New variant of Imuler trojan discovered

Published September 23rd, 2012 at 5:08 PM EDT , modified September 25th, 2012 at 4:08 PM EDT

Intego announced the discovery of a new variant of the Imuler trojan on Friday. It is being sent to Tibetan activists via e-mail, much like other recent trojans. The details can be found on Intego's blog, though readers with sensitive eyes should be warned that the page quotes some obfuscated profanity from the e-mail message.

The new variant is an application that poses as a pornographic image file. Like the original Imuler, it installs a backdoor, deletes itself, drops a real pornographic image in its place and opens that image, so that a suspicious user sees only the picture they expected. The original Imuler was never documented to have a working "command & control" server to call home to; this variant does, and according to Intego that server is currently active.

Although Intego makes no mention of this, Gatekeeper should block the trojan on Mountain Lion (and on Lion with its latest update, which adds Gatekeeper), at least when the file carries the quarantine attribute that Mail and Safari apply to attachments and downloads and the application is not signed by an identified developer. In addition, the quarantine feature that has been part of Mac OS X since Leopard will warn the unwary user that the "document" they are trying to open is actually an application, and XProtect in Snow Leopard and later will block it outright once Apple adds this variant to the XProtect definitions, if that proves necessary. This new variant of Imuler may in theory be more dangerous than the last one, but most people will never see it, and of those who do, most will never successfully open it. Honestly, anyone who does get infected probably ought to, as an important lesson in the dangers of opening porn sent by a stranger online.
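The disguise described above, an application bundle whose name ends in an image extension, is easy to spot on disk once you know to look. As an added example (not code from the original post or from Intego), the following Python script walks a download folder and flags any directory that has the structure of a Mac application bundle (Contents/Info.plist plus Contents/MacOS) but whose visible name, with Finder's hidden ".app" suffix removed, ends in an image extension. The folder layout, bundle names and image extension list are constructed for the demonstration.

```python
"""Find application bundles that masquerade as image files.

Added example, not code from the original post or from Intego. A directory
is treated as an app bundle when it holds Contents/Info.plist and a
Contents/MacOS/ directory; it is flagged when its name, minus an optional
trailing ".app" (which Finder hides), ends in an image extension. The
fixture built in demo() is constructed for this example.
"""
import os
import plistlib
import tempfile

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tif", ".tiff"}  # constructed list


def is_app_bundle(path):
    """Minimal structural test for a Mac application bundle."""
    return (os.path.isfile(os.path.join(path, "Contents", "Info.plist"))
            and os.path.isdir(os.path.join(path, "Contents", "MacOS")))


def disguised_as_image(name):
    """True when the name Finder would show (without .app) ends in an image extension."""
    base = name[:-4] if name.lower().endswith(".app") else name
    return os.path.splitext(base)[1].lower() in IMAGE_EXTS


def find_disguised_bundles(root):
    """Return sorted, slash-separated relative paths of image-named bundles under root."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            full = os.path.join(dirpath, d)
            if is_app_bundle(full):
                dirnames.remove(d)  # a bundle's own contents are not scanned further
                if disguised_as_image(d):
                    hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def make_bundle(root, name, executable="main"):
    """Create a skeletal app bundle; a constructed fixture for the demo."""
    contents = os.path.join(root, name, "Contents")
    os.makedirs(os.path.join(contents, "MacOS"))
    with open(os.path.join(contents, "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleExecutable": executable,
                       "CFBundlePackageType": "APPL"}, f)
    with open(os.path.join(contents, "MacOS", executable), "wb") as f:
        f.write(b"#!/bin/sh\n")


def demo():
    """Build a constructed download folder, scan it and return the flagged paths."""
    root = tempfile.mkdtemp()
    make_bundle(root, "photo.jpg.app")                      # image name, app body: flagged
    make_bundle(root, "Safari.app")                         # ordinary application: not flagged
    make_bundle(os.path.join(root, "mail"), "IMG_0123.JPG.app")  # nested, upper-case ext: flagged
    os.makedirs(os.path.join(root, "real.jpg.app"))         # app-like name, no bundle structure
    with open(os.path.join(root, "real.png"), "wb") as f:   # a plain image file
        f.write(b"\x89PNG\r\n\x1a\n")
    return find_disguised_bundles(root)


if __name__ == "__main__":
    for p in demo():
        print("application disguised as image:", p)
```

The structural check, rather than the file name alone, is what matters: a bare directory named "real.jpg.app" is harmless, while a bundle with an executable inside is what the quarantine dialog is warning about.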

