OSX/Crisis malware revealed as targeted attack
Published July 27th, 2012 at 7:06 AM EDT , modified July 30th, 2012 at 10:10 PM EDT
Over the last couple of days, a lot more information about the malware Intego announced as OSX/Crisis has come out. It has been discovered that it contains part of a commercial malware package called Remote Control System DaVinci, which is marketed primarily to governments and sells for 200,000 euros. At this point, it appears to be a targeted attack, likely on the part of a Middle Eastern government and aimed at a group of Moroccan journalists who covered the Arab Spring revolution.
Intego revealed that it installs via a Java applet that relies on social engineering tricks to get itself installed, much like other recent malware such as GetShell. The Java applet can apparently also detect whether the system is Mac OS X or Windows and drop the appropriate malware, indicating that there must be a Windows component to this malware as well. Intego also revealed their source, DefensiveLab, which in turn revealed that the infection had been found on the hard drive of a Moroccan journalist.
Sophos posted details on what this malware can do once installed, and it’s a frightening litany of spying. It does more than I recall any other Mac malware ever being capable of, including recording through the Mac’s internal microphone and webcam and intercepting conversations in programs like Skype, Adium and MSN Messenger! They also refer to this malware as Morcut, and leveled some mild criticism at Intego for the name “Crisis.” Evidently, that name comes from the malware’s code, in such a way that it looks like the creator wanted it to be called “Crisis.” The security industry apparently has an informal tradition of deliberately ignoring such self-chosen names, as a kind of poke in the eye to the malware’s author, which Intego did not follow.
In all, this seems like just another targeted attack that the average Mac user will never need to worry about. Since this malware is not a self-replicating virus, it’s extremely unlikely that it would get out of its creators’ control. Unless you are part of a group that a large government might be interested in closely monitoring, you’re almost certainly safe from malware like this.