ThreatSTOP Blog

ThreatSTOP blocking new OSX/Morcut malware

Written by francisturner | July 27, 2012

As noted by The Register and other places, there's a new cross-platform vulnerability out that installs via a piece of Java that does a check for "Windows or Mac" and then installs the malware suitable for the platform.

The Mac malware it installs, called either OSX/Morcut or OSX/Crisis - depending on the AV researcher - is most easily detected and blocked by seeing where it tries to go. Intego reports that it calls home every 5 minutes to a single IP address (176.58.100.37) to get instructions and upload anything it may have found.

ThreatSTOP has added this IP address to our feeds and so all ThreatSTOP customers are protected from this malware. Our reporting tool will report the internal IP addresses that are attempting to contact this host, making it easy for IT departments and network administrators to identify and then remediate infected machines.

If you aren't familiar with ThreatSTOP then consider a trial on your firewall. ThreatSTOP's IP reputation service provides a way for firewalls to block currently active criminal IP addresses. The list is updated automatically and applies to both inbound and outbound traffic, such as the traffic to known botnet command & control servers.