Erik Eckel explains why new malware threats such as OS X Crisis and Morcut should get the attention of users and admins.
Some OS X organizations and users suffer delusions, believing Macs to be immune to infection. A combination of claims-OS X is a more secure platform that's more difficult to hack, and OS X boasts less market share making it a less popular target for hackers-lead to some justifiable arguments that OS X is more secure than Windows. But the fact remains: OS X is still vulnerable to infection.
In the past, purported malware infections required that users almost purposefully infect their machines with spyware. But just this week numerous reports surfaced regarding the discovery of new malware infections that compromise a Mac. These new infections enable compromised systems to essentially eavesdrop on users' audio, video, email, browser, and instant messaging sessions.
Most worrisome is the technical sophistication of the new infections. Mac software site, Intego, reports that the so-called OS X/Crisis infection opens a backdoor subsequently hidden by a rootkit. The software presents as a Java applet, then makes software changes to begin monitoring use of Skype, browser, IM, and other applications. The infection also hides itself from OS X's Activity Monitor. Enthusiast site Ars Technica reports that new Mac malware, named Morcut or backdoor.OSX.Morcut by Kaspersky Lab, also doesn't even require that an administrative password be entered to enable the malware's installation.
While massive infections are not being reported (in fact Ars Technica and CNET News state that the malware is not circulating widely), OS X organizations and business users should pay particular attention to this new round of potential infections for several reasons. First, the technical sophistication is concerning. The infection works as a Trojan rootkit, hiding itself as described above. Second, the infection does not require that an administration password be entered to install the malware. Third, the program reportedly possesses the ability to monitor data entered within browser sessions, IM chat sessions, email and even Web-based audio applications.
Obviously, the capacity for a third party to monitor and obtain sensitive or private information through such means is disconcerting for business users. Organizations already struggle to implement and maintain best security practices; the potential for an infected Mac that's believed to be secure distributing critical and sensitive information to unauthorized third parties should keep enterprise IT staff up at night.
What to do?
Organizations should continue encouraging staff not to install or load any application, operating system or other common updates. Those responsibilities should be left to seasoned IT staff members who can better differentiate between legitimate and fraudulent updates.
Firms should make it policy that OS X systems possess capable antivirus software. Despite Apple's pronouncement years ago that Mac users should install antivirus, anti-malware software is often not found on Mac systems, at least in my experience or that of IT professionals with whom I interact and speak.
Organizations should also reconsider the installation or use of potentially unnecessary applications. If Skype, MSN instant messaging and similar vulnerable applications aren't installed, then they can't be compromised. The fewer the potential entry points for compromise or vulnerability, the better.
With the arrival of these new infections, everyone plays a role in helping protect organization systems and information. Users, too, should be reminded to report to the IT department any unusual behavior, crashes or anomalies that their OS X systems experience. Making users aware of these specific new threats, will help organizations seeking to maintain secure systems.