Topless supermodel photos used to spread Mac malware

Filed Under: Apple, Featured, Malware

Irina Shayk in FHMSomehow I doubt that Mac users are any smarter than their Windows cousins when it comes to resisting temptation.

We're all human, after all. And there is a (probably significant) proportion of the population which isn't adverse to searching the web for nude pictures of supermodels.

Of course, the bad guys who spread malware know about human weakness all too well - and exploit it regularly to trick computer users into clicking on files and installing malicious code that exposes them to risks.

Take the most recent Mac malware that we have seen, for instance.

OSX/Imuler-B uses images of supermodel Irina Shayk (no, I'd never heard of her either - but apparently she's the cover girl in the March 2012 edition of FHM magazine) to do its dirty work.

Here's a screenshot of a file carrying the OSX/Imuler-B Trojan horse. You can quite plainly see that its icon is of a Irina Shayk (who appears to have left her cardigan at home):


By default, Mac OS X doesn't display file extensions. Which means, that Mac users might be duped into believing that the file they are about to click on is a JPG image, rather than an application.

Imuler Trojan, using image of Irina Shayk

If you made the mistake of clicking on the file, the Trojan would quickly launch, before creating a genuine JPG image of the Russian model, and deleting itself.

Imuler Trojan, using image of Irina Shayk

The end result is that the malicious file isn't in that folder any longer, but it *has* run on your Apple Mac. All that remains on your hard drive is an "innocent" JPG image of the underwear model.

But behind the scenes, the malware opened a backdoor to your computer and is uploading private information to a remote web server.

The trick of hiding a file's true nature by exploiting an operating system's default disabling of extensions is not a new one, of course. It's something we've seen many Windows users be fooled by in the past.

To reduce the chances of this happening to you, you may wish to do what I've done on my Mac and told Finder to always show filename extensions.

Mac OS X Finder preferences

Up-to-date anti-virus software, including Sophos's free Mac anti-virus for home users, can protect you against the threat.

But if you want to disable the malware by hand, here's what you need to do:

  • First of all, terminate the process with name ".mdworker"
  • Go to the /tmp/ directory and remove the two files ".mdworker" and "CurlUpload"
  • You then need to delete the files "checkvir" and "checkvir.plist" from $HOME/Library/LaunchAgents/

Mac users - learn from the mistakes of Windows users in the past. Think before you click, and don't ever underestimate the ability of cybercriminals to exploit the most primal urges of computer users.

Hat-tip: Thanks to Xiaochuan Zhang of SophosLabs for his assistance with this article.

, , , ,

You might like

7 Responses to Topless supermodel photos used to spread Mac malware

  1. maarten · 1297 days ago

    It would have saved me elevated heartrate if you had mentioned that mdworker is a process that belongs to Spotlight! It occurred to me to google that process name when I couldn't find the files you mentioned in tmp and in Launchagents and mdworker doggedly relaunched itself within half a minute and even after restarting.

  2. Eric · 1297 days ago

    Wouldn't the mac os give you a pop up saying "this is an application you've downloaded from the internet blah blah blah" before it actually executed?

  3. That Bitch! · 1297 days ago

    You can lead a Mac fanboy to water. If you want him to drink, you're gonna have to steal all his personal data, not install any anti-virus on his machine, then drown him.

  4. Steve · 1296 days ago

    That and when you download a app online, the first time you launch it it asks if you know this app and if you want to run it. Vs a jpg that just opens preview no questions asked.

  5. KernelPone · 1295 days ago

    Irina Shayk is An SI Swimsuit Model...

  6. Konstantin · 1293 days ago

    Poor OS X users - they still have kid's illnesses. On Win such virii is so 90x)))

  7. ale · 1289 days ago

    bless god i'm gay i don't download female pics!!!! LOL

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley