The vast misinformation about malware “OSX / Crisis”

The combination of the mainstream media (who do not want reality to ruin a good story) and homes antivirus (who see a new niche Mac market) convert any data about malware for Mac into a jumble of confusion and misinformation. What actually happens with malware OSX / Crisis? Let’s try to clarify something.

Houses as they are called antivirus Morcut Crisis or interchangeably. Let us first see what the malware in order to position ourselves.

Malware: distribution

An issue often confused in the malware is the distribution (how come the system) and the end (which it once there). Distribution of Crisis is being done from a file. Jar (an applet called AdobeFlashPlayer.jar.). We know of discharge points (websites that hosted and distributed). For now, it seems that does not use vulnerabilities to install , so the user must launch the applet in a more or less conscious when your browser asks. As the applet does not validate the certificate chain of trust, an alert appears. The signature data are within the META-INF folder. Jar.


The. Jar are actually ZIP files, which normally contain. Class, Java executables. The case is interesting because this crisis. Jar (zip, actually) contains: a. Class, a Windows executable, and a Mac.

Class, merely serves to distinguish the operating system and launch one or other executable. The code speaks for itself.

Perhaps that is distributed in. Jar (Java platform), and contains two files, news has led some to speak of ” malware for Mac and Windows “, opening the door to the idea of multiplatform malware (single file work in both operating systems) when the reality is quite different. These two native executables for each platform , and a file in Java that is responsible for selecting one or the other based on the system on which it runs. Simple as that. He could have chosen any method of achieving this, such as they used to in 2007 DNSChanger: according to the browser user-agent, the page the attacker tried to download an EXE or DMG.

Malware: diffusion

The spread seems very low right now , as we see in VirusTotal (if we take as reference). The. Jar itself, appeared on July 24 and has been sent nine times.

The executable for Mac that is inside (and a variant that perhaps, be half the size of the known sample, another sample question differently) has been forwarded so many times.

Malware for Windows, it is detected (26 of 39) but his name is a mystery. Each house has been classified as seen fit.

The Jar, as usual, is much less detected. Only 5 engines for signatures.

The success of malware is mostly in its method of dissemination: the more the better automated . A malware is distributed through a transparent execution system (no user) thanks to a vulnerability, it will be widespread. The less known vulnerability, the more successful for malware. Conversely, if the malware requires the user to run ” with your own mouse “will depend entirely on social engineering employed. The more clever or attractive, more users will sting. In the case of crisis, it seems not exploit any vulnerability. Being a. Jar signed, Java launch an alert when running, which will further hinder other users to launch.

Malware: what does?

The third question to ask is what makes this Trojan. As mentioned, after a distribution ” Original “, will run on the system or the binary for Windows or Mac, so we actually have two.

The executable for Mac is a spy can record the keys on your Mac, turn on the microphone, camera, steal the clipboard, etc. A spyware ” traditional “that allows a third party control system and steal information . Apparently can be based on a commercial tool. Do not even try to raise privileges: if the user runs it with privileges, you can hide better and control over, and if not, settle for what you can. An important fact is that this malware was promptly released when it appeared the new version of Mac Mountain Lion This is totally irrelevant, but it seems that many owners are saying that this is a malware that version when it is not. Work on any Mac
We analyzed the executable for Windows in depth, but also seems a back door (which curiously makes use PuTTy). It has rootkit functionality and steals system information.

In short

It is a malware for Mac and one for Windows , which are distributed through a. jar, untapped security flaws in Apple or Windows, which aims to spy on the infected. Neither shows the degree of insecurity of Apple (because it uses a vulnerability), or that Mac malware is being consolidated (diffusion is small compared to other threats to that platform), or that Apple is no longer immune to malware (nonsense still believed by many) …

What in my opinion shows is that there is a tremendous lack of understanding between users and media.