New Mac OS X malware variant spotted in the wild

Summary: Security researchers from Intego have intercepted a new variant of the Imuler trojan horse targeting Mac OS X users.

The latest version, Imuler.C, attempts to trick end users and corporate users into thinking that they are downloading and about to view image files. The trojan horse circulates in .zip archives named “Pictures and the Ariticle of Renzin Dorjee.zip” and “FHM Feb Cover Girl Irina Shayk H-Res Pics.zip”.

According to the researchers, the malware authors rely on a well-known social engineering tactic combined with the default Mac OS X setting that hides full file extensions: the application files carry image icons, so with extensions hidden they look like picture files.

Once executed, the malware performs the following actions:

The malware installs a backdoor at /tmp/.mdworker, along with other files in this directory. A process called .mdworker then launches; the mdworker process (note the absence of the . before the name) is a process used by Spotlight to index files.

A launchagent file is also installed at ~/library/LaunchAgents/checkvir.plist, along with an executable in the same folder, ensuring that the malware launches when the user logs into his or her Mac, or starts it up. After a restart, the .mdworker process is deleted, and the checkvir executable launches.

This malware searches for user data, and attempts to upload it to a server. It also takes screenshots and sends them to the server. It creates a unique identifier for the specific Mac to be able to link the Mac and the data it collects. We have seen that this malware is active, as it connects to a remote server and downloads new executables.

End users are advised to turn on the Finder option that shows all filename extensions, so that real image files can be told apart from applications such as the Imuler.C trojan, and to submit suspicious files to the popular VirusTotal service in order to check that they are malware-free.
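A small triage script for the behaviour described above, added here as an example and not part of the article or of Intego's write-up: it lists the application bundles inside a downloaded .zip, flags any bundle whose name looks like an image once the .app extension is hidden, and checks a home directory for the on-disk artifacts the article names. The sample archive and its entries are constructed for illustration; the Finder setting the article refers to is the AppleShowAllExtensions preference.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Extensions a user would expect a "picture" to carry. With the Finder setting
# AppleShowAllExtensions off, "cover.jpg.app" is displayed as "cover.jpg".
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff", ".bmp"}

def app_bundles_in_zip(zip_path):
    """Map each .app bundle found in the archive to True when its displayed
    name (the .app part hidden) ends in an image extension."""
    bundles = {}
    with zipfile.ZipFile(zip_path) as zf:
        for entry in zf.namelist():
            parts = entry.split("/")
            for depth, part in enumerate(parts):
                if part.lower().endswith(".app"):
                    bundle = "/".join(parts[:depth + 1])
                    shown = part[:-len(".app")]  # what Finder shows by default
                    bundles[bundle] = Path(shown).suffix.lower() in IMAGE_EXTS
                    break
    return bundles

def imuler_artifacts(home=None, tmp="/tmp"):
    """Return the artifacts named in the article that exist on this host:
    the /tmp/.mdworker backdoor and the checkvir launch agent pair."""
    home = Path(home) if home else Path.home()
    candidates = [
        Path(tmp) / ".mdworker",
        home / "Library" / "LaunchAgents" / "checkvir.plist",
        home / "Library" / "LaunchAgents" / "checkvir",
    ]
    return [str(p) for p in candidates if p.exists()]

def build_sample_zip(directory=None):
    """Constructed sample archive (not a real Imuler sample): one genuine
    picture, one application disguised as a picture, one plain application."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "sample.zip")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("Pics/photo1.jpg", b"\xff\xd8\xff")
        zf.writestr("Pics/cover.jpg.app/Contents/MacOS/cover.jpg", b"\xcf\xfa\xed\xfe")
        zf.writestr("Pics/Viewer.app/Contents/Info.plist", b"<plist/>")
    return path

if __name__ == "__main__":
    for bundle, disguised in app_bundles_in_zip(build_sample_zip()).items():
        print(("DISGUISED " if disguised else "app       ") + bundle)
    print("artifacts present:", imuler_artifacts() or "none")
```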

Topics: Malware, Apple, Hardware, Operating Systems, Security, Software

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

27 comments
  • Procedure

    1) Click on the smiling mac in the left (or the top) of your dashboard
    2) Click on the gear button in the header of the window
    3) Pick "Show View Options" menu item
    4) Tick the "Show Item Info" checkbox.
    m0o0o0o0o
  • Relax, it's not a virus

    it's a trojan and requires human intervention, but unlike Windows users, Mac users are still virus free :)
    shellcodes_coder
    • Mac users are not virus free

      if they count you as one of their own.
      :|
      Tim Cook
      • Trojans and viruses

        Are technically two different things. Windows 8 would not stop the end user from getting this type of malware
        Jumpin Jack Flash
      • Please do tell.

        @Jumpin Jack Flash: [i]Windows 8 would not stop the end user from getting this type of malware[/i]

        Setting aside for the moment Windows 8 is not yet released.
        ye
      • Technically...

        Technically he's correct.

        In fact this trend of trojans rather than viruses is also evident on Windows too. Probably down to the simple fact that Windows is becoming much more difficult to infect with a virus.

        We have two similar problems on both Mac and Windows.

        On the Mac users have become confident that their system can't get infected with a virus.

        On Windows users have become confident that their AntiVirus product means their system can't get infected with a virus.

        Trouble is both groups are more likely to be infected via a trojan.

        To many the distinction seems academic - but it really isn't. A virus spreads by exploiting a weakness in the system. A trojan tricks the user. Trojans don't need OS flaws; the OS is operating correctly when the infection happens.

        So Mac vs Windows debates miss the point entirely - users need to be informed about what to look for, and need to be cautious of files whose provenance is unclear.

        Pointless bickering about the relative merits of Mac vs Windows is a distraction in a debate about infection via trojan. And it would be better to put "trojan (malware)" in the title of the article too.
        jeremychappell
      • RE: technically

        @jeremychappell... [i]"So Mac vs Windows debates miss the point entirely - users need to be informed about what to look for, and need to be cautious of files whose provenance is unclear."[/i]

        I agree with the point; however, the average user does not know what to look for. Of course, taking the precaution of not opening attachments from senders you don't know and have no reason to trust is a big one. The fact is, if you are roaming around the underbelly of the web, it is hard to know what to trust and what not to.
        Snooki_smoosh_smoosh
      • I'll tell

        [i]Setting aside for the moment Windows 8 is not yet released.[/i]

        Which you'd only say when it suits you. Otherwise it's the 'greatest thing' known to man.
        ScorpioBlack
    • So please name a Windows Vista/7 Virus...

      Could you please name one virus that has succeeded to infect a fully patched Windows Vista or Windows 7 Computer?
      brhorv
      • Take a wander over to Sophos' site

        Or look around, say, at pcpro's website and note that not too long ago Sophos tested W7 against 10 somewhat new viruses. Eight apparently got in. So, either Sophos is kind of tweaking things to pimp for business, or they're right and W7 is just as sad in terms of security as what came before.
        ego.sum.stig
      • Check this out

        http://nakedsecurity.sophos.com/2010/11/25/new-windows-zero-day-flaw-bypasses-uac/
        ScorpioBlack
      • Easy:

        Danom

        A family of viruses written to infect Windows Vista. When they were released they were capable of infecting Windows Vista. Sticks in my mind as it was the first virus specific to Vista.

        But this is rather irrelevant don't you think?
        jeremychappell
      • Nice qualifier...

        but a fully patched system isn't going to protect you from a virus that takes advantage of an otherwise unknown exploit; in fact, not even up-to-date antivirus is going to do that. I remember the w32.blaster worm back in 2K3 when that little bugger took down my fully patched machine running XP with up-to-date virus protection.
        Snooki_smoosh_smoosh
  • Headline errata:

    This was taken from the blog of Intego (the source of this article)
    "This was not found in the wild, and the risk was considered to be low." (http://blog.intego.com/new-version-of-imuler-trojan-horse-masquerades-as-image-files/, 1st paragraph)

    *Notice how it says "NOT" found in the wild.
    scigeek64
    • So if it was not found in the wild...

      ..where the heck was it "found"?
      toadlife
      • Must have been found in civilization then

        Instead of the Wild.
        bobiroc
  • ~/Library not ~/library

    The path should be ~/Library/... NOT ~/library/... There is no lowercase 'library' folder in my system.
    pepe4
  • Here we go again

    Another Trojan for MacOS will bring out the trolls that can only say "It's not a virus", neglecting the fact that a fully patched Windows system with anti-virus protection is secure from viruses as well, leaving Trojans to trick victims into compromising their machine.

    To me this is like saying that a person that is real sick from a bacterial infection is better off than one sick from viral infection. Either way it is still bad.
    bobiroc
    • Secure from known viruses

      not necessarily new ones that exploit holes yet to be patched. This goes for any OS though.

      Don't lull yourself into a false sense of security just because your machine is patched and you have malware protection running.
      Snooki_smoosh_smoosh
      • RE: false sense of security

        Oh, I am not. I am a realist and understand that there are risks out there on that thing they call the internet. Every OS and piece of software has holes, and the companies that make those operating systems and software are usually very good about patching their systems before the security hole becomes a real issue. The problem is whether the user(s) of those computers apply those patches or not.

        I am going through this now with a client that has a bunch of machines on XP, and some of them are only running XP SP1a. The person they named the "keeper of the computers" refuses to install patches because she had a patch cause a problem back in the Windows 98 days, so she thinks all patches break software. Even arguing that there were newer computers running XP SP3 and the same software that have no issues did not convince her. She also did not have the company's servers running any antivirus or firewall. I am usually the type that puts security before convenience, even if it means changing the way things are done a little bit. At my day job they call me the Security Nazi. I am also a stickler about software licensing and have upset quite a few people when I told them they cannot have a copy of Office or other software that we have with take-home rights to give to their kid for college.
        bobiroc