Monday 30 July 2012


Apple Mac Trojan named OSX/Crisis.
Discovered by Intego.
Intego is a Mac security software company founded in 1997.

[Image: HB1ca.jpg]


They make backup, antivirus, antispam, data protection and firewall software for Mac OS X.
Now let's get back to our discussion.
OSX/Crisis:
This threat is a dropper which creates a backdoor when it is run.
It installs silently, without requiring a password, only on OS X 10.6 (Snow Leopard) and 10.7 (Lion).
If the dropper runs on a system with admin permissions, it will drop a rootkit to hide itself.
With or without admin permissions, this folder is created in the infected user's home:
~/Library/ScriptingAdditions/appleHID
Only with admin permissions, this new folder is also created:
/System/Library/Frameworks/Foundation.framework/XPCService
It uses low-level system calls to hide its activities.
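
As an added example (not from Intego or the original post), the shell function below checks for the two folders listed above. The name `scan_crisis` and its optional root argument are assumptions made here; the root argument lets the check run against a mounted copy of the disk, since a live system carrying the rootkit may hide these folders from a directory listing.

```shell
#!/bin/sh
# Added example: look for the two folders named in this post.
# scan_crisis [ROOT] prints one line per hit; returns 1 if anything
# was found and 0 if the tree is clean. ROOT defaults to "/".

scan_crisis() {
    root="${1:-/}"
    root="${root%/}"      # "/" becomes "", "/Volumes/X/" becomes "/Volumes/X"
    found=0

    # Created only when the dropper ran with admin permissions.
    sys="$root/System/Library/Frameworks/Foundation.framework/XPCService"
    if [ -e "$sys" ]; then
        echo "FOUND (admin install): $sys"
        found=1
    fi

    # Created with or without admin permissions, once per user home.
    # /private/var/root is the root account's home on OS X; checking
    # it goes beyond the post, which only mentions the infected user.
    for home in "$root"/Users/* "$root"/private/var/root; do
        [ -d "$home" ] || continue
        hit="$home/Library/ScriptingAdditions/appleHID"
        if [ -e "$hit" ]; then
            echo "FOUND (user install): $hit"
            found=1
        fi
    done

    return "$found"
}

# Scan only when a root is given on the command line, e.g.
#   sh scan_crisis.sh /                  (live system)
#   sh scan_crisis.sh /Volumes/Evidence  (hypothetical mounted copy)
if [ "$#" -gt 0 ]; then scan_crisis "$1"; fi
```

A clean result on a live system is weaker evidence than a clean result on a mounted copy, because of the hiding behaviour described above.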


[Image: jWTMn.png]


[Image: ajycx.png]


[Image: TROpT.png]

Intego suggests using VirusBarrier X6, which needs to be updated to protect against OSX/Crisis.
