New Mac OS X malwares - OSX/Crisis DAVINCI rootkit

Senior Advisor

Go to these links to find out more:-

http://www.intego.com/mac-security-blog/category/malware/

http://www.intego.com/mac-security-blog/apple-ceo-android-malware/

http://www.intego.com/mac-security-blog/new-osx-crisis-variant-invokes-pope-francis/

New OSX/Crisis Variant Invokes Pope Francis
Posted on January 20th, 2014 by Arnaud Abbati

A new sample of OSX/Crisis, the too popular Da Vinci rootkit from Hacking Team, reached our Malware Lab during the weekend. We currently do not have information about the origin of the file on VirusTotal, named "Frantisek," but it is an Eastern European first name meaning Francis. Could it be related to Pope Francis?

Like the previous variants, OSX/Crisis.C is delivered through a dropper that installs silently, without requiring a password, and works on Mac OS X 10.5, 10.6, and 10.7. However, Hacking Team has updated some of the dropper code and the backdoor configuration file format.

The dropper executes an unusual segment: __INITSTUB. The original entry point EIP points to this code segment before reaching the almost empty _main function of the program. For this reason, an incautious researcher using a debugger could get infected without even noticing it. While it uses a different way to resolve system symbols, it crashes on OS X Mountain Lion or OS X Mavericks (segmentation fault). This might be a 64-bit bug in the malware.

Following is a screenshot of the resolved symbols hash of the dropper in IDA:

[Screenshot: OSX/Crisis.C, resolved symbols hash of the dropper in IDA]

When the dropper runs successfully, it hides the following files in the user's home directory (in the Library/Preferences folder), inside a fake application bundle called OvzD7xFr.app:

1 backdoor: 8oTHYMCj.XIl (32-bit)
1 configuration file: ok20utla.3-B
2 kernel extensions: Lft2iRjk.7qa (32-bit) and 3ZPYmgGV.TOA (64-bit)
1 scripting addition: EDr5dvW8.p_w (FAT)
1 XPC service: GARteYof._Fk (FAT)
1 TIFF image, a System Preferences icon ripped off the Linkinus preferences panel: q45tyh

Then it executes the backdoor and finishes the installation by creating a LaunchAgent file, com.apple.mdworker.plist. Similar to OSX/Crisis.B, this binary is obfuscated using the MPress packer.

It doesn't run on OS X 10.9, as it is linked against the Apple System Profiler private framework, SPSupport, which is now 64-bit only; an "Image not found" exception is raised, and then it crashes. Furthermore, on a supported target, the backdoor simply uninstalls its files and quits. This could be related to a corrupted configuration file (the sample one starts with NULL bytes).

Other than a few new tricks, the features implemented by the backdoor component are similar to previous variants: it patches the Activity Monitor application to hide itself, takes screenshots, captures audio and video, gathers user locations, connects to WiFi hotspots, syncs collected data with a Command and Control (C&C) server, and tricks the user using social engineering to gain System Administrator privileges and drop its rootkit.

At the time of this writing, the overall detection rate on VirusTotal is very low. Intego VirusBarrier with up-to-date malware definitions protects Mac users against this malware, detected as OSX/Crisis.C.

This entry was posted in Malware and tagged crisis, hacking team, Mac, osx, OSX/Crisis.C, rcs.

http://www.intego.com/mac-security-blog/why-the-flashback-botnet-is-a-threat/

http://www.intego.com/mac-security-blog/flashback-botnet-is-adrift/

http://www.intego.com/mac-security-blog/new-osx-crisis-business-cards-gone-wild/

http://www.intego.com/mac-security-blog/new-cross-platform-backdoor-trojans-used-in-targeted-attack/

http://www.intego.com/mac-security-blog/new-mac-trojan-discovered-related-to-syria/

http://www.intego.com/mac-security-blog/os-x-malware-tibet-variant-found/

http://www.intego.com/mac-security-blog/cross-platform-adware-poses-as-flash-player-update/

http://www.intego.com/mac-security-blog/details-of-malicious-ios-charger-presented-at-black-hat-conf...

http://www.intego.com/mac-security-blog/new-mac-malware-janicab-uses-old-trick-to-hide/

http://www.intego.com/mac-security-blog/how-malware-is-researched-part-2/
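The Intego write-up above says the Crisis.C dropper's initial EIP points into a custom __INITSTUB segment, so the payload runs before a debugger stopped at _main ever gets control. The check a practitioner wants before running such a sample is therefore "where does the initial thread actually start?". The following is an added example, not code from the Intego post or from Hacking Team: a small parser for the 32-bit x86 Mach-O header that walks the LC_SEGMENT commands, reads EIP out of LC_UNIXTHREAD and names the segment that contains it. The two sample binaries are constructed in memory (segment names, addresses and protections are made up; nothing from the real dropper is embedded), and only the 32-bit LC_UNIXTHREAD form the article refers to is handled, not LC_MAIN or 64-bit headers.

```python
"""Added example: locate the segment that holds a 32-bit Mach-O's initial EIP.

The sample Mach-O files built by build_sample() are constructed for this
example; the __INITSTUB name mirrors the segment Intego describes, the
addresses are invented.
"""
import struct

MH_MAGIC = 0xFEEDFACE                # 32-bit Mach-O, little-endian
MH_EXECUTE = 2
CPU_TYPE_X86 = 7
CPU_SUBTYPE_X86_ALL = 3
LC_SEGMENT = 0x1
LC_UNIXTHREAD = 0x5
X86_THREAD_STATE32 = 1
X86_THREAD_STATE32_COUNT = 16        # 16 uint32 registers in x86_thread_state32_t
EIP_INDEX = 10                       # eax,ebx,ecx,edx,edi,esi,ebp,esp,ss,eflags,eip,cs,ds,es,fs,gs
HEADER_FMT = "<7I"                   # magic,cputype,cpusubtype,filetype,ncmds,sizeofcmds,flags
SEGMENT_FMT = "<2I16s8I"             # cmd,cmdsize,segname,vmaddr,vmsize,fileoff,filesize,maxprot,initprot,nsects,flags


def parse_macho32(blob):
    """Return ([(segname, vmaddr, vmsize), ...], eip) for a 32-bit x86 Mach-O image."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != MH_MAGIC:
        raise ValueError("not a 32-bit little-endian Mach-O (magic 0x%08x)" % magic)
    off = struct.calcsize(HEADER_FMT)
    segments, eip = [], None
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmdsize < 8 or off + cmdsize > len(blob):
            raise ValueError("load command at 0x%x runs past end of file" % off)
        if cmd == LC_SEGMENT:
            name = blob[off + 8:off + 24].split(b"\0", 1)[0].decode("ascii", "replace")
            vmaddr, vmsize = struct.unpack_from("<2I", blob, off + 24)
            segments.append((name, vmaddr, vmsize))
        elif cmd == LC_UNIXTHREAD:
            flavor, count = struct.unpack_from("<2I", blob, off + 8)
            if flavor == X86_THREAD_STATE32 and count == X86_THREAD_STATE32_COUNT:
                regs = struct.unpack_from("<%dI" % count, blob, off + 16)
                eip = regs[EIP_INDEX]
        off += cmdsize
    return segments, eip


def entry_segment(segments, eip):
    """Name of the segment whose address range contains eip, or None if no segment does."""
    for name, vmaddr, vmsize in segments:
        if vmaddr <= eip < vmaddr + vmsize:
            return name
    return None


def triage_entry(blob):
    """(segment name, suspicious?) for the initial EIP; anything outside __TEXT is flagged."""
    segments, eip = parse_macho32(blob)
    if eip is None:
        raise ValueError("no x86 LC_UNIXTHREAD; LC_MAIN / 64-bit images are not handled here")
    seg = entry_segment(segments, eip)
    return seg, seg != "__TEXT"


def build_sample(entry_in_initstub):
    """Constructed minimal Mach-O with __TEXT, __DATA and a Crisis-style __INITSTUB segment."""
    def seg(name, vmaddr, vmsize):
        # maxprot 7 (rwx), initprot 5 (r-x), no sections, no flags
        return struct.pack(SEGMENT_FMT, LC_SEGMENT, 56, name, vmaddr, vmsize, 0, 0, 7, 5, 0, 0)
    regs = [0] * X86_THREAD_STATE32_COUNT
    regs[EIP_INDEX] = 0x3010 if entry_in_initstub else 0x1100      # invented addresses
    thread = struct.pack("<4I", LC_UNIXTHREAD, 16 + 4 * len(regs), X86_THREAD_STATE32, len(regs))
    thread += struct.pack("<%dI" % len(regs), *regs)
    cmds = (seg(b"__TEXT", 0x1000, 0x1000) + seg(b"__DATA", 0x2000, 0x1000)
            + seg(b"__INITSTUB", 0x3000, 0x1000) + thread)
    header = struct.pack(HEADER_FMT, MH_MAGIC, CPU_TYPE_X86, CPU_SUBTYPE_X86_ALL, MH_EXECUTE, 4, len(cmds), 0)
    return header + cmds


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(True)
    seg, bad = triage_entry(blob)
    print("initial EIP lies in %s -> %s" % (seg, "SUSPICIOUS" if bad else "normal"))
```

On a Mac the same information is visible with `otool -l <binary>` (look at the LC_UNIXTHREAD thread state and compare eip against the LC_SEGMENT ranges); for a FAT file, extract the 32-bit slice first with `lipo -thin i386`. The point of the check is to decide this before attaching a debugger that only breaks on main.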
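The persistence the post describes (a LaunchAgent named com.apple.mdworker.plist whose payload sits in a fake .app under ~/Library/Preferences) is cheap to hunt for: Apple does not install agents into a user's ~/Library/LaunchAgents, and legitimate programs do not run out of the Preferences folder. The following is an added example of that triage, not code from Intego or from any vendor mentioned on this page. The two plists and the home directory /Users/alice are constructed for the example; the path of the backdoor inside the OvzD7xFr.app bundle is assumed, since the post names the bundle and the files but not the bundle layout.

```python
"""Added example: heuristics over per-user LaunchAgents for the Crisis.C persistence pattern.

Sample plists and the /Users/alice home are constructed; the payload path
inside OvzD7xFr.app is an assumption, not taken from the write-up.
"""
import os
import plistlib


def launchagent_findings(plist_path, plist_bytes, home):
    """Return a list of reasons the plist looks like the Crisis persistence; [] means nothing seen."""
    reasons = []
    try:
        d = plistlib.loads(plist_bytes)
    except Exception as exc:            # a malformed plist in LaunchAgents is itself worth a look
        return ["unparseable plist: %s" % exc]
    label = str(d.get("Label", ""))
    args = d.get("ProgramArguments") or []
    program = str(d.get("Program") or (args[0] if args else ""))
    user_agent_dir = os.path.join(home, "Library", "LaunchAgents")
    prefs_dir = os.path.join(home, "Library", "Preferences")

    # Apple's own agents live under /System/Library; an Apple-looking label here is mimicry.
    if os.path.dirname(plist_path) == user_agent_dir and label.startswith("com.apple."):
        reasons.append("Apple-style label %r in %s" % (label, user_agent_dir))
    # Crisis hides its bundle in ~/Library/Preferences; nothing legitimate executes from there.
    if program.startswith(prefs_dir + os.sep):
        reasons.append("program runs from the Preferences folder: %s" % program)
    # An application bundle outside the usual application folders.
    usual = ("/Applications/", "/System/", os.path.join(home, "Applications") + os.sep)
    if ".app/Contents/" in program and not program.startswith(usual):
        reasons.append("application bundle in an unusual location: %s" % program)
    # Restart-on-exit is what a backdoor wants; most user agents do not need KeepAlive.
    if d.get("RunAtLoad") and d.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: relaunched whenever it dies")
    return reasons


def scan_user_agents(home):
    """Run the heuristics over every plist in <home>/Library/LaunchAgents (live use on a Mac)."""
    agent_dir = os.path.join(home, "Library", "LaunchAgents")
    results = {}
    if os.path.isdir(agent_dir):
        for name in sorted(os.listdir(agent_dir)):
            if name.endswith(".plist"):
                path = os.path.join(agent_dir, name)
                with open(path, "rb") as fh:
                    results[path] = launchagent_findings(path, fh.read(), home)
    return results


# Constructed samples (not captured from a real host).
HOME = "/Users/alice"
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>org.example.backupagent</string>
  <key>ProgramArguments</key><array><string>/Applications/Backup.app/Contents/MacOS/backupd</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
CRISIS_LIKE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.mdworker</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Preferences/OvzD7xFr.app/Contents/MacOS/8oTHYMCj.XIl</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""


def demo():
    """Heuristic results for the two constructed plists, keyed 'benign' and 'crisis'."""
    agent_dir = os.path.join(HOME, "Library", "LaunchAgents")
    return {
        "benign": launchagent_findings(os.path.join(agent_dir, "org.example.backupagent.plist"), BENIGN_PLIST, HOME),
        "crisis": launchagent_findings(os.path.join(agent_dir, "com.apple.mdworker.plist"), CRISIS_LIKE_PLIST, HOME),
    }


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", reasons or ["nothing seen"])
```

On a live machine, `scan_user_agents(os.path.expanduser("~"))` gives the same per-file findings; a hit on the label or the Preferences path is worth confirming with `launchctl list` and a look at the referenced bundle rather than treating the heuristic alone as proof.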
Senior Advisor

Re: New Mac OS X malwares - OSX/Crisis DAVINCI rootkit

Try Dr.Web Light for Mac; you can purchase it via the Apple App Store!

https://itunes.apple.com/en/app/dr.web-light/id471859438?mt=12

or Intego VirusBarrier

http://www.intego.com/antivirus-internet-security-x8

Senior Advisor

Re: New Mac OS X malwares - OSX/Crisis DAVINCI rootkit

Ref. issue occurrence:- http://community.f-secure.com/t5/Security/Re-14-antivirus-apps-found-to/td-p/55591/page/8

* Please take note that this malware can infect EFI, FileVault, Skype, Contacts, etc. *

(Kaspersky indicates that Hacking Team is releasing infections for mobile phones (iPhone, Android, Windows Phone) as well.)

At the moment, Dr.Web Light for Mac and Intego VirusBarrier are detecting this malware.

Senior Advisor

Re: New Mac OS X malwares - OSX/Crisis DAVINCI rootkit

If you own a smartphone, make sure you have a mobile antivirus installed.

Just to be really safe.

Because these things are real and really happen to people....

Turn off Bluetooth when not in use.

Make sure your mobile antivirus is up to date, and the same goes for your mobile phone's security updates. You need to keep up to date.

Do not download or purchase software from the App Store that contains malware!

Skype can also be infected by this malware! So Skype is not secure!!!

* Remove the battery from your phone if you believe your calls have been wiretapped. Turn off your mobile phone immediately if you are in a vicinity that is not secure and is vulnerable. These government viruses are way too real! So is FinFisher. *

http://securelist.com/blog/mobile/63693/hackingteam-2-0-the-story-goes-mobile/

http://securelist.com/analysis/publications/37064/spyware-hackingteam/

http://securelist.com/blog/research/64215/adobe-flash-player-0-day-and-hackingteams-remote-control-s...

See the videos here:-

http://www.youtube.com/watch?v=i8cTGGu07B8

http://www.youtube.com/watch?v=oNsXKPHBR3s

Main sources, from the Kaspersky Securelist blogs:-

http://securelist.com/?s=osx&x=0&y=0&search_nonce=acfd81681c&_wp_http_referer=%2F

http://www.intego.com/mac-security-blog/

http://nakedsecurity.sophos.com/category/organisations/apple/

Always check Mikko Hypponen's TED Talks and the F-Secure blog.

Videos:-

http://www.youtube.com/watch?v=9CqVYUOjHLw

http://www.youtube.com/watch?v=EMIsuZsfEVg

http://www.youtube.com/watch?v=W7-jVMJ1-NY&list=PLkMjG1Mo4pKKwx8sieOhE1bnTJRYDyz2S

http://www.f-secure.com/weblog

Watch F-Secure Labs from Kuala Lumpur, Malaysia.

http://www.youtube.com/watch?v=9s8nd9jIOdU

Senior Advisor

Re: New Mac OS X malwares - OSX/Crisis DAVINCI rootkit

AVG Cleaner, PrivacyFix, Antivirus for Mac.

http://www.avg.com/ww-en/for-mac