Mac malware Crisis on Mountain Lion eve?

Filed Under: Apple, Featured, Java, Malware, OS X

SophosLabs recently received an intriguing Mac malware sample, variously known as Crisis and Morcut.

We're still digging into the details of the malware itself, but the delivery mechanism is interesting.

The malware package arrived in a file named AdobeFlashPlayer.jar.

JAR stands for Java Archive. JAR files are structurally just ZIP files: by convention they carry a .jar extension and a META-INF/MANIFEST.MF entry describing the contents, and they are the standardised way of packaging and delivering Java software.

This makes it easy to deliver a Java program along with all the programming libraries, configuration data, images and other supporting stuff it needs.

Inside the malicious AdobeFlashPlayer.jar is a .class file named WebEnhancer, and two unassuming-looking files named win and mac.

Class files are to Java what EXE files are to Windows - they're the compiled software components which run inside the Java Virtual Machine (JVM). Unlike EXE files, however, they are inherently multi-platform. The same .class file will run on OS X and Windows, for example, with the JVM providing the platform-specific software layer.

And cross-platform support is what the malware author is after here.

The WebEnhancer program file has nothing to do with web browsing - instead, it simply works out whether you have Windows or OS X, and chooses between the win and mac files.

WebEnhancer is implemented as an applet: a special sort of Java program that runs inside a Java-enabled browser.

The author's inventiveness obviously ran out at this point: win is an installer for Windows malware (detected by Sophos as Mal/Swizzor-D), whilst mac is an installer for the Crisis, or Morcut, malware for OS X (detected by Sophos as OSX/Morcut-A).
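As an added illustration (not code from the original post, from SophosLabs or from the malware author), here is a Python triage script that builds a constructed JAR with the same layout as described above (a WebEnhancer.class plus extension-less win and mac entries, and a placeholder signature block) and then inspects it the way an analyst would: treating the JAR as a ZIP, identifying each entry by its leading bytes rather than its name, noting whether the archive is signed, and flagging the "one class file plus a native payload per platform" dropper pattern. The entry contents, the META-INF/WEBENHAN.* signature file names and the classify/triage_jar function names are assumptions made for the example; the bytes are synthetic stand-ins, not the Morcut sample.

```python
import io
import struct
import zipfile

# Constructed stand-in for the JAR layout described above: one .class file plus two
# extension-less native payloads. Only the magic numbers are meaningful; the rest is
# padding. These are NOT bytes from the real Morcut/Crisis sample.
MANIFEST = b"Manifest-Version: 1.0\r\nCreated-By: 1.6.0 (Apple Inc.)\r\n\r\n"
FAKE_CLASS = b"\xca\xfe\xba\xbe" + b"\x00\x00\x00\x32" + b"\x00" * 24  # class file, major version 50 (Java 6)
FAKE_WIN = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 28       # PE/COFF header stub
FAKE_MAC = b"\xca\xfe\xba\xbe" + b"\x00\x00\x00\x02" + b"\x00" * 24    # Mach-O universal binary, 2 architectures
FAKE_SIG_SF = b"Signature-Version: 1.0\r\n\r\n"                         # placeholder signature file
FAKE_SIG_RSA = b"\x30\x82\x00\x00"                                     # placeholder PKCS#7 block (not a real one)

# Magic numbers used by classify(): thin Mach-O, 32/64-bit, either byte order
MACHO_THIN = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"}
SIG_BLOCK_EXTS = (".RSA", ".DSA", ".EC")  # jarsigner's signature block file extensions


def build_sample_jar() -> bytes:
    """Write the constructed JAR to memory. A JAR is an ordinary ZIP with a META-INF/MANIFEST.MF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", MANIFEST)
        zf.writestr("META-INF/WEBENHAN.SF", FAKE_SIG_SF)
        zf.writestr("META-INF/WEBENHAN.RSA", FAKE_SIG_RSA)
        zf.writestr("WebEnhancer.class", FAKE_CLASS)
        zf.writestr("win", FAKE_WIN)
        zf.writestr("mac", FAKE_MAC)
    return buf.getvalue()


def classify(data: bytes) -> str:
    """Identify an entry by its leading bytes, never by its name or (missing) extension."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] in MACHO_THIN:
        return "macho"
    if data[:4] == b"\xca\xfe\xba\xbe" and len(data) >= 8:
        # 0xCAFEBABE is shared by Java class files and Mach-O universal ("fat") binaries.
        # A class file follows it with minor/major version (major is 45 or more for any
        # Java release); a fat binary follows it with nfat_arch, a small architecture count.
        (word,) = struct.unpack(">I", data[4:8])
        return "java-class" if word >= 45 else "macho-fat"
    return "unknown"


def triage_jar(jar_bytes: bytes) -> dict:
    """First-pass report: what each entry really is, whether the JAR is signed, and
    whether it fits the 'one class file plus native payloads' dropper pattern."""
    report = {"entries": {}, "signed": False, "native_payloads": [], "dropper_pattern": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            kind = classify(zf.read(name))
            report["entries"][name] = kind
            if name.startswith("META-INF/") and name.upper().endswith(SIG_BLOCK_EXTS):
                # Signed, but by whom is a separate question: a self-signed or otherwise
                # untrusted certificate is exactly what produces the "untrusted publisher"
                # dialog described above, and the code still runs if the user clicks through.
                report["signed"] = True
            if kind in ("pe", "macho", "macho-fat"):
                report["native_payloads"].append(name)
    has_class = "java-class" in report["entries"].values()
    report["dropper_pattern"] = has_class and len(report["native_payloads"]) >= 1
    return report


if __name__ == "__main__":
    for key, value in triage_jar(build_sample_jar()).items():
        print(f"{key}: {value}")
```

The point of checking magic bytes is that the win and mac entries carry no extension at all, so anything keyed on file names (or on the manifest, which the dropper can write as it likes) sees nothing. The 0xCAFEBABE collision is worth remembering when you triage a JAR that targets OS X: a Mach-O universal binary inside the archive will look like a class file to a naive scanner.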

The good news is that the WebEnhancer applet causes a digital signature alert. This warns you that the applet is from an untrusted publisher, and reminds you that "this application will run with unrestricted access which may put your personal information at risk."

Of course, the Morcut malware itself doesn't have to be delivered inside a JAR file - but the sample I looked at was packaged that way.

We'll let you know what we find as we dig into the Morcut malware. A cursory examination suggests that it's going to be interesting (I was going to say "fun", but that sounds all wrong!) for the analyst who got the job.

Morcut has kernel driver components to help it hide, a backdoor component which opens up your Mac to others on your network, a command-and-control component so it can accept remote instructions and adapt its behaviour, data stealing code, and more.

So, watch this space for further details if you're interested in the guts of modern Mac malware, and don't forget:

  • Cybercrooks now consider Mac users to be worthwhile victims.
  • Malware can easily target multiple platforms.
  • WebEnhancers often aren't.
  • If you don't need Java, uninstall it (or, at the very least, disable the Java plugin in your browser, since this sample arrives as an applet). That leaves one less convenience for malware writers.
  • Don't blindly ignore certificate warnings.
  • Don't feel left out if you're a Linux user.

Oh, and if you don't yet have anti-malware on your Mac, why not try the free Sophos Anti-Virus for Mac Home Edition?

(No registration, no password, no expiry. We don't even ask for an email address.)

If you're planning on picking up a brand new Mac when Mountain Lion drops later today, why not start off secure?

Further reading: Morcut Mac malware spies on infected users through video and audio capture


NB. Sophos Anti-Virus on all platforms detects and blocks the various components of this malware as follows:

* Troj/JVDrop-A: the outermost JAR file.
* Troj/JVDrop-A: the cross-platform .class file inside the JAR.
* Mal/Swizzor-D: the Windows malware inside the JAR.
* OSX/Morcut-A: the OS X malware inside the JAR.



10 Responses to Mac malware Crisis on Mountain Lion eve?

  1. So this .jar file, when it tries to execute, does it ask for the user's password?

    • Paul Ducklin · 1171 days ago

      It doesn't - but (at least on my test box, with a vanilla OS X Lion Java install and the Safari browser) it is rather obvious, as it produces a digital signature alert to warn you that it's from an untrusted publisher.

      (I've updated the main article to clarify this - thanks for the question!)

      • You are welcome. The question just came to my mind when I read the article. Thanks for updating the main article.

  2. Another reason I don't have Java installed on my iMac.

  3. Taigo · 1171 days ago

    If it's not out in the wild,

    a - why should I care
    b - how did YOU get hold of it?

    I may have this wrong, but this post strikes me as a rather blatant attempt to ride the Mountain Lion publicity.

    • I can answer a:

      The reason to care is that someone went through the effort of writing this, whether as something to present at BlackHat/Defcon, as a proof-of-concept, or to unleash eventually on the internet at large. This malware is targeting OS X using many of the techniques traditionally only seen on Windows. This means that yes, more such things (some using ideas from this sample malware) WILL show up, as that's the way things usually go.

      However, if you follow what Paul suggested above, you likely don't have much reason to care at this point, unless you're an IT staffer somewhere.

      Forewarned is forearmed, as they say.

  4. anonmyous · 1171 days ago

    Am I reading this wrong? Wouldn't a better solution be to not enable "Java" in Safari?
    How many home users need to run Java applets introduced via a web browser, really?

  5. Sean · 1171 days ago

    Since you keep mentioning mountain lion... What happens when this malware is run with the default gatekeeper settings?
    Does it still work, raise alerts or fail?

    • Juan · 1167 days ago

      In that case the headline would be "Gatekeeper didn't prevent infection".

    • XYZ · 1164 days ago

      I've just tried with another jar file: They do trigger gatekeeper and are NOT executed on Mountain Lion by default.

      Now, _maybe_ the jar does not arrive as a download, but is instead executed using an applet directly in the browser. You should assume that this is not the case, and you are safe with Mountain Lion, unless Sophos comes forward and describes in detail how the installer is triggered exactly _on_ Mountain Lion.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog