1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. Backdoor:OSX/Imuler.B

Backdoor:OSX/Imuler.B

Category:Malware
Type:Backdoor
Platform:OS X

Summary

Backdoor:OSX/Imuler.B contacts a remote server for instructions; it may then steal files or capture a screenshot of the infected computer system, which is later forwarded to the remote server.

Disinfection

Automatic

Allow F-Secure Anti-Virus for Mac to remove the relevant files.


Manual Removal

  • Open Activity Monitor
  • Select ScheduledSync then click Quit Process
  • Delete the following files:

    • ~/library/LaunchAgents/ScheduledSync
    • ~/library/LaunchAgents/ScheduledSync.plist
    • ~/library/.confback


Protection

Protect your Mac against threats with F-Secure Anti-Virus for Mac.

Additional Details

Backdoor:OSX/Imuler.B may be variously dropped or installed onto a system by variants in the Trojan-Dropper:OSX/Revir family.


Installation

Upon execution, the backdoor drops a copy of itself to the following location:

  • ~/library/LaunchAgents/ScheduledSync

It creates the following launch point:

  • ~/library/LaunchAgents/ScheduledSync.plist

It also creates the following file, containing its Command and Control, or C&C, server:

  • ~/library/.confback

Network Connections

The malware obtains the external IP address and current time by connecting to the following URLs:

  • http://%server%/cgi-mac/whatismyip.cgi
  • http://%server%/cgi-mac/2wmthetime.cgi

It collects system information, then uploads the collected information to the following location:

  • http://%server%/cgi-mac/2wmrecvdata.cgi

Collected information includes the following:

  • Internal IP
  • External IP
  • Username of the infected user
  • Time of last execution
  • Kernel version of the infected host

The malware then makes a HTTP POST containing the %botid% to the following URL, presumably to associate the bot to the previous session:

  • http://%server%/cgi-mac/2wmcheckdir.cgi

The malware then checks if there is a Wireshark process that is running. It will skip the rest of its routine if found. Otherwise, it makes another HTTP POST containing the %botid% to the following URL, presumably to report that the infected host is ready to receive commands:

  • http://%server%/cgi-mac/2wmsetstatus.cgi

NOTE: In the analyzed sample, %server% was www.ouchmen.com



Backdoor

The malware contacts a remote server (the C&C server) to get its instructions. The URL is based on the following formula:

  • http://%server%/users/%botid%/xnocz1

    Where:

    • %botid% - Is composed of: %user%%pad%%mac%
      • %user% - Are the first 8 characters of the username of the infected user ("XXXXXXXX" if username is longer than 8 characters)
      • %pad% - Is a series of "X" characters to make %botid% 20 characters long
      • %mac% - Is the MAC address of the machine

Depending on the instructions received, the backdoor is capable of performing the following actions:

  • Download additional files
  • Execute files on the infected host
  • Collect system information then upload to the C&C
  • Collect files to an archive, then upload it to the C&C server
  • Capture an image of the computer screen, then upload it to the C&C

After receiving the commands, the malware makes a HTTP HEAD request the to following URL, presumably to report that the infected host has successfully receive the commands:

  • http://%server%/cgi-mac/2wmdelfile.cgi