After further analysis, more information has emerged about the Morcut Mac OS X malware (also known as “Crisis” by some anti-virus products) which was discovered this week.
Clearly OSX/Morcut-A was created with spying in mind, as its code includes hooks to control/monitor the following operations:
- mouse coordinates
- instant messengers (for instance, Skype [including call data], Adium and MSN Messenger)
- internal webcam
- clipboard contents
- key presses
- running applications
- web URLs
- internal microphone
- calendar data & alerts
- device information
- address book contents
In short, if this malware managed to infect your Mac it could learn an awful lot about you, and potentially steal enough information for an attacker to read your private messages and conversations, and to break into your email and other online accounts.
Fortunately, we haven’t seen Morcut in the wild. At the moment the threat is low. However, the complexity of the malware is yet another indication that malware on the Mac is becoming more serious – and designed to make money at your expense.
If you haven’t already done so, you really should run anti-virus software on your Mac. The software in the Mac App Store is (unfortunately) not up to the job, as it doesn’t include the real-time component essential to scan every file (and thus every potential threat) as it is opened.
Fortunately, if you are a home user, there is award-winning free anti-virus software for your Mac available. And yes, it works on Mountain Lion too. 🙂
By the way, if you’re curious about where the name “Crisis” came from, it’s a name which appears inside the malware’s code.
As far as we can tell, the author appears to have wanted his malware to be called “Crisis”.
However, there is some history and tradition in the computer security industry of not stroking the malware creator’s ego and deliberately ignoring their suggestion as to how their Trojan horse or virus should be named.
We’re delighted not to call the malware “Crisis”, but OSX/Morcut instead.
16 comments on “Mac malware spies on infected users through video and audio capture”
Excellent write-ups, thanks guys. Keep up the good job!
Silly Rabbit, Macs don't get viruses…
So say they.
You clearly don't know the difference between virus, trojans, worms, etc. Malware exists in every OS. But viruses are, indeed, exclusive to Windows.
Thanks to Sophos team for making this great (and free) software.
Hmmm. Viruses (of which worms form a subset) are a special sort of malware – they can replicate (i.e. spread) on their own.
I'm sorry to have to tell you that viruses aren't exclusive to Windows. Viruses have been created on a wide range of platforms, including: iOS, OS X, MacOS pre-X, Linux, OS/2, IBM VM/CMS, VMS, Amiga, Atari, MS-DOS and numerous other systems. One of the earliest in-the-wild viruses, as it happens, was Elk Cloner, written in 1982 for the Apple II.
Most malware today is indeed of the non-self-replicating sort – "Trojans", in a word – but that applies to Windows as well as to any other OS. That's because the crooks no longer need their malware to spread by itself – they can use technologies such as email, the web and social networking for distribution.
There aren't many viruses for non-Windows platforms, but viruses are not in any way "exclusive to Windows." Be careful of trying to convince yourself of that 🙂
Why isn't Sophos Anti-Virus for Mac Home Edition available in the Mac App Store? Thanks!
As Graham mentioned in the article: "[anti-virus] software in the Mac App Store is (unfortunately) not up to the job, as it doesn't include the real-time component essential to scan every file (and thus every potential threat) as it is opened."
Apple limits the technological sophistication of applications it approves for the App Store. Part of the reason is for reliability – to limit the potential harm that a buggy program might cause, such as crashing your computer.
For the hundreds of Fart Apps you can download, this is probably a good thing. But for anti-virus software, it isn't.
In particular, App Store apps can't have kernel drivers, which means they can't "dig into" the OS itself to add a layer of _preventative_ protection to stop you getting infected in the first place.
So the only way we could get our software into the App Store would be to emasculate it by removing its most important function so that it no longer protected you properly 🙂
And that's why we ask you to download SAV for Mac Home Edition directly from us.
There are other reasons, such as the fact that we would have to wait in an approval queue at Apple every time we needed to push out an update, but the fact that the software would no longer be fit for purpose is IMO the most important one…
Ugh, more FUD.
Give it up already, Sophos. Your market is in the Windows space; there's nothing here, move on.
Mac malware is a real threat, so Cluley is not clueless.
If you think Macs can't get infected with malware, you're either dreaming or smoking some Apple-weed. Wake up and smell the reality coffee.
Or you can continue to pretend Mac malware doesn't exist and expose your Mac to infection. The malware authors would certainly be glad if you think Macs are immune to their exploits. All the better to steal your data.
I agree. Mac malware is on the rise, and anyone who owns a Mac needs to wake up and face reality. These days, there’s no such thing as 100% secure, as there are always going to be vulnerabilities in the software. Downloading and installing the free anti-virus for your Mac is an important first step in protecting yourself. I have had Sophos Anti-Virus installed on my Mac for over a year now and I’ve never been infected. It doesn’t take much system resources, and the best part is it’s free!!!
Does the green light next to webcam light up when this trojan is recording, or can that be bypassed, too?
To the best of my knowledge, the webcam light and the webcam itself are, from a programmatic point of view, a single, indivisible device. In other words, if the light is on, the camera is capturing, and vice versa. So there isn't _supposed_ to be a way that one can be active without the other.
Never say never, of course. For example, if the LED blows, can you be sure this will stop the camera working as well?
Here's eminent cryptographer Whit Diffie on this very topic, at a recent security conference in Oz:
"AusCERT 2010 keynote speaker and public-key cryptography expert Whitfield Diffie doesn't trust Apple to keep attackers from taking control of his webcam.
At the conference, Diffie had a piece of tape over his Apple MacBook's built-in webcam. When asked why, he answered it was the most effective protection against prying eyes.
'I trust the tape more than I trust any program. I figure if there's a piece of tape over it, it isn't taking pictures of things,' he told ZDNet Australia."
"Fortunately, we haven't seen Morcut in the wild."
What does this mean? If the malware is not "in the wild" then how do you know it exists?
A sample was sent to SophosLabs from a webmail address, but without any explanation (credible or otherwise) of where it had come from, or why it was being submitted. The sender CCed a wide range of email addresses, including many we know as fellow security researchers. Obviously, we can't vouch for all the recipients on the CC list, and we have no idea what else the sender might have done with the thing. All I know is that we have a copy.
Anyway, I can definitely tell you it exists, in the same way that I can tell you that animals such as bettongs, dunnarts and bilbies exist – and very groovy they are, too – even though I've only ever seen them in a zoo.
We haven't had any confirmed reports of Morcut being in circulation amongst unsuspecting users – whether in the form of actual infections or of proactive blockings of potential infections. That's why we say, "We haven't seen it in the wild."
I installed Sophos and also tried Avast on OS X Mountain Lion and both of them absolutely disrupted the speed of the system. My web browsers were plagued with the spinning rainbow ball. It made browsing virtually unusable! After using several tools to clean my mac of the software, I ended up having to do a fresh install of OSX Mountain Lion to fix the problem. What a headache! Beware…
Sorry to hear that you had a problem.
I have tried it myself on Mountain Lion without any difficulties, but clearly there's some sort of conflict which both Sophos and Avast are experiencing on your setup.
The support community for our free Mac product can be found at http://openforum.sophos.com/macav – I would recommend you give that a try.
Morcut is definitely in the wild now. I am in South Korea, and received a prompt to update Adobe Acrobat. I of course accepted and updated, as I always trust Adobe products. Well, now I am infected and going through the cleanup process. PITA. Hopefully this will rid the system of it, and I may have to update to Mountain Lion soon. 4GB on the road, though, is a tough pill to swallow at hotel download speeds.