Dr. Web announces new “iWorm” malware
Published October 2nd, 2014 at 7:39 AM EDT , modified October 4th, 2014 at 7:38 AM EDT
Dr. Web announced the discovery of a new piece of Mac malware on Monday, which they are calling Mac.Backdoor.iWorm. According to their report, they believe the malware is affecting “more than 17,000 unique IP addresses.” Of course, this may not correlate well with the number of infected Macs, since most Macs do not have static IP addresses, but the number of infected Macs should at least be on the same order of magnitude.
It’s unclear from Dr. Web’s report exactly how the malware gets installed. The name “iWorm” suggests some kind of virus-like behavior. According to the report, the “dropper” (i.e., the program that installs the malware) puts the executable in a folder named JavaW in the /Library/Application Support/ folder, but this does not necessarily mean that Java is involved in any way. The name could simply be chosen as camouflage. I sought out some samples on VirusTotal, but found nothing that would shed light on this question. We’ll all just have to wait for further developments.
The dropper is also reported to create “a p-list file so that the backdoor is launched automatically,” which probably refers to a LaunchAgent or LaunchDaemon created to keep the executable running. This is a pretty standard malware behavior on Mac OS X.
Once installed, the malware does a search on Reddit to find a page containing the addresses of the command & control servers, then contacts one of those servers. Once connected to a command & control server, the Mac becomes a part of a “botnet” – a worldwide network of infected computers. This botnet can respond to a number of different commands sent by the hackers who “own” it. Botnets are typically used for attacks on servers. These attacks could take the form of DDoS (distributed denial of service) attacks, which attempt to take a server temporarily offline. They could also be attempts to hack user accounts through a brute-force attack on user passwords. There are many other possibilities, none of them nice.
Then, click the Go button. If you just get a beep, and the window displays a message in the bottom left corner that the folder can’t be found, then you should be okay.
If a Finder window opens showing the contents of this folder, you are infected. At this time, I don’t know what files get installed where, and the backdoor could allow the hackers to install custom code on your Mac anyway. So, the best thing you can do if infected is erase your Mac’s hard drive and reinstall everything from scratch, or restore from a backup made prior to the infection.
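The Finder check above only looks for the JavaW folder. The same check, plus a look for the launchd property list the dropper is reported to create, can be done from Terminal. This is an added example, not a tool from the original post or from Dr. Web; it assumes the persistence plist references the /Library/Application Support/JavaW path (the post does not say what the plist contains), and the optional root-directory argument exists only so the script can be run against a test tree rather than the live system.

```shell
#!/bin/sh
# Added example: look for the iWorm indicators named in the post.
#   1. the folder /Library/Application Support/JavaW
#   2. any LaunchAgent/LaunchDaemon plist that references that path
#      (assumption: the plist points at the JavaW folder)
# Usage: sh iworm_check.sh            # checks the live system (root "/")
#        sh iworm_check.sh /some/dir  # checks an alternate root (for testing)
# Exit status 0 = no indicator found, 1 = indicator found.

iworm_check() {
    root="${1:-}"          # empty string means the real filesystem root
    found=0

    # Indicator 1: the dropper's folder
    dir="$root/Library/Application Support/JavaW"
    if [ -d "$dir" ]; then
        echo "FOUND: $dir"
        found=1
    fi

    # Indicator 2: launchd persistence. System-wide agents/daemons plus
    # every user's LaunchAgents folder. An unmatched glob is left literal
    # by sh, so the -d test skips it.
    for plistdir in "$root/Library/LaunchAgents" \
                    "$root/Library/LaunchDaemons" \
                    "$root"/Users/*/Library/LaunchAgents; do
        [ -d "$plistdir" ] || continue
        for f in "$plistdir"/*.plist; do
            [ -f "$f" ] || continue
            # Match the full path rather than the bare word "JavaW" so a
            # legitimate Java-related plist is not flagged.
            if grep -q "Application Support/JavaW" "$f" 2>/dev/null; then
                echo "FOUND: $f references $dir"
                found=1
            fi
        done
    done

    return $found
}

# When run as a script, check the root given on the command line (or "/").
iworm_check "${1:-}" || echo "iWorm indicators present; see the paths above"
```

A clean system prints nothing and exits 0. Because the post does not yet know everything the malware installs, a hit here tells you to rebuild or restore from a pre-infection backup, as the post advises, not to delete the two items and move on.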
At this time, there are no XProtect updates that will prevent installation of this malware. In fact, because we still don’t really know how it gets installed, XProtect may or may not be able to protect against it anyway.
October 4, 2014 @ 7:37 am EST: An anonymous tip I received this morning revealed how the malware is getting installed – through illegal downloads from PirateBay. See “iWorm method of infection found!”.