Mac OS X users should be aware that there is a new variant of the Imuler Trojan. My colleagues at Intego found the latest iteration, which attacks the user’s system disguised as an image file, delivered in .zip archives titled “Pictures and the Article of Renzin Dorjee.zip” and “FHM Feb Cover Girl Irina Shayk H-Res Pics.zip”.
For those that do not know, default Mac OS X settings hide the full file extensions (there is a similar issue in Windows 7 which also hides extensions by default), which allows malware to hide as an image icon with no extension tags. This will trick the user into thinking they are downloading a real image or .zip file. I don’t like hiding extensions and neither should you!
To show or hide filename extensions for ALL files:
- Choose Finder > Preferences and click Advanced
- Select or deselect “Show all filename extensions”
This particular type of Trojan malware installs a backdoor file (/tmp/.mdworker) and a process called .mdworker. A launch agent is also installed in ~/library/LaunchAgents/checkvir.plist along with an executable in the same folder. When the user next logs in, the malware launches. Once installed, the Trojan attempts to upload screenshots of user data to C&C servers without the user’s knowledge. It’s worth pointing out that no infection has actually been reported in the wild, but this doesn’t mean you should ignore the potential threat.
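As an added example (not from the original post or from Intego), here is a read-only shell check for the indicators named above. The paths and the process name come from the post; it assumes the launch agent lives in the current user’s ~/Library/LaunchAgents, and it takes optional arguments so it can be run against test folders and a captured process list rather than the live system.

```sh
#!/bin/sh
# Checks a Mac for the Imuler indicators described in the post.
#   $1  temp dir          (default /tmp)
#   $2  LaunchAgents dir  (default ~/Library/LaunchAgents, an assumption)
#   $3  process names, one per line (default: output of ps)
# Returns 0 when none of the named indicators is present, 1 otherwise.
imuler_check() {
    tmpdir="${1:-/tmp}"
    agents="${2:-$HOME/Library/LaunchAgents}"
    procs="${3-$(ps -A -o comm= 2>/dev/null)}"
    found=0

    # Backdoor file dropped in the temp folder (hidden by the leading dot).
    if [ -e "$tmpdir/.mdworker" ]; then
        echo "INDICATOR: backdoor file $tmpdir/.mdworker exists"
        found=1
    fi

    # Persistence: the launch agent that starts the malware at next login.
    if [ -e "$agents/checkvir.plist" ]; then
        echo "INDICATOR: launch agent $agents/checkvir.plist exists"
        found=1
    fi

    # Running process named .mdworker. Match on the basename so a path-style
    # listing also matches, and do not confuse it with Apple's legitimate
    # Spotlight process mdworker (no leading dot).
    if printf '%s\n' "$procs" | grep -Eq '(^|/)\.mdworker$'; then
        echo "INDICATOR: process .mdworker is running"
        found=1
    fi

    # The post says an executable sits beside checkvir.plist; LaunchAgents
    # normally holds only .plist files, so list any executables for review.
    for f in "$agents"/*; do
        if [ -f "$f" ] && [ -x "$f" ]; then
            echo "REVIEW: executable in LaunchAgents folder: $f"
        fi
    done
    return $found
}

# Live scan of this machine when run as a script.
imuler_check || echo "Imuler indicators found; see the lines above."
```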
Safe surfing folks!