New variant of Revir/Imuler

Published March 15th, 2012 at 4:05 PM EDT, modified March 15th, 2012 at 4:05 PM EDT

Intego has announced the discovery of a new version of the Revir/Imuler trojan today.  It looks like the trojan is now using the trick of disguising itself as naughty pictures, rather than a PDF file as previous variants did.  However, as per their usual behavior, there is some important information that Intego never mentions in their blog post.

Revir/Imuler was first discovered by F-Secure, and oddly given two names: Revir, for the installer that came disguised as a PDF file, and Imuler, for the payload that gets installed and does the dirty work.  Intego has said nothing about Revir, seemingly referring to both parts as Imuler.C.  They admit that the malware has not yet been seen by them in the wild.  Instead, it was obtained through the online virus database VirusTotal.  Of course, that means that someone out there has seen it, recognized it as a trojan and uploaded it to VirusTotal.  So, caution is definitely warranted.

Intego makes a big deal about showing file extensions and ends with telling you how their software will protect you.  However, they leave out a significant piece of information.  Mac OS X has included a feature called Quarantine since version 10.5.  Quarantine’s purpose is to warn you before you open an application downloaded from the internet.  (In Mac OS X 10.6 and later it is also used to scan downloaded files for malware.)  This means you’re already protected.  If you open what looks like an image file and Quarantine warns you that it is actually an application, you should immediately cancel opening it and check the file extension.  If you don’t have all file extensions shown (as Intego recommends), you can see the extension by selecting the file, choosing File -> Get Info and looking at the Name & Extension information.
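The Finder trick the post describes relies on the fact that Finder hides a trailing ".app", so a bundle named "holiday.jpg.app" displays as "holiday.jpg". The following is an added example, not code from the original post or from Intego, showing how the same check you would do by hand with Get Info can be done in a POSIX shell: a path is treated as a disguised application if it is a directory laid out like a macOS bundle (the Contents/MacOS layout is assumed here) and its name, with ".app" stripped, ends in an image extension. The sample tree it inspects is constructed inline; the quarantine-attribute helper only does anything on a real Mac, where the xattr command exists.

```shell
#!/bin/sh
# Added example: detect a download that Finder shows as an image but that is
# really an application bundle. Assumptions of this example: an app bundle is a
# directory containing Contents/MacOS, and an inner image extension is suspicious.

# Return 0 (true) if $1 is a directory laid out like a macOS application bundle.
is_app_bundle() {
    [ -d "$1/Contents/MacOS" ]
}

# Return 0 if the name, with any trailing ".app" removed, ends in an image
# extension (case-insensitive). This is the name Finder would display.
has_image_name() {
    name=$(basename "$1")
    inner=${name%.app}
    lower=$(printf '%s' "$inner" | tr 'A-Z' 'a-z')
    case "$lower" in
        *.jpg|*.jpeg|*.png|*.gif) return 0 ;;
    esac
    return 1
}

# Return 0 if macOS has tagged the path as an internet download (the attribute
# Quarantine checks). Returns 1 on systems without xattr or without the tag.
has_quarantine_flag() {
    xattr -p com.apple.quarantine "$1" >/dev/null 2>&1
}

# Combined verdict: returns 0 (and prints a warning) when the path is a bundle
# wearing an image name, 1 otherwise.
is_disguised_app() {
    if is_app_bundle "$1" && has_image_name "$1"; then
        echo "SUSPICIOUS: $1 is an application bundle named like an image"
        return 0
    fi
    echo "ok: $1"
    return 1
}

# Build a constructed sample tree: one fake "photo" that is really a bundle and
# one genuine image file. Prints the directory so callers can inspect it.
make_samples() {
    dir=$(mktemp -d)
    mkdir -p "$dir/holiday.jpg.app/Contents/MacOS"
    : > "$dir/holiday.jpg.app/Contents/MacOS/holiday"
    : > "$dir/real.jpg"
    echo "$dir"
}

# Demonstration run over the constructed samples.
samples=$(make_samples)
is_disguised_app "$samples/holiday.jpg.app"
is_disguised_app "$samples/real.jpg" || true
```

On a Mac you could point is_disguised_app at anything in ~/Downloads; the point is that the structural check (a directory with Contents/MacOS) is what matters, not what Finder chooses to display.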

With this in mind, the new version of Revir/Imuler is not a very serious threat.  It’s simply another social exploit, and not a particularly dangerous one.  Some people will fall for it, of course, but mostly those so desperate for a look at those “naughty pictures” that their sense goes straight out of their head!  🙂

