Spying on browsing and instant messaging activities

A new Mac OS X Trojan referred to as OSX/Crisis silently infects OS X 10.6 Snow Leopard and OS X 10.7 Lion. It then spies on the user by monitoring Adium, Firefox, Microsoft Messenger, Safari, and Skype.

The threat installs itself silently (no user interaction required) and does not need your user password to infect your Mac. It exploits Java vulnerabilities, but since OS X 10.7 Lion doesn’t include Java by default, this is suggesting there are other ways for this malware to infect your Mac. Newly released Mac OS X 10.8 Mountain Lion doesn’t seem to be affected by the OSX/Crisis.

The malware allows the person operating it to:

• Spy on Skype audio traffic and record all conversations and phone calls.
• Spy on Safari or Firefox browsers to record URLs and screenshots.
• Record IM messages in both Microsoft Messenger and Adium.
• Send file contents to the control server.

As this is a very advanced threat and since it hasn’t been seen in the wild yet, you’re unlikely to get infected by it. Still, if your work on Apple Mac is critical or you have classified information stored on it, it is very important that your security updates are always up to date and that you’re using an updated antivirus program.

Microsoft also suggests doing something about your Java as Java-based malware sees no end. So regardless of whether you’re using Mac or Windows-based computers, this is what Microsoft asks you to do with Java: "Update it, disable it, or kill it."

More Than 600,000 Macs Infected

Mac OS X has been relatively safe from malware. However, there has been a few malware scares recently that have affected a significant number of Mac users.

One of those was MacDefender fake antivirus scam that led users to believe their systems were infected and asked for credit card details to remove the "infection". Another one was DNSChanger malware, which directed affected computers to malicious websites that tried to get people provide their personal information.

The latest malware to hit Mac users has been Flashback. It appeared in spring last year as a fake Adobe Flash player installer. Getting infected with this malware was relatively easy to avoid, plus Apple quickly patched the hole as part of security updates. But then, Flashback came back exploiting a Java vulnerability and, by simply visiting a malicious website, this malware could install on a Mac running Java. It didn't require any user attention. Although Oracle patched Java vulnerability back in February, it didn't help Mac users because Apple uses its own version of Java. Apple (finally) patched Flashback last week... two months and 600,000 infections later :(

There is a free tool that lets you check whether your Mac has been infected with Flashback. Simply go to http://public.dev.drweb.com/april/ and follow a few simple steps. But regardless of whether you have it or not, make sure you keep up with Apple security updates.