After further analysis, more information has emerged about the Morcut Mac OS X malware (also known as “Crisis” by some anti-virus products) which was discovered this week.
Clearly OSX/Morcut-A was created with spying in mind, as its code includes hooks to control/monitor the following operations:
- mouse coordinates
- instant messengers (for instance, Skype [including call data], Adium and MSN Messenger)
- internal webcam
- clipboard contents
- key presses
- running applications
- web URLs
- internal microphone
- calendar data & alerts
- device information
- address book contents
In short, if this malware managed to infect your Mac computer it could learn an awful lot about you, and potentially steal information that could be used to read your private messages and conversations, and to open your email and other online accounts.
Fortunately, we haven’t seen Morcut in the wild. At the moment the threat is low. However, the complexity of the malware is yet another indication that malware on the Mac is becoming more serious – and is designed to make money at your expense.
If you haven’t already done so, you really should run anti-virus software on your Mac. The software in the Mac App Store is (unfortunately) not up to the job, as it doesn’t include the real-time component essential to scan every file (and thus every potential threat) as it is opened.
Fortunately, if you are a home user, there is award-winning free anti-virus software for your Mac available. And yes, it works on Mountain Lion too. :)
By the way, if you’re curious about where the name “Crisis” came from, it’s a name which appears inside the malware’s code.
As far as we can tell, the author appears to have wanted his malware to be called “Crisis”.
However, there is some history and tradition in the computer security industry of not stroking the malware creator’s ego and deliberately ignoring their suggestion as to how their Trojan horse or virus should be named.
We’re delighted not to call the malware “Crisis”, but OSX/Morcut instead.