
Backdoor:OSX/Imuler.B

Classification

Category:Malware
Type:Backdoor
Aliases:

Backdoor:OSX/Imuler.B

Summary

Backdoor:OSX/Imuler.B contacts a remote server for instructions; it may then steal files or capture a screenshot of the infected computer system, which is later forwarded to the remote server.

Removal

The F-Secure security product will automatically remove the file.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

• Check for the latest database updates

  First check if your F-Secure security program is using the latest updates, then try scanning the file again.

• Submit a sample

  After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

  Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

• Exclude a file from further scanning

  If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

  Note: You need administrative rights to change the settings.

Technical Details

Backdoor:OSX/Imuler.B may be variously dropped or installed onto a system by variants in the Trojan-Dropper:OSX/Revir family.

Installation

Upon execution, the backdoor drops a copy of itself to the following location:

• ~/library/LaunchAgents/ScheduledSync

It creates the following launch point:

• ~/library/LaunchAgents/ScheduledSync.plist

It also creates the following file, containing its Command and Control, or C&C, server:

• ~/library/.confback

Network Connections

The malware obtains the external IP address and current time by connecting to the following URLs:

• http://%server%/cgi-mac/whatismyip.cgi
• http://%server%/cgi-mac/2wmthetime.cgi

It collects system information, then uploads the collected information to the following location:

• http://%server%/cgi-mac/2wmrecvdata.cgi

Collected information includes the following:

• Internal IP
• External IP
• Username of the infected user
• Time of last execution
• Kernel version of the infected host

The malware then makes an HTTP POST containing the %botid% to the following URL, presumably to associate the bot with the previous session:

• http://%server%/cgi-mac/2wmcheckdir.cgi

The malware then checks whether a Wireshark process is running; if one is found, it skips the rest of its routine. Otherwise, it makes another HTTP POST containing the %botid% to the following URL, presumably to report that the infected host is ready to receive commands:

• http://%server%/cgi-mac/2wmsetstatus.cgi

Note: In the analyzed sample, %server% was www.ouchmen.com

Backdoor

The malware contacts a remote server (the C&C server) to get its instructions. The URL is built from the following formula:

• http://%server%/users/%botid%/xnocz1

Where:

• %botid% - is composed of: %user%%pad%%mac%

Based on the instructions received, the backdoor is capable of performing the following actions:

• Download additional files
• Execute files on the infected host
• Collect system information, then upload it to the C&C server
• Collect files into an archive, then upload it to the C&C server
• Capture an image of the computer screen, then upload it to the C&C server

After receiving the commands, the malware makes an HTTP HEAD request to the following URL, presumably to report that the infected host has successfully received the commands:

• http://%server%/cgi-mac/2wmdelfile.cgi
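The check-in sequence above (recon URLs, data upload, %botid% POSTs, the /users/%botid%/xnocz1 command fetch and the closing HEAD) gives a defender a network signature. The script below is an added example, not F-Secure's code: it matches those beacon paths against proxy log lines and groups hits per client; the log line format, client addresses and bot id value are constructed assumptions.

```python
# Added example, not F-Secure's code: beacon paths are from the write-up; log format is assumed.
import re
from collections import defaultdict

# Beacon endpoints named in the analysis, keyed by the stage they mark.
IMULER_PATHS = {
    "/cgi-mac/whatismyip.cgi": "recon",
    "/cgi-mac/2wmthetime.cgi": "recon",
    "/cgi-mac/2wmrecvdata.cgi": "upload",
    "/cgi-mac/2wmcheckdir.cgi": "checkin",
    "/cgi-mac/2wmsetstatus.cgi": "ready",
    "/cgi-mac/2wmdelfile.cgi": "ack",
}
# Command fetch: /users/%botid%/xnocz1, where %botid% = %user%%pad%%mac%.
CMD_RE = re.compile(r"^/users/([^/]+)/xnocz1$")
# Assumed log line format: "<client_ip> <METHOD> http://<host><path> <status>".
LOG_RE = re.compile(r"^(\S+) (GET|POST|HEAD) http://[^/\s]+(/\S*) (\d{3})$")

def classify_request(method, path):
    # Returns the Imuler.B stage the request matches, or None if benign.
    if path in IMULER_PATHS:
        return IMULER_PATHS[path]
    if method == "GET" and CMD_RE.match(path):
        return "command"
    return None

def detect_imuler(log_lines):
    """Map client IP -> (sorted stages seen, sorted bot ids seen)."""
    hits = defaultdict(lambda: (set(), set()))
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        client, method, path, _status = m.groups()
        stage = classify_request(method, path)
        if stage is None:
            continue
        hits[client][0].add(stage)
        if stage == "command":
            hits[client][1].add(CMD_RE.match(path).group(1))
    return {c: (sorted(s), sorted(b)) for c, (s, b) in hits.items()}

# Constructed sample: 10.0.0.5 follows the sequence above; 10.0.0.9 is benign.
SAMPLE_LOG = [
    "10.0.0.5 GET http://www.ouchmen.com/cgi-mac/whatismyip.cgi 200",
    "10.0.0.5 POST http://www.ouchmen.com/cgi-mac/2wmsetstatus.cgi 200",
    "10.0.0.5 GET http://www.ouchmen.com/users/alice___0a1b2c3d4e5f/xnocz1 200",
    "10.0.0.5 HEAD http://www.ouchmen.com/cgi-mac/2wmdelfile.cgi 200",
    "10.0.0.9 GET http://example.com/index.html 200",
]
```

A host that reaches several stages, or any host fetching a /users/.../xnocz1 URL, is worth isolating and checking for the ~/library/LaunchAgents/ScheduledSync persistence files listed above.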
