Imuler/Revir Trojan for OS X resurfaces

The malware scene on OS X is minimal compared with other operating systems, but it is still developing, even if at a snail's pace.

Topher Kessler, MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

Last fall, a new Trojan malware scam called Revir and Imuler was uncovered, attempting to coerce Mac users into installing the malware on their systems, and then sending personal information to remote servers.

The scam initially used a Trojan dropper program called OS X/Revir.A that when run would download PDFs containing offensive political rhetoric in foreign languages, and then install a backdoor agent called OS X/Imuler.A. This in turn would try to connect to remote servers and send information about your system to the servers.

The malware did not work very well and appeared to be in the testing phase, but it did have the potential to do damage.

Revir C malware
When the ZIP file containing the malware is opened, among benign image files is the malware application (red square), which is disguised to look like the rest of the images. ESET

Recently, ESET reported that a new variant of the Imuler malware has been found, which instead of using a two-part attack, is now being disguised in ZIP files that contain erotic pictures. When opened, the ZIP archive will show a number of files, many of which are basic image files that will do no harm to your system, but mixed among them is an application file disguised as one of the images.
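As an added illustration, not code from the article or from ESET, the script below performs the kind of archive triage a defender would want for the packaging trick just described: it lists a ZIP archive and flags application bundles, and any entry that claims to be an image but carries a Mach-O header or an executable mode bit. The sample archive, its file names and the report layout are constructed for the demonstration; the Mach-O magic numbers are the real ones.

```python
# Added example (not from the CNET article or ESET): triage a ZIP archive for
# application bundles or native executables hiding among image files.
# The sample archive built below is constructed for this demonstration.
import io
import os
import zipfile

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff", ".bmp"}

# Real Mach-O and fat-binary magic numbers (first four bytes of the file).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}


def triage_zip(data: bytes) -> dict:
    """Inspect ZIP bytes and report anything that is not the image it claims to be.

    Returns {"bundles": [bundle paths], "disguised": {entry: [reasons]}}.
    """
    bundles = set()
    disguised = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.split("/")
            # 1. Any path component ending in ".app" is an application bundle,
            #    whatever icon or name the Finder would show for it.
            for i, part in enumerate(parts):
                if part.lower().endswith(".app"):
                    bundles.add("/".join(parts[: i + 1]))
                    break
            else:
                # Not inside a bundle: inspect a loose file claiming to be an image.
                if info.is_dir():
                    continue
                ext = os.path.splitext(name)[1].lower()
                if ext not in IMAGE_EXTS:
                    continue
                reasons = []
                with zf.open(info) as fh:
                    head = fh.read(4)
                # 2. Image extension but Mach-O magic bytes: a native executable.
                if head in MACHO_MAGICS:
                    reasons.append("Mach-O header")
                # 3. Unix executable bit stored in the ZIP entry's external attributes.
                mode = (info.external_attr >> 16) & 0o777
                if mode & 0o111:
                    reasons.append(f"executable mode {mode:o}")
                if reasons:
                    disguised[name] = reasons
    return {"bundles": sorted(bundles), "disguised": disguised}


def build_sample_archive() -> bytes:
    """Constructed sample: two benign images, one .app bundle, one Mach-O named .jpg."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Photos/IMG_0001.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # JPEG SOI
        zf.writestr("Photos/IMG_0002.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # PNG sig
        zf.writestr("Photos/IMG_0003.app/Contents/Info.plist", b"<plist/>")
        zf.writestr("Photos/IMG_0003.app/Contents/MacOS/IMG_0003",
                    b"\xcf\xfa\xed\xfe" + b"\x00" * 32)
        # A fat binary stored under an image name with mode 0755.
        zi = zipfile.ZipInfo("Photos/IMG_0005.jpg")
        zi.external_attr = 0o755 << 16
        zf.writestr(zi, b"\xca\xfe\xba\xbe" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_zip(build_sample_archive())
    for bundle in report["bundles"]:
        print(f"application bundle: {bundle}")
    for entry, reasons in report["disguised"].items():
        print(f"disguised file: {entry} ({', '.join(reasons)})")
```

Run against a real download with `triage_zip(open("archive.zip", "rb").read())`. The check deliberately trusts neither the file name nor the icon: the bundle test looks at the path structure, and the loose-file test looks at the first bytes and the stored mode, which is where a renamed executable gives itself away.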

If you open the malware program itself, it will connect to remote servers directly and download a program called CurlUpload, which packages screenshots and other information into a compressed file that it then uploads. This action is performed every time the malware is opened.

This new variant of the malware is identified as OSX/Imuler.C and is currently being added to the definitions files of various anti-malware utilities. Both ESET and F-Secure have released definitions updates that identify the malware, and other antivirus developers are expected to follow suit soon.

While some past malware such as the MacDefender scam appeared when visiting legitimate Web sites, the nature of the Imuler malware makes it harder to distribute as a legitimate program. Currently, its use of erotica to coerce people targets those who use peer-to-peer file sharing or who visit pornographic Web sites. And even if it were to change and use non-erotic images or other content, in its current form it would still need to use underground or peer-to-peer means to spread.

XProtect definitions
Apple's XProtect definitions have recently been updated to identify this new threat. Screenshot by Topher Kessler/CNET

Because of the nature of this threat, avoiding it is relatively easy and only involves avoiding files whose source you do not know, especially if they are packaged in ZIP files and are erotic or otherwise provocative in nature. If you are unsure of where a file came from, one way to look this up is to select it in the Finder, open Get Info, and check the "More Info" field, where in some cases you will find an origin URL.

In addition to keeping a keen eye on the files you download, OS X contains some technologies that help identify these threats. In current builds of OS X, including Snow Leopard and Lion, Apple includes its XProtect option for scanning freshly downloaded files. Last Saturday, Apple issued an update to XProtect that includes definitions for the new Revir malware threat, so should you inadvertently download it, the system should warn you that the file could potentially do harm to your system.

XProtect is one barrier that is built into OS X, but in upcoming versions of OS X, inadvertently launching a malware program will be much harder to do thanks to Apple's Gatekeeper technology. This feature uses Apple's Developer ID program to allow only legitimate applications to run without explicit user consent, and thereby warns you when unsigned code (such as that in malware programs) is run.
