I’m guessing that the myth of OS X invulnerability to malware is pretty much busted by now: at any rate, there has been wave after wave of OS X-related malware reports in the past week or two. Sophos were the latest big name to weigh in on the OSX/Imuler malware that DrWeb, Intego, ESET and your humble scribe have already commented on, though Sophos calls it Imuler-B and both Intego and ESET call it Imuler.C. There’s no particular significance in that: there’s no guarantee that variant designations will be the same across all vendors for all malware. In fact, they often aren’t, and that’s inevitable since in general, detection names tend to derive from malware family classifications and individual detection algorithms rather than the names picked up by the media: once upon a time, much malware could be neatly compartmentalized into a vendor-agnostic variant listing, but those days are long gone. It’s an unfortunate artefact of the 21st century glut-ridden threat scene.
Written by
At any rate, it looks like everyone is using the same graphic from the same .ZIP, called “FHM Feb Cover Girl Irina Shayk H-Res Pics.zip”. There’s another recent example called Nangdrol.app in “Pictures and the Ariticle of Renzin Dorjee.zip” which I think only Intego has mentioned, but I guess topless models are a bigger draw than Tibetan activists, for security bloggers as well as for malware social engineering.
Strangely enough, however, it’s been suggested that there might be a connection between Imuler and the direct attacks on Tibetan activists using different malware as I mentioned at Mac Virus. The only connection I can see is the mention of Tibet, though: OSX/Olyx.B is a very different kettle of (spear)phish. The reports by SecureMac on Tibetan NGOs (non-governmental organizations) are in line with other attacks assumed to originate in China, whether or not they’re government-sponsored. As is often the case with spearphishing and APTs (let’s not get into the quagmire of definitions), those particular attacks, which are directed against PC and Mac users, are based on a mixture of social engineering and a specific software vulnerability.
The attacks are launched by a web-hosted malicious Java applet exploiting CVE-2011-3544 (an already-patched vulnerability in Java) to download and install a persistent backdoor Trojan with botnet-like C&C (command-and-control) capability. A comprehensive analysis of the Windows version of the malware has already been published by AlienVaults, which has a particular interest in the case, since the spearphishing emails points to a copy of AlienVaults’ own report on Targeted Attacks against Tibetan organizations but located on assyra.com (to which shenhuawg.com also points) and booby-trapped with Javascript.
The Java attack has also been linked to bot-generated Twitter spam targeting Tibetan activist conversations by including hashtags like “#Tibet” and “#freetibet”, presumably in order to drown out political dissent.
Meanerwhile, you may want to take a look at F-Secure's comprehensive analysis of OSX/Flashback here, though it has no particular link to the other malware mentioned above.