Backdoor:OSX/Imuler.B contacts a remote server for instructions; it may then steal files or capture a screenshot of the infected computer system, which is later forwarded to the remote server.
Allow F-Secure Anti-Virus for Mac to remove the relevant files.
Backdoor:OSX/Imuler.B may be variously dropped or installed onto a system by variants in the Trojan-Dropper:OSX/Revir family.
Upon execution, the backdoor drops a copy of itself to the following location:
It creates the following launch point:
It also creates the following file, containing its Command and Control, or C&C, server:
The malware obtains the external IP address and current time by connecting to the following URLs:
It collects system information, then uploads the collected information to the following location:
Collected information includes the following:
The malware then makes a HTTP POST containing the%botid% to the following URL, presumably to associate the bot to the previous session:
The malware then checks if there is a Wireshark process that is running. It will skip the rest of its routine if found. Otherwise, it makes another HTTP POST containing the%botid% to the following URL, presumably to report that the infected host is ready to receive commands:
Note: In the analyzed sample,%server% waswww.ouchmen.com
The malware contacts a remote server (the C&C server) to get its instructions. The URL is based on the following formula:
Depending on the instructions received, the backdoor is capable of performing the following actions:
After receiving the commands, the malware makes a HTTP HEAD request the to following URL, presumably to report that the infected host has successfully receive the commands: