OSX/Imuler: update

In the Epoch Times, Jack Phillips picks up on the story I flagged here yesterday about the new Tibetan-activist-targeting version of OSX/Imuler, taking his basic material from Graham Cluley’s article for Sophos. There are a couple of minor inaccuracies: I’ve known Graham a long time, and I’m pretty sure his surname isn’t Culey; to the best of my knowledge, Intego spotted and reported the thing before Sophos; and I don’t remember anyone saying the group photographs used as bait showed the owners of infected systems.

Furthermore, while the Virus Total page Graham originally quoted did indeed suggest yesterday that only 2/44 products seemed to be detecting it, it has been updated since to show that five vendors are detecting it: DRWeb, ESET, F-Secure, Trend, and Sophos. Intego also detect it of course, but aren’t included because they don’t subscribe to the Virus Total service. You should also bear in mind that even with vendors who do cooperate directly with VT, a VT report is emphatically not an authoritative guide as to whether any product does or doesn’t detect a given malicious product, and isn’t intended to be. See an old blog article of mine on VirusTotal is not a Comparative Analysis Tool! or even this comprehensive paper by VT’s Julio Canto and myself: Man, Myth, Malware and Multi-Scanning. Bear in mind also that at the time of writing, the updated report is already over seven hours old.

However, Phillips does add an interesting new perspective, linking their report on the Trojan with commentary on the high incidence of Tibetans protesting against Chinese rule by setting fire to themselves. I’m not at all convinced that there is a direct connection, but the Epoch article did call my attention to an interesting article in the Telegraph about the use of grid-management technology – somewhat bizarrely called Skynet – to facilitate response to self-immolation incidents.

David Harley CITP FBCS CISSP