Apple ‘Crisis’ Virus For Mac OS X Detected By Intego

Security firm Intego on Tuesday announced the discovery of “Crisis” the newest in a recent string of Mac OS X based viruses. According to Intego the virus is engineered to escape many standard virus detection practices, bypassing OS X security features while installing itself with no user interaction.

The Crisis malware code calls back to the IP address 176.58.100.37 every five minutes at which point it receives new instructions. Intego is believed to only affect OS X versions 10.6 and 10.7.

Because the virus does not require a user to enter a password and is resistant to reboots it will continue to run until detected and removed.

Intego also warns that when installed on a user account with root permissions the program will install additional programs to hide itself.

Crisis installed the following file with our without root access:

/Library/ScriptingAdditions/appleHID/
Contents/Resources/appleOsax.r

When Crisis is installed with root access, it installs two files:

/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc
/Contents/MacOS/com.apple.mdworker_server

And

/System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc
/Contents/Resources/

According to ZDNet:

“If the dropper runs on a system with Admin permissions, it will drop a rootkit to hide itself. The malware creates 17 files when it’s run with Admin permissions, 14 files when it’s run without. Many of these are randomly named, but there are some that are consistent.”

To combat the virus which is hard to detect Intego has updated its VirusBarrier X6 software to guard against the attack. The Intego software upgrade dated July 24, 2012 will protect against the Crisis malware and other virus destinations.

Do you think Apple’s security protocols are falling apart with a string of viruses recently detected.