional modules such as rootkit drivers used to hide the application in the system.

    BackDoor.DaVinci.1 is spread as the AdobeFlashPlayer.jar file, signed using an invalid digital certificate.


    The file determines the OS type and saves and launches an infected application in the compromised system—currently, Doctor Web's virus analysts have Trojan samples intended for Windows and Mac OS X. It is known that a version targeting mobile platforms also exists.


    The malware features a modular architecture: the main backdoor component is supplemented with an encrypted configuration file and rootkit drivers. These drivers enable the malicious application to conceal itself. All Trojan versions use the same configuration file containing the modules' settings.


    BackDoor.DaVinci.1 allows criminals to gain full control over an infected computer. In addition, the Trojan saves and transmits information about the infected machine to criminals, acts as a key logger, and can take screenshots and intercept e-mail, ICQ, Skype messages and data captured by a microphone or video camera connected to a computer. In addition, the backdoor has a large set of tools with which to bypass anti-virus software and firewalls, so it may run unnoticed in a system for a long time. Interestingly, BackDoor.DaVinci.1 for Mac OS X is the first instance of malware for the platform that uses rootkit technologies to hide its files and processes.


  • Rusli
    Rusli Posts: 1,019 Influencer

    Hi take note of the following...


    This is an excerpt from the article in TheRegister.



    Superworm Crisis eats Macs, VMware and - shock - Windows

    Don't panic, don't panic - OK, panic! Panic!

    By John Leyden

    Posted in Enterprise Security, 22nd August 2012 14:33 GMT


    Security watchers have discovered a virus strain that compromises VMware virtual machines as well as infecting Mac OS X and Windows computers and Windows Mobile devices. It demonstrates previously unseen capabilities in the process.

    The Crisis malware typically arrives in a Java archive file (.jar) and is typically installed by posing as a Flash Player Java applet to trick a victim into opening it.


    The archive contains executable files targeting Apple and Microsoft operating systems; the malware is able to detect which platform it is running on and serve up the correct variant.

    Once launched, the worm puts in place a rootkit to hide itself from view; installs spyware to record the user's every move on the computer; and opens a backdoor to the IP address, allowing miscreants to gain further access to the machine, according to a write-up of the threat by Kaspersky Lab. The malicious code also, unsurprisingly, survives across reboots.

    The Windows variant can kill off antivirus programs, log keypresses, download and upload files, take screengrabs, lift the contents of the user's clipboard, record from the computer's webcam and mic, and snoop on these applications: Firefox, Internet Explorer, Chrome, Microsoft Messenger, Skype, Google Talk and Yahoo! Messenger.

    The Apple-targeting variant is more or less the same: it monitors Adium, Mozilla, Firefox, MSN Messenger (for Mac) and Skype, and records keystrokes. On Mac OS X, at least, the user does not need administrative privileges to install the software although its functionality is affected if the logged-in punter has insufficient rights: with admin-level access, the virus can slot in the rootkit, for instance.

    Subsequent analysis of the malware by researchers at Symantec uncovered elaborate techniques in the Windows variants that allow it to spread onto virtual machines and Microsoft-powered smartphones.

    Crisis uses three methods to spread itself from Windows desktops: it can copy itself and an autorun.inf file to a removable drive in order to infect the next machine the storage stick is plugged into; it can sneak onto virtual machines; and it can drop modules onto a Windows Mobile device.

    The threat searches for VMware virtual machine images on a compromised Windows PC and attempts to copy itself onto the system using a VMware Player tool. It does not use a vulnerability in the VMware software, but rather relies on a feature that allows the virtual machine's files to be manipulated even when the virty system is not running.

    Virtualisation technology is widely used by security vendors - it allows them to create a sandbox in which they can probe and toy with captured wild software nasties without (ideally) infecting their host workstations. As a result many strains of malware are programmed to stop running once they find themselves in a virtualised environment to avoid being examined.

    OSX-Crisis seems to be a proof-of-concept code designed to probe virtualised environments for weaknesses, according to Symantec.

