Mac Trojan may funnel files, screenshots to distant servers
updated 01:15 pm EDT, Fri September 23, 2011
Malware currently just minor threat
A newly-detailed Trojan attack is being directed at Macs, say security firms F-Secure and Sophos. Originally spotted in late July, the Trojan relies on two pieces of malware. The first is a downloader identified as "Trojan-Dropper:OSX/Revir.A," which not only retrieves the second piece of software but repeatedly opens a Chinese PDF document -- trojan.pdf -- said to contain offensive political statements. The real purpose of the document is thought to be distracting a person while the second app is downloaded.
Nicknamed "BackDoor:OSX/Imuler.A," the second half of the Trojan configures a launch agent which keeps the malware active, and then connects to a remote server, feeding it a victim's computer username and MAC address. The server can reportedly instruct a besieged system to archive files and upload them, or else capture screenshots for upload. F-Secure comments that Imuler.A currently seems to be working badly or not at all, since it isn't receiving instructions; the company warns, though, that server may simply be in a testing phase, and could later become fully functional.
Both Sophos and F-Secure have produced updated definitions for their antivirus scanners that should cope with the Trojan. Apple has yet to push out new definitions for Lion and Snow Leopard, but the malware is said to be relatively easy to stop manually. People must first stop a process called "checkvir" in the Activity Monitor, and then delete "checkvir" and "checkfir.plist" files from their /username/Library/LaunchAgents/ directory.



Fresh-Faced Recruit
Joined: Jan 2006
non-issue
Apple will provide a security definition within 24 hours to lock out the trojan.