Mac malware Crisis on Mountain Lion eve?

SophosLabs recently received a intriguing Mac malware sample, variously known as Crisis and Morcut.

We’re still digging into the details of the malware itself, but the delivery mechanism is interesting.

The malware package arrived in a file named AdobeFlashPlayer.jar.

JAR stands for Java Archive. JAR files, which are structurally just ZIP files with a special name, are used as a standardised way of packaging and delivering Java software.

This makes it easy to deliver a Java program along with all the programming libraries, configuration data, images and other supporting stuff it needs.

Inside the malicious AdobeFlashPlayer.jar is a .class file named WebEnhancer, and two unassuming-looking files named win and mac.

Class files are to Java what EXE files are to Windows – they’re the compiled software components which run inside the Java Virtual Machine (JVM). Unlike EXE files, however, they are inherently multi-platform. The same .class file will run on OS X and Windows, for example, with the JVM providing the platform-specific software layer.

And cross-platform support is what the malware author is after here.

The WebEnhancer program file has nothing to do with web browsing – instead, it simply works out whether you have Windows or OS X, and chooses between the win and mac files.

WebEnhancer is implemented as an applet: a special sort of Java program that runs inside a Java-enabled browser.

The author’s inventiveness obviously ran out at this point: win is an installer for Windows malware (detected by Sophos as Mal/Swizzor-D), whilst mac is an installer for the Crisis, or Morcut, malware for OS X (detected by Sophos as OSX/Morcut-A).

The good news is that the WebEnhancer applet causes a digital signature alert. This warns you that the applet is from an untrusted publisher, and reminds you that “this application will run with unrestricted access which may put your personal information at risk.”

Of course, the Morcut malware itself doesn’t have to be delivered inside a JAR file – but the sample I looked at was packaged that way.

We’ll let you know what we find as we dig into the Morcut malware. A cursory examination suggests that it’s going to be interesting (I was going to say “fun”, but that sounds all wrong!) for the analyst who got the job.

Morcut has kernel driver components to help it hide, a backdoor component which opens up your Mac to others on your network, a command-and-control component so it can accept remote instructions and adapt its behaviour, data stealing code, and more.

So, watch this space for further details if you’re interested in the guts of modern Mac malware, and don’t forget:

  • Cybercrooks now consider Mac users to be worthwhile victims.
  • Malware can easily target multiple platforms.
  • WebEnhancers often aren’t.
  • If you don’t need Java, uninstall it. That leaves one less convenience for malware writers.
  • Don’t blindly ignore certificate warnings.
  • Don’t feel left out if you’re a Linux user.

Oh, and if you don’t yet have anti-malware on your Mac, why not try the free Sophos Anti-Virus for Mac Home Edition?

(No registration, no password, no expiry. We don’t even ask for an email address.)

If you’re planning on picking up a brand new Mac when Mountain Lion drops later today, why not start off secure?

Further reading: Morcut Mac malware spies on infected users through video and audio capture

NB. Sophos Anti-Virus on all platforms detects and blocks the various components of this malware as follows:

* Troj/JVDrop-A: the outermost JAR file.
* Troj/JVDrop-A: the cross-platform .class file inside the JAR.
* Mal/Swizzor-D: the Windows malware inside the JAR.
* OSX/Morcut-A: the OS X malware inside the JAR.