Topless supermodel photos used to spread Mac malware

Somehow I doubt that Mac users are any smarter than their Windows cousins when it comes to resisting temptation.

We’re all human, after all. And there is a (probably significant) proportion of the population which isn’t averse to searching the web for nude pictures of supermodels.

Of course, the bad guys who spread malware know about human weakness all too well – and exploit it regularly to trick computer users into clicking on files and installing malicious code that exposes them to risks.

Take the most recent Mac malware that we have seen, for instance.

OSX/Imuler-B uses images of supermodel Irina Shayk (no, I’d never heard of her either – but apparently she’s the cover girl in the March 2012 edition of FHM magazine) to do its dirty work.

Here’s a screenshot of a file carrying the OSX/Imuler-B Trojan horse. You can quite plainly see that its icon is of Irina Shayk (who appears to have left her cardigan at home):


By default, Mac OS X doesn’t display file extensions, which means that Mac users might be duped into believing that the file they are about to click on is a JPG image rather than an application.

Imuler Trojan, using image of Irina Shayk

If you made the mistake of clicking on the file, the Trojan would quickly launch, before creating a genuine JPG image of the Russian model, and deleting itself.

Imuler Trojan, using image of Irina Shayk

The end result is that the malicious file isn’t in that folder any longer, but it *has* run on your Apple Mac. All that remains on your hard drive is an “innocent” JPG image of the underwear model.

But behind the scenes, the malware opened a backdoor to your computer and is uploading private information to a remote web server.

The trick of hiding a file’s true nature by exploiting an operating system’s default of hiding file extensions is not a new one, of course. It’s something we’ve seen many Windows users be fooled by in the past.

To reduce the chances of this happening to you, you may wish to do what I’ve done on my Mac and tell Finder to always show filename extensions.

Mac OS X Finder preferences

Up-to-date anti-virus software, including Sophos’s free Mac anti-virus for home users, can protect you against the threat.

But if you want to disable the malware by hand, here’s what you need to do:

  • First of all, terminate the process with name “.mdworker”
  • Go to the /tmp/ directory and remove the two files “.mdworker” and “CurlUpload”
  • You then need to delete the files “checkvir” and “checkvir.plist” from $HOME/Library/LaunchAgents/
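The Finder tip above and the three manual clean-up steps can be scripted. The following POSIX sh helper is an added example, not part of the original article or of any Sophos tool: it turns on Finder’s “show all filename extensions” setting (the `AppleShowAllExtensions` key in `NSGlobalDomain` is the real preference behind that checkbox), and it checks for, and optionally removes, exactly the files and process named in the article. The function names and the two directory parameters are this example’s own, so the check can be run against a scratch directory. Note the leading dot in “.mdworker”: the genuine Spotlight indexer is called `mdworker` without it, so the script matches the exact name rather than killing anything containing “mdworker”.

```shell
#!/bin/sh
# Added example (not from the original article): mitigation and clean-up
# helpers for OSX/Imuler-B. The file paths and the ".mdworker" process name
# are the ones the article lists; function names and the tmp/LaunchAgents
# directory parameters are this example's own assumptions.

# Mitigation: make Finder always show filename extensions. Only meaningful
# on macOS; `killall Finder` makes the change take effect immediately.
show_finder_extensions() {
    if [ "$(uname -s)" != "Darwin" ]; then
        echo "show_finder_extensions: not macOS, nothing to do" >&2
        return 1
    fi
    defaults write NSGlobalDomain AppleShowAllExtensions -bool true
    killall Finder
}

# Detection: print each Imuler-B file present under the given tmp and
# LaunchAgents directories, one path per line. Returns 0 when the system is
# clean and 1 when at least one indicator is present.
imuler_indicators() {
    tmp_dir=$1
    agents_dir=$2
    found=0
    for f in "$tmp_dir/.mdworker" "$tmp_dir/CurlUpload" \
             "$agents_dir/checkvir" "$agents_dir/checkvir.plist"; do
        if [ -e "$f" ]; then
            echo "$f"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Remediation: terminate the ".mdworker" process (exact basename match, so
# the legitimate Spotlight "mdworker" is left alone), then delete the files
# reported by imuler_indicators. Order matters: kill first, then remove.
imuler_remove() {
    tmp_dir=$1
    agents_dir=$2
    ps axo pid=,comm= 2>/dev/null \
        | awk '{ n = split($2, p, "/"); if (p[n] == ".mdworker") print $1 }' \
        | while read -r pid; do
            kill "$pid" 2>/dev/null && echo "killed pid $pid" || true
          done
    imuler_indicators "$tmp_dir" "$agents_dir" | while read -r f; do
        rm -f "$f" && echo "removed $f"
    done
}

# Usage on the affected Mac:
#   sh imuler_check.sh scan     # list indicators; exit status 1 if any found
#   sh imuler_check.sh clean    # kill the process and delete the files
#   sh imuler_check.sh harden   # tell Finder to show filename extensions
case "${1:-}" in
    scan)   imuler_indicators /tmp "$HOME/Library/LaunchAgents" ;;
    clean)  imuler_remove /tmp "$HOME/Library/LaunchAgents" ;;
    harden) show_finder_extensions ;;
esac
```

Run `scan` first and keep its output; the non-zero exit status makes it easy to drop into a fleet check. The `clean` step only touches the four paths the article names, so a machine that has been cleaned reports nothing on a second `scan`.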

Mac users – learn from the mistakes of Windows users in the past. Think before you click, and don’t ever underestimate the ability of cybercriminals to exploit the most primal urges of computer users.

Hat-tip: Thanks to Xiaochuan Zhang of SophosLabs for his assistance with this article.