…or OSX/Morcut, as Sophos are apparently calling it. Paul Ducklin has pointed out an aspect that I haven’t seen mentioned before: the malicious JAR file includes a Java class file misleadingly called WebEnhancer that apparently checks on whether the Java Virtual Machine in which it finds itself is running under Windows or OS X. If the JVM is running under Windows, it installs a version of Swizzor: if it’s OS X, it installs OSX/Crisis.
By the way, the title of my previous pointer post on the topic – OSX/Crisis(? What Crisis?) shouldn’t be taken as meaning that this malware is of no interest, even though it’s not currently in the wild. (Intego found samples on VirusTotal.) Apart from the fact that it has a number of characteristics that are likely to interest other malware authors as much as they do the AV industry, there’s no guarantee that it isn’t going to find its way into the wild in some form eventually, so it definitely makes the cut as a potential threat, though not a cause of immediate panic. Some malware proves pretty significant in a research/historical context without ever finding its way onto an end user’s machine, just by influencing the way other malware behaves. Crisis isn’t actually the first or only attempt at hardware-independent malware, but we shouldn’t underestimate the significance of the fact that the attempt is being made, even though there are more technically interesting aspects to the whole malware package.
In fact, the reference in my title to a statement that UK politician Jim Callaghan probably didn’t make is possibly more subtle and apposite than you might think. 😉
David Harley CITP FBCS CISSP