
iWorm method of infection found!

Published October 4th, 2014 at 7:29 AM EDT , modified October 5th, 2014 at 1:45 PM EDT


On Thursday, I wrote about new malware called iWorm. This morning I awoke to find an e-mail waiting for me in my Inbox from someone who wished to remain anonymous. This person indicated that he had found installers for the new iWorm malware. He pointed me to the downloads offered by a user named “aceprog” on PirateBay.

On this user’s PirateBay page, I found installers for a number of different commercial products, such as Adobe Photoshop, Adobe Illustrator, Microsoft Office and Parallels. Actually downloading one of these things was a maze of clicks and redirects to adware sites, but I finally settled on installing a torrent client and using the torrent download link, which gave me a stolen copy of Photoshop CC 2014.

The item that got downloaded included some unsavory items that could be installed or opened to allow the stolen copy of Photoshop to run without a valid license, and although you couldn’t pay me to use any of these things on a real system, none of them turned out to be the problem. It turned out that the official-looking Photoshop installer had been modified:

[Screenshot: iWorm installer, showing the modified Photoshop installer's contents]

Submitting the three executable files inside the installer to VirusTotal revealed that the one titled “0” was detected by only a small handful (3) of anti-virus engines. The other two were not detected as malicious at all. Presumably the “Install” executable is legit, but I’m left wondering about the “1” item.

I wasn’t sure what to expect when opening the file. One would hope that modifications to the app would result in the app being identified by Mac OS X as damaged, since the installer was signed. (The cryptographic signature on Mac OS X apps is meant to verify that the app was made by a particular developer and that it has not been modified.) However, opening the Install app resulted in a different warning:

[Screenshot: iWorm installer 2, showing the Gatekeeper warning]

This is further puzzling, since the app appears to have a code signature. However, running “codesign -vv” on the Install app reported that the app was not signed. At this point, I overrode the Gatekeeper restrictions for this app and forced Mac OS X to run it anyway.
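A defender's version of the check described above, as an added example that is not code from the original post: it wraps Apple's `codesign` tool (macOS only) and interprets its verdict, and separately notes whether a bundle merely looks signed because it carries a `_CodeSignature` folder, which is the mismatch observed here. The `verify_app`, `classify` and `looks_signed` names are mine; the message strings are ones `codesign` actually prints on stderr.

```python
import os
import subprocess

# Phrases that `codesign --verify -vv` prints on stderr. The first is the
# verdict the post got for the Install app; the "modified" group is what a
# bundle altered after signing would normally produce.
NOT_SIGNED = "code object is not signed at all"
VALID = "valid on disk"
MODIFIED_HINTS = (
    "a sealed resource is missing or invalid",
    "main executable failed strict validation",
    "have been modified",
)


def classify(codesign_stderr: str) -> str:
    """Map codesign's stderr text to one of: unsigned, modified, valid, unknown."""
    text = codesign_stderr.lower()
    if NOT_SIGNED in text:
        return "unsigned"
    if any(hint in text for hint in MODIFIED_HINTS):
        return "modified"
    if VALID in text:
        return "valid"
    return "unknown"


def looks_signed(app_path: str) -> bool:
    """True if the bundle carries a _CodeSignature folder, i.e. it appears signed.

    The post's installer appeared signed yet codesign reported it as unsigned;
    that mismatch is what this check, combined with classify(), exposes.
    """
    return os.path.isdir(os.path.join(app_path, "Contents", "_CodeSignature"))


def verify_app(app_path: str) -> dict:
    """Run codesign (macOS only) with strict, deep verification and summarise.

    On a system without codesign the verdict is "codesign-unavailable" so the
    function still returns a well-formed result.
    """
    appears = looks_signed(app_path)
    try:
        proc = subprocess.run(
            ["codesign", "--verify", "--deep", "--strict", "-vv", app_path],
            capture_output=True, text=True, check=False,
        )
        verdict = classify(proc.stderr)
    except FileNotFoundError:
        verdict = "codesign-unavailable"
    return {
        "path": app_path,
        "appears_signed": appears,
        "verdict": verdict,
        # An app that carries signature files but fails verification is the
        # case worth escalating; a plainly unsigned app is Gatekeeper's job.
        "suspicious": appears and verdict in ("unsigned", "modified"),
    }


if __name__ == "__main__":
    import sys
    for app in sys.argv[1:]:
        print(verify_app(app))
```

Run it as `python3 check_signature.py /path/to/Install.app`; a result with `appears_signed` true and a verdict of `unsigned` or `modified` is the combination that should stop an install, whatever Gatekeeper's dialog says.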

The very first thing that happened when I opened the app was that I was asked for my admin password. I provided it, and an official-looking Adobe installer started up, but by then the damage was done. The instant I provided the password, the iWorm malware was installed.

Looking at fs_usage output (which provides detailed information on file system activity – such as file and folder creation), it appears that the only things added to the system by the “0” executable are the following items:

/Library/Application Support/JavaW/JavaW
/Library/LaunchDaemons/com.JavaW.plist

The com.JavaW.plist file simply runs the JavaW process at startup, ensuring that the malware is constantly running in the background.
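To turn the two persistence artifacts above into a check a defender can run, here is an added example (mine, not code from the original post). It parses every plist in /Library/LaunchDaemons with the standard-library plistlib, flags the exact paths the post names, and more generally lists any daemon whose program lives under /Library/Application Support for review. The function names and the constructed sample plists are assumptions of this example; only the two JavaW paths come from the post.

```python
import os
import plistlib
import tempfile

# Indicators taken from the post. Everything else below is general logic.
IWORM_PLIST_NAMES = {"com.JavaW.plist"}
IWORM_PROGRAMS = {"/Library/Application Support/JavaW/JavaW"}


def program_of(job: dict):
    """Return the executable a launchd job starts (Program, else ProgramArguments[0])."""
    program = job.get("Program")
    if isinstance(program, str):
        return program
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def assess(plist_name: str, job: dict) -> list:
    """List reasons a LaunchDaemon deserves attention; an empty list means nothing noted."""
    reasons = []
    program = program_of(job)
    if plist_name in IWORM_PLIST_NAMES:
        reasons.append("plist name matches the iWorm indicator from the post")
    if program in IWORM_PROGRAMS:
        reasons.append("program path matches the iWorm indicator from the post")
    elif program and program.startswith("/Library/Application Support/"):
        # Not malicious by itself (vendors do this too), but worth a look: it is
        # where the iWorm binary was dropped and it is outside the system paths.
        reasons.append("daemon runs a binary from /Library/Application Support")
    return reasons


def scan_launch_daemons(directory: str = "/Library/LaunchDaemons") -> list:
    """Parse every .plist in the directory and return the ones assess() flagged."""
    findings = []
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as fh:
                job = plistlib.load(fh)
        except Exception as exc:  # a plist launchd cannot read is itself worth noting
            findings.append({"plist": name, "program": None, "reasons": [f"unparseable: {exc}"]})
            continue
        if not isinstance(job, dict):
            job = {}
        reasons = assess(name, job)
        if reasons:
            findings.append({"plist": name, "program": program_of(job), "reasons": reasons})
    return findings


def make_sample_dir() -> str:
    """Constructed fixture, not real data: a temp dir holding three plists.

    One mirrors the layout the post describes (run JavaW at startup), one is a
    benign system-style daemon, one is a vendor helper in /Library/Application Support.
    """
    directory = tempfile.mkdtemp(prefix="launchdaemons-")
    samples = {
        "com.JavaW.plist": {
            "Label": "com.JavaW",
            "ProgramArguments": ["/Library/Application Support/JavaW/JavaW"],
            "RunAtLoad": True,
        },
        "com.example.benign.plist": {
            "Label": "com.example.benign",
            "Program": "/usr/libexec/example-daemon",
            "RunAtLoad": True,
        },
        "com.example.vendor.plist": {
            "Label": "com.example.vendor",
            "ProgramArguments": ["/Library/Application Support/ExampleVendor/helper", "--daemon"],
            "KeepAlive": True,
        },
    }
    for name, job in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            plistlib.dump(job, fh)
    return directory


if __name__ == "__main__":
    for finding in scan_launch_daemons():
        print(finding)
```

The general rule (a daemon running from /Library/Application Support) is deliberately reported as something to review rather than as malware, since legitimate products install helpers there; the two JavaW paths are the only hard indicators the post supports.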

I reset my test system to a clean state, then ran the installer again, but this time I clicked the Cancel button when asked for my admin password. In this case, the malware was not installed at all.

There has been some speculation that a Java vulnerability may be involved, probably based on the “JavaW” name. However, at this point, it looks like this is far more prosaic. It’s just a trojan in the form of pirated software that has been modified.

The moral of the story? Never engage in software piracy. This single piece of malware is FAR from the only thing you can get infected with while installing stolen software. Torrents and sites like PirateBay should be avoided at all costs. If you cannot afford to pay for a piece of software or a movie or something similar, do without. Downloading such things for free often comes with LOTS of strings attached.

I am also submitting this to Apple’s product security team… hopefully we will see an update to XProtect shortly.

Updates

October 5, 2014 @ 7:48 am EST: I woke up this morning to find that Apple had released an XProtect update overnight. It now includes definitions for iWorm.A, iWorm.B and iWorm.C. The iWorm.A hash matches the “install” executable file in my sample, and testing shows that my sample will no longer install on a system with up-to-date XProtect definitions. I don’t know what the other two definitions match yet.

Also, I received further information from my anonymous tipster that this malware won’t install if the folder /Library/Little Snitch/ is present (i.e., if Little Snitch is installed). However, I wasn’t able to verify this in testing… the malware installed just fine with Little Snitch installed. This may be a behavior exhibited by some variants of this malware, but not others. Or there could have been something uniquely different about my testing and his testing that caused the variation in behavior.

October 5, 2014 @ 1:41 pm EST: A clarification… the malware still gets installed with Little Snitch installed, but it will apparently bail out immediately when it runs.
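A way to answer the question that comes up repeatedly in the comments (whether a given Mac has the XProtect update that added the iWorm definitions), as an added example rather than code from the post: it reads the two files named in the comments, compares the version in XProtect.meta.plist with the numbers quoted there for October 2014, and lists any definition whose description mentions iWorm. The layout it assumes for those files (an integer `Version` key in the meta file, and an array of entries each carrying a `Description` string in XProtect.plist), the `OSX.iWorm.*` description strings and the constructed sample files are assumptions of this example.

```python
import os
import plistlib
import tempfile

XPROTECT_DIR = "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources"
# Versions quoted in the post's comments for the October 2014 update.
EXPECTED_VERSION = {"Mountain Lion or later": 2050, "Lion": 1060, "Snow Leopard": 75}


def read_plist(path: str):
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def definitions_matching(definitions, needle: str = "iWorm") -> list:
    """Return the Description of every definition entry whose description mentions needle."""
    if not isinstance(definitions, list):
        return []
    hits = []
    for entry in definitions:
        desc = entry.get("Description", "") if isinstance(entry, dict) else ""
        if needle.lower() in str(desc).lower():
            hits.append(desc)
    return hits


def xprotect_status(directory: str = XPROTECT_DIR, expected_version: int = 2050,
                    needle: str = "iWorm") -> dict:
    """Summarise whether the definitions in `directory` are current and cover `needle`."""
    meta = read_plist(os.path.join(directory, "XProtect.meta.plist"))
    definitions = read_plist(os.path.join(directory, "XProtect.plist"))
    version = meta.get("Version") if isinstance(meta, dict) else None
    hits = definitions_matching(definitions, needle)
    return {
        "version": version,
        "up_to_date": isinstance(version, int) and version >= expected_version,
        "matching_definitions": hits,
        "covered": bool(hits),
    }


def make_sample_dir(updated: bool = True) -> str:
    """Constructed fixture: a temp dir holding the two files in the assumed layout.

    updated=True mimics a Mac with the October 2014 update; False mimics a stale one.
    """
    directory = tempfile.mkdtemp(prefix="xprotect-")
    version = 2050 if updated else 2049
    definitions = [{"Description": "OSX.ExampleOlder.A", "Matches": []}]
    if updated:
        definitions += [{"Description": f"OSX.iWorm.{letter}", "Matches": []} for letter in "ABC"]
    with open(os.path.join(directory, "XProtect.meta.plist"), "wb") as fh:
        plistlib.dump({"Version": version}, fh)
    with open(os.path.join(directory, "XProtect.plist"), "wb") as fh:
        plistlib.dump(definitions, fh)
    return directory


if __name__ == "__main__":
    print(xprotect_status())
```

On a real machine run it without arguments and pass `expected_version=1060` or `75` for Lion or Snow Leopard; a result with `up_to_date` true but `covered` false would mean the version check alone is not telling you what you want, which is why the script reads both files.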


48 Comments

  • Chas4 says:

    It can also be in legal software too. If the build machine is infected, some malware will attach itself to the software being compiled, or the site gets infected; there are many ways.

    • Thomas says:

      There’s no sign from my testing that this is actually infecting other apps and spreading in a virus-like fashion. That said, there’s certainly nothing preventing this malware from also being distributed within legal apps, in much the same manner that a lot of adware is being distributed right now. There’s also the possibility that the hackers could send a command out to the botnet to make modifications to other apps, once the malware is installed.

      • Chas4 says:

        A friend of mine was grabbing a game mod (for a Windows game) and one download had malware, the other didn’t. It has happened to other programs; they would get hijacked on the computer that is doing the build (it may be hidden or stolen code and re-uploaded).

  • Ian MacGregor says:

    Thank you for this! I’ve always said that users should never touch pirated apps and this proves my point.

  • John says:

    Just want to say “thank you”! As a soon to be former Genius, I really appreciate your work.

  • Patrick says:

    My question is, if they know that it’s getting botnet instructions from the Minecraft servers, why don’t they shut down the Minecraft server? I know Minecraft is a popular game and all, but if its servers are being used for criminal activity, it should be shut down or some other remedy should be used to stop the criminal activity. I know they will just move on to another location, and when we find that location we should shut it down as well.

    • Thomas says:

      It’s not actually using a Minecraft server, it’s using a Reddit page that identifies itself as a Minecraft server list. I believe that Reddit has taken the page down at this point, but the malware could possibly have some alternates still out there, and new variants could use a different page.

    • Dennis in Japan says:

      Whack a mole!

      Band-aid solutions need to be followed up with a more permanent remedy.

  • Jay says:

    Great find. As far as I know this is the first actual installer that causes infection. Makes you wonder; out of the 17.000 infected Macs how many were infected by illegally downloaded software.

    • Robert says:

      Probably ALL of them. That is the only way this works. Download pirated software. Give it admin permissions to install. You are now infected. This isn’t an Apple OSX problem. This is a PEOPLE problem.

  • wot says:

    I have a thousand-plus dollars of pirated software on my computer and am never looking back.

    • Thomas says:

      It boggles the mind how someone could brag about an amazingly stupid, illegal and immoral activity…

    • Kurt says:

      Wow! What a moron! Let’s see how great you think your illegal activities are when your bank accounts are wiped out by the IDs and passwords stolen via the key loggers you installed. Or even better, complete identity theft. Yeah, that would be great, wouldn’t it?!

  • Jon says:

    Can you provide links to the virustotal scans? Thanks!

  • Jim says:

    I know software can be dangerous but how are movies an avenue to install unwanted viruses?

    • Thomas says:

      Illegal movie streaming sites have been one of the top sources for Mac adware recently. They generally refer you to some software that is “required” to view the movies.

  • Robert.Walter says:

    6 months to a year ago we installed viooz on our Macs and then thought better of it. Haven’t used it since the first and single time. Always wondered if this was a legit service or a Trojan. Anybody have input on legitimacy and, if not legit, how to scan for malware?

    • Thomas says:

      Any site that purports to allow you to watch commercial movies for free is a scam, and is aiming to profit by exploiting you, the user. Avoid such sites, always!

  • Charles. says:

    Is there a way to check the status of XProtect to see if it’s been updated? Or maybe a way to manually update it? I work with many clients with proxies… so I don’t know if the update has been applied. TIA!

    • Thomas says:

      You can find the XProtect signatures here:

      /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

      If that file has been modified since yesterday or later, you’ve been updated. You can also look at the version information in the XProtect.meta.plist file, in the same folder – Mountain Lion and above should currently be version 2050, Lion version 1060 and Snow Leopard version 75.

      • Bruce says:

        Are these hidden files? I enter this in find and nothing happens. (Mavericks with all updates.)

        • Colleen Thompson says:

          “Are these hidden files? I enter this in find and nothing happens. (Mavericks with all updates.)”

          By default, Spotlight does not search in the System folder. Just follow the path to check your version. You’ll have to right-click on the bundle to get at the Contents.

          Alternatively, in the finder choose Go menu/Go To Folder and enter

          /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/

      • Phil says:

        Thomas,

        Thank you for these tips on where to look, in Yosemite beta 4. I had been looking all over trying to find the right way to find out whether the XProtect.plist had been updated, but had been looking at the XProtect.meta.plist, which seemed to have only five entries: three to force updates to Java (I think) and two to force updates to Flash (again, I think). Looking at this was quite disheartening, as it had no real updates in it, and it had the 2050 version listed.

        However, the installed XProtect.plist had a date of 10/04/2014 and indeed had the iWorm.A, iWorm.B and iWorm.C. definitions plus what I assume are all the previous definitions that Apple has supplied.

        I think it would be worthwhile for you to perhaps post something showing where these files are, as well as what one can expect when looking at them. I was not worried about being infected, since your previous posts talked about the JavaW signatures, and I had already looked for those. But many of us, I think would like to confirm that our Macs have been correctly updated to guard against this terrible worm.

        Best regards,

        Phil

  • Lewis says:

    How can I clean up my Mac after I removed the Pirate Bay software? Or do I need to re-install OS X?

    • Thomas says:

      If you have installed something from PirateBay, or any other piracy site or torrent, your system should be considered compromised. Even if you don’t have the iWorm malware, it’s always possible you’ve got something else nasty installed after installing something being distributed by a criminal hacker. My recommendation in such a case would always be to erase and reinstall.

  • Bruce says:

    In Finder, Go > Go to Folder, paste:

    /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/

    Scroll to the bottom and open XProtect.plist.

    It should show a reference to iWorm.

    Mine does.

  • Charles says:

    Still looking for a way to manually update XProtect… I see references about a terminal launch command from back in 2011, but it’s not working now, at least not in 10.9. I support many users behind proxies and have been looking at the .plist date, and many are dated September, back to even July. I’d sure like to manually update these computers. TIA.

    • Thomas says:

      Unfortunately, there is no way to manually force an update in 10.9. This is a source of endless frustration for me, since that means that when an XProtect update is released and I want to test some malware against it, I have to just let my test system run for a while, until it finally decides to get the update.

      As for the machines that aren’t updating, do they have the “Install system data files and security updates” box checked in System Preferences -> App Store? If not, that should be checked.

  • Gavin says:

    If you don’t mind my asking, has there been any news about what ZeoBits are doing with clamxavDOTorg?

    I accidentally went there instead of clamxav.com (but didn’t click on anything once I’d realized my mistake). Thank you.

    • Thomas says:

      No idea… there’s no evidence at this point that Zeobit still owns the domain, but whether they do or don’t, it’s a scam site regardless. Avoid it entirely!

      • fetch says:

        Did you find anything malicious on the *.org site, or do you just not like fake domains?

        • Thomas says:

          I have not investigated it lately. At one time it directed users who clicked the “Download” button on a fake ClamXav review to the MacKeeper site. This no longer happens, but the site is still a fake ClamXav review site, and thus is not to be trusted.

    • Al Varnell says:

      The site used to belong to a ZeoBIT advertising partner who was obviously much too aggressive in attempts to promote the original MacKeeper. The worst thing it ever did was download MacKeeper when you clicked the Big Green Button. Later they added a much smaller link to ClamXav and eventually the Big Green Button disappeared entirely.

      If you click the link to “Click here to download ClamXav” it now takes you to the actual ClamXav[dot]com download page.

      The site has no history of ever having served malicious software on Google Safe Browsing, BitDefender or any of the VirusTotal scanners.

      I’m at a loss as to why the site is still being paid for.

      • Gavin says:

        Thank you again, Mr Varnell, for your help on the ClamXav forums a little earlier (I’m that Gavin).

        As it happens, I accidentally visited clamxavDOTorg yesterday, which is what started this conversation. (Never type a URL from memory is I suppose the lesson.) I think it’s the most likely site for me to have visited that gave rise to the ClamXav detections that you helped me with today. Because I’d had the previous problem that morning and had scanned those folders at that point, I can be pretty certain that I have to have visited the offending site yesterday afternoon or evening. This doesn’t give me all that long a list of possibilities.

        Using a site designed originally to scam Mac users is maybe an odd strategy to spread Windows malware, but what do I know?

  • Austin says:

    Two questions:

    1. I tried to look at my XProtect signatures by following the path: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist, but I could not access the signatures.
    I even put the path in the go to folder option and it still didn’t work. Is there another way of opening the list up to check if I got the release?

    2. I looked at my updates, and the last time I had any new updates to install was on Sept. 24th. (I think that I didn’t receive an XProtect definition update.) Is there a way to get my system to recognize there is an update available, and search for and download the update? If not, is there a place on the apple website where I could manually download and update the definitions? (I looked but couldn’t find anything.)

    Sorry for all the questions. Thanks for your help.

    • Thomas says:

      Well, there are three possibilities that come to mind. One is that you have a version of Mac OS X that is too old. This was introduced in Mac OS X 10.6.0 (Snow Leopard). If you have an older system, you don’t have XProtect.

      Another possibility is that your system is damaged somehow. How that may have happened is impossible to predict.

      The third option is that you have done something wrong. For example, many people want to enter this path in the search box in a Finder window, but that doesn’t work… you must use Go -> Go to Folder. Or, you may have tried to type the path in and introduced an error.

      As for a specific address on Apple’s site where the updates can be found, such a thing does exist, but I don’t know that Apple wants it to be widely publicized. There must be a reason that they took away the ability to force an update, and that may have been that many people were frequently forcing updates and causing a lot of traffic on that server. I’d prefer not to publicize that here.

      • actionmarker says:

        Hi Thomas,

        Congratulations for the dedicated work that you do here.

        Just as a suggestion, if some users are not comfortable with drilling right down into Finder to see if they have the latest XProtect update, they can always look in System Information > Software > Installations and look for the XProtectPlistConfigData entries. System Information is of course accessed either by the Applications > Utilities folder, or by the Apple menu > About This Mac.

        It won’t tell the user which version number was installed, but at least it will give them the date it was installed. As the updates are generally few and far between, it’s not hard to tell if the latest version has been installed.
