{"id":5267,"date":"2012-07-25T21:14:12","date_gmt":"2012-07-26T04:14:12","guid":{"rendered":"http:\/\/www.intego.com\/mac-security-blog\/?p=5267"},"modified":"2016-02-12T10:29:30","modified_gmt":"2016-02-12T18:29:30","slug":"more-on-osxcrisis-advanced-spy-tool","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/more-on-osxcrisis-advanced-spy-tool\/","title":{"rendered":"More on OSX\/Crisis \u2014Advanced Spy Tool"},"content":{"rendered":"

<\/strong>Yesterday we discussed new malware for OS X called OSX\/Crisis<\/a>, which is a brand new Trojan that installs a backdoor on infected machines. Here we\u2019ll discuss some new details that have been uncovered, including some files that are a possible installer for the files found yesterday.<\/p>\n

It appears one possible installation mechanism for the OSX\/Crisis malware has been found. It arrives as a Java applet with one of a couple possible names and relies on social engineering to get people to activate the installer. If it\u2019s run, the applet will check to see whether it\u2019s being run on Windows or OS X. If it is being run on OS X, it will continue the infection chain we detailed yesterday (basically it entails installing silently to open a backdoor that\u2019s hidden by a rootkit, then phoning home for commands) .<\/p>\n

\"\"<\/a><\/p>\n

This Java applet technique has been a popular one for multi-platform infection, as Java will work on all common operating systems. Java has not, however, been installed by default on OS X from 10.7 on. This means it is unlikely that a Java applet is the only method of installation.<\/p>\n

So far these are the two different filenames we\u2019ve seen for installing OSX\/Crisis:<\/p>\n