Backdoor:OSX/Imuler.A

Summary

Backdoor:OSX/Imuler.A contacts a remote server for instructions; it may then steal files or capture a screenshot of the infected computer system, which is then forwarded to the remote server.

Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus for Mac to remove the relevant files.

Manual Removal

• Open Activity Monitor
• Select checkvir then click Quit Process
• Delete the following files:
  • ~/library/LaunchAgents/checkvir
  • ~/library/LaunchAgents/checkvir.plist
  • ~/library/.confback

Technical Details

Backdoor:OSX/Imuler.A may be variously dropped or installed onto a system by variants in the Trojan-Dropper:OSX/Revir family.

Installation

Upon execution, the backdoor drops a copy of itself to the following location:

• ~/library/LaunchAgents/checkvir

It creates the following launch point:

• ~/library/LaunchAgents/checkvir.plist

It also creates the following file, containing its Command and Control, or C&C, server:

• ~/library/.confback

Network Connections

The malware downloads a command line tool from the external site

• http://%server%/CurlUpload

Note: As of this writing, %server% can be any of the following -

• www. sugarsbutters.com
• www. teklimakan.org

The downloaded file is then saved as:

• /tmp/CurlUpload

The malware obtains the external IP address and current time by connecting to the following URLs:

• http://%server%/cgi-mac/whatismyip.cgi
• http://%server%/cgi-mac/2wmthetime.cgi

It collects system information, then uploads the collected information to the following location:

• http://%server%/cgi-mac/2wmrecvdata.cgi

Collected information includes the following:

• Internal IP
• External IP
• Username of the infected user
• Time of last execution
• Kernel version of the infected host

The malware then makes a HTTP POST request containing the%botid% to the following URLs, presumably to report that the infected host is ready to receive commands:

• http://%server%/cgi-mac/2wmcheckdir.cgi
• http://%server%/cgi-mac/2wmsetstatus.cgi

Backdoor

The malware contacts a remote server (the C&C server) to get its instructions. The URL is based on the following formula:

• http://%server%/users/%botid%/xnocz1

Where:

• %botid% - Is composed of:%user%%pad%%mac%
  • %user% - Are the first 8 characters of the username of the infected user ("XXXXXXXX" if username is longer than 8 characters)
  • %pad% - Is a series of "X" characters to make %botid% 20 characters long
  • %mac% - Is the MAC address of the machine

Depending on the instructions received, the backdoor is capable of performing the following actions:

• Download additional files
• Execute files on the infected host
• Collect system information then upload to the C&C
• Collect files to an archive, then upload it to the C&C server
• Capture an image of the computer screen, then upload it to the C&C

After receiving the commands, the malware makes a HTTP HEAD request the to following URL, presumably to report that the infected host has successfully receive the commands:

• http://%server%/cgi-mac/2wmdelfile.cgi