Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Backdoor:OSX/Imuler.A


Aliases:


Backdoor:OSX/Imuler.A

Malware
Backdoor
OSX

Summary

Backdoor:OSX/Imuler.A contacts a remote server for instructions; it may then steal files or capture a screenshot of the infected computer system, which is then forwarded to the remote server.



Disinfection & Removal


Automatic Disinfection

Allow F-Secure Anti-Virus for Mac to remove the relevant files.


Manual Removal

  • Open Activity Monitor
  • Select checkvir then click Quit Process
  • Delete the following files:
    • ~/library/LaunchAgents/checkvir
    • ~/library/LaunchAgents/checkvir.plist
    • ~/library/.confback


Technical Details

Backdoor:OSX/Imuler.A may be variously dropped or installed onto a system by variants in the Trojan-Dropper:OSX/Revir family.


Installation

Upon execution, the backdoor drops a copy of itself to the following location:

  • ~/library/LaunchAgents/checkvir

It creates the following launch point:

  • ~/library/LaunchAgents/checkvir.plist

It also creates the following file, containing its Command and Control, or C&C, server:

  • ~/library/.confback

Network Connections

The malware downloads a command line tool from the external site

  • http://%server%/CurlUpload

Note: As of this writing, %server% can be any of the following -

  • www. sugarsbutters.com
  • www. teklimakan.org

The downloaded file is then saved as:

  • /tmp/CurlUpload

The malware obtains the external IP address and current time by connecting to the following URLs:

  • http://%server%/cgi-mac/whatismyip.cgi
  • http://%server%/cgi-mac/2wmthetime.cgi

It collects system information, then uploads the collected information to the following location:

  • http://%server%/cgi-mac/2wmrecvdata.cgi

Collected information includes the following:

  • Internal IP
  • External IP
  • Username of the infected user
  • Time of last execution
  • Kernel version of the infected host

The malware then makes a HTTP POST request containing the%botid% to the following URLs, presumably to report that the infected host is ready to receive commands:

  • http://%server%/cgi-mac/2wmcheckdir.cgi
  • http://%server%/cgi-mac/2wmsetstatus.cgi

Backdoor

The malware contacts a remote server (the C&C server) to get its instructions. The URL is based on the following formula:

  • http://%server%/users/%botid%/xnocz1

Where:

  • %botid% - Is composed of:%user%%pad%%mac%
    • %user% - Are the first 8 characters of the username of the infected user ("XXXXXXXX" if username is longer than 8 characters)
    • %pad% - Is a series of "X" characters to make %botid% 20 characters long
    • %mac% - Is the MAC address of the machine

Depending on the instructions received, the backdoor is capable of performing the following actions:

  • Download additional files
  • Execute files on the infected host
  • Collect system information then upload to the C&C
  • Collect files to an archive, then upload it to the C&C server
  • Capture an image of the computer screen, then upload it to the C&C

After receiving the commands, the malware makes a HTTP HEAD request the to following URL, presumably to report that the infected host has successfully receive the commands:

  • http://%server%/cgi-mac/2wmdelfile.cgi






Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.

Disinfect your Mac




F-Secure Anti-Virus for Mac will disinfect your Mac and remove all harmful files