    "This may be the first malware that attempts to spread onto a virtual machine. Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed, so this may be the next leap forward for malware authors," Symantec researcher Takashi Katsuki concludes.

    Crisis also spreads from compromised Windows boxes by dropping modules onto Windows Mobile devices once they are connected to infected computers. The malware uses Microsoft's Remote Application Programming Interface (RAPI), so it only affects Windows Mobile devices and not Android or iPhone devices, neither of which support the technology.

    A full write-up of the latest analysis on the potent malware can be found in a blog post by Symantec here. ®


    The article reported in TheInquirer.



    Crisis malware is more dangerous than first thought
    Symantec warns Trojan is capable of infecting VMware virtual machines and Windows Mobile devices
    Wed Aug 22 2012, 17:44

    THE HIGH-PROFILE Crisis Trojan is more dangerous than first thought, as it has now emerged that as well as infecting Mac computers, it is also capable of infecting VMware virtual machine images, Windows Mobile devices and removable USB drives.

    Crisis was originally uncovered in July targeting businesses with social engineering attacks that trick users into running a malicious Java applet.

    Symantec has since revealed that the malware has more advanced capabilities, letting it search for and copy itself onto VMware virtual machine (VM) images on compromised computers.

    Once on the VM images the malware can reportedly steal and intercept data from virtual machines including financial information.

    "We've discovered it getting onto VM systems not via exploits but by copying itself into the VM code," Symantec senior security response manager Peter Coogan told The INQUIRER.

    "We haven't seen this before [...] they're increasing the amount of information the spyware can gather."

    Symantec also reported discovering the malware installing rogue modules on Windows Mobile devices connected to compromised systems, though the purpose of the modules remains unknown.

    Coogan went on to clarify that Crisis "is incredibly complex and likely created by an advanced group", warning that its full capabilities remain unknown.

    Despite its sophisticated nature, Crisis is believed to have infected a number of systems. Kaspersky Lab has reported discovering the malware on 21 systems located in Italy, Mexico, Iran, Turkey, Iraq, Oman, Brazil, Kazakhstan, Kyrgyzstan and Tajikistan, said Kaspersky Lab malware expert Sergey Golovanov. µ


    From CNET Security reports.



    'Crisis' malware targets VMware virtual machines

    Single piece of malware targets both Windows and OSX users and is capable of spreading to VMware virtual machines and Windows Mobile devices.


    August 21, 2012 8:35 PM PDT

    Security researchers have discovered a single piece of malware that is capable of spreading to four different platform environments, including Windows, Mac OSX, VMware virtual machines, and Windows Mobile devices.

    First uncovered last month by security company Integro, Crisis was originally described as a Mac Trojan capable of intercepting e-mails and instant messages and tracking Web sites visited. Additional scrutiny by Symantec has found that the malware targets both OSX and Windows users with executable files for both operating systems.

    Crisis is distributed using social engineering techniques designed to trick users into installing a JAR, or Java archive, file masquerading as an Adobe Flash installer. The malware then identifies the computer's OS and installs the corresponding executable (see diagram below).

    (Credit: Symantec)

    "This may be the first malware that attempts to spread onto a virtual machine," Takashi Katsuki, a researcher with antivirus provider Symantec, wrote in a blog post Monday. "Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed, so this may be the next leap forward for malware authors."

    Crisis spreads by searching for a VMware virtual machine image on the compromised computer. When it finds such an image, the malware copies itself onto the image using the VMware Player tool, which allows multiple operating systems to run on the same computer.


    "It does not use a vulnerability in the VMware software itself," Katsuki wrote. "It takes advantage of an attribute of all virtualization software: namely that the virtual machine is simply a file or series of files on the disk of the host machine. These files can usually be directly manipulated or mounted, even when the virtual machines is not running."

    The Windows version of Crisis can also spread to Windows Mobile devices connected to compromised computers by installing a module on the device. However, because it uses the Remote Application Programming Interface, it does not affect Android or iOS devices.

    "We currently do not have copies of these modules and hence we are looking for them so we can analyze them in greater detail," Katsuki wrote.

    Symantec said the malware has infected fewer than 50 machines.


This discussion has been closed.