Mac Trojan Hides as Image File

Tuesday, March 20, 2012 @ 12:03 PM gHale

Mac users beware: A new version of the Imuler Trojan is disguising itself as an image file.

Two samples of the new version, designated Imuler.C, appeared on the VirusTotal website, which security companies use to share malware samples, said Mac anti-virus software provider Intego. In both samples, an application included an icon making it look like an image.

The technique “takes advantage of a default setting in the Mac OS X Finder, whereby file extensions are not displayed,” Intego said. “Users double-clicking on the application launch the malware, which quickly deletes itself, replacing the original application with a real JPEG image corresponding to the one that was an application, and displays this image in the user’s default image viewer. There is no visible trace of the application after this point.”

The malware then installs a backdoor on the machine.

“This malware searches for user data, and attempts to upload it to a server. It also takes screenshots and sends them to the server. It creates a unique identifier for the specific Mac to be able to link the Mac and the data it collects. We have seen that this malware is active, as it connects to a remote server and downloads new executables,” Intego said.

Intego recommends that Mac users display file extensions in the Finder’s Advanced preferences and that they not open an application that has the icon of a photo.
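A defender-side check to go with that advice, added here as an example and not taken from Intego or the original article: it lists every application bundle in a folder together with the name Finder shows when extensions are hidden. The function names, the image-extension heuristic and the sample folder are assumptions constructed for illustration.

```python
import os
import plistlib
import tempfile

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff", ".bmp"}

def bundle_executable(bundle):
    """Return CFBundleExecutable from the bundle's Info.plist, or None."""
    try:
        with open(os.path.join(bundle, "Contents", "Info.plist"), "rb") as fh:
            return plistlib.load(fh).get("CFBundleExecutable")
    except Exception:  # missing or malformed plist: report no executable
        return None

def find_app_bundles(root):
    """List each .app bundle under root with the name Finder shows by default."""
    findings = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in sorted(dirnames):
            shown, ext = os.path.splitext(name)
            if ext.lower() != ".app":
                continue
            dirnames.remove(name)  # a bundle is one item; do not walk inside it
            bundle = os.path.join(dirpath, name)
            findings.append({
                "path": bundle,
                "shown_as": shown,  # what the user sees with extensions hidden
                "image_like_name": os.path.splitext(shown)[1].lower() in IMAGE_EXTS,
                "executable": bundle_executable(bundle),
            })
    return findings

def demo():
    """Scan a constructed folder: one image, one plain app, one disguised app."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "cat.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff\xe0")  # JPEG magic bytes, constructed sample
        os.makedirs(os.path.join(root, "Notes.app", "Contents"))
        contents = os.path.join(root, "holiday.jpg.app", "Contents")
        os.makedirs(contents)
        with open(os.path.join(contents, "Info.plist"), "wb") as fh:
            plistlib.dump({"CFBundleExecutable": "holiday"}, fh)
        return {f["shown_as"]: f for f in find_app_bundles(root)}

if __name__ == "__main__":
    for shown, f in demo().items():
        flag = "REVIEW" if f["image_like_name"] else "app"
        print(f"{flag:6} shown as {shown!r}: executable={f['executable']}")
```

Pointing `find_app_bundles` at a downloads or mail-attachments folder gives a list of everything there that will launch as an application on double-click, whatever its icon looks like.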