Dr. Web announces new “iWorm” malware

Published October 2nd, 2014 at 7:39 AM EDT , modified October 4th, 2014 at 7:38 AM EDT

Dr. Web announced the discovery of a new piece of Mac malware on Monday, which they are calling Mac.Backdoor.iWorm. According to their report, they believe the malware is affecting “more than 17,000 unique IP addresses.” Of course, this may not correlate well with the number of infected Macs, since most Macs do not have static IP addresses, but the number of infected Macs should at least be on the same order of magnitude.

It’s unclear from Dr. Web’s report exactly how the malware gets installed. The name “iWorm” suggests some kind of virus-like behavior. According to the report, the “dropper” (i.e., the program that installs the malware) puts the executable in a folder named JavaW in the /Library/Application Support/ folder, but this does not necessarily mean that Java is involved in any way. The name could simply be chosen as camouflage. I sought out some samples on VirusTotal, but found nothing that would shed light on this question. We’ll all just have to wait for further developments.

The dropper is also reported to create “a p-list file so that the backdoor is launched automatically,” which probably refers to a LaunchAgent or LaunchDaemon created to keep the executable running. This is a pretty standard malware behavior on Mac OS X.

Once installed, the malware does a search on Reddit to find a page containing the addresses of the command & control servers, then contacts one of those servers. Once connected to a command & control server, the Mac becomes a part of a “botnet” – a worldwide network of infected computers. This botnet can respond to a number of different commands sent by the hackers who “own” it. Botnets are typically used for attacks on servers. These attacks could take the form of DDoS (distributed denial of service) attacks, which attempt to take a server temporarily offline. They could also be attempts to hack user accounts through a brute-force attack on user passwords. There are many other possibilities, none of them nice.

To check to see if you are infected, go to the Finder and choose Go to Folder from the Go menu. Copy the following path and paste it into the window that opens:

/Library/Application Support/JavaW

Then, click the Go button. If you just get a beep, and the window displays a message in the bottom left corner that the folder can’t be found, then you should be okay.

If a Finder window opens showing the contents of this folder, you are infected. At this time, I don’t know what files get installed where, and the backdoor could allow the hackers to install custom code on your Mac anyway. So, the best thing you can do if infected is erase your Mac’s hard drive and reinstall everything from scratch, or restore from a backup made prior to the infection.
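The same check can be scripted. The following is an added example, not code from the original post: it tests for the /Library/Application Support/JavaW folder named above and also looks through the launchd property lists for anything that references that folder, since the post says the dropper creates a plist for persistence. The post does not give the plist’s name or contents, so matching on the folder path string is an assumption; the ROOT argument exists so the check can be run against a mounted volume or a test tree.

```shell
#!/bin/sh
# Added example (not from the original post). Looks for the iWorm indicator
# described in the article and for a launchd plist pointing at it.
# Usage: iworm_check [ROOT]   (ROOT defaults to "/", i.e. the running system)
# Exit status: 0 = no indicators found, 1 = at least one indicator found.

iworm_check() {
    root="${1:-/}"
    found=0

    # Indicator 1: the folder the dropper is reported to create.
    dir="$root/Library/Application Support/JavaW"
    if [ -d "$dir" ]; then
        echo "INDICATOR: $dir exists"
        ls -la "$dir"
        found=1
    fi

    # Indicator 2 (assumption): a LaunchAgent or LaunchDaemon plist whose
    # contents mention the JavaW folder. The path is stored as a plain string
    # even in binary plists, so a plain grep is enough here.
    for d in "$root/Library/LaunchAgents" "$root/Library/LaunchDaemons"; do
        [ -d "$d" ] || continue
        for plist in "$d"/*.plist; do
            [ -f "$plist" ] || continue
            if grep -q "Application Support/JavaW" "$plist" 2>/dev/null; then
                echo "INDICATOR: $plist references the JavaW folder"
                found=1
            fi
        done
    done

    if [ "$found" -eq 0 ]; then
        echo "No iWorm indicators found under $root"
    fi
    return "$found"
}
```

Run it as root so the /Library/LaunchDaemons listing is readable; a clean system prints a single “No iWorm indicators found” line and exits 0.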

At this time, there are no XProtect updates that will prevent installation of this malware. In fact, because we still don’t really know how it gets installed, XProtect may or may not be able to protect against it anyway.

Updates

October 4, 2014 @ 7:37 am EST: An anonymous tip I received this morning revealed how the malware is getting installed – through illegal downloads from PirateBay. See “iWorm method of infection found!”.

17 Comments

  • Cyril says:

    I checked….I’m good

  • Jay says:

    It also leaves a file in /private/var/root/.JavaW as the directory is restricted so far not a single AV in my test has picked up on that file. Not sure if it helps the persistence of iWorm but if it does, hiding in that directory will beat all AV. Interestingly the admin account doesn’t have access yet iWorm managed to get a file in there. Perhaps a root exploit of some kind?

  • Tim says:

    Dr. Web’s site includes a special footnote that if you purchase Dr. Web now, you will be protected from this worm. That old trick. Should we put our trust in Russian companies at this time?

    • Thomas says:

      That’s not really a trick, it’s standard operating procedure for any anti-virus company announcing new malware. They’ll always say that their product protects against the new malware.

      As for whether we can trust Russian companies, it’s definitely wise to be cautious about Russian sites, but Dr. Web is legit. Not everyone in Russia is engaged in illegal hacking, and Dr. Web has done more to protect the Mac community from malware than some U.S. security companies.

  • Adam says:

    There is a Javaws.1 and a MD5 in older Mac so look close.

  • Robert Patrick Hartle says:

    I found one file labeled Javaws.1 and a whole bunch of stuff with MD5 in the name… should I delete these… used show system files when searching for both… please help!! thank you!! MacAwesome88 Also Q on Apple support communities under same name…

    • Thomas says:

      MD5 is a legit command-line tool that is installed on Mac OS X (and every other Unix-based operating system). It is not part of this malware, and if you remove anything with MD5 in the name from your computer, you’ll be damaging the system.

      I believe that Adam’s point is that there is a legit tool named “javaws” and not to confuse that with this malware. I’m not sure why he mentioned MD5.

    • Al Varnell says:

      Several of us have left notes for you on the ASC asking for more information, etc. Please try to answer them as quickly as you can as you are the only infected user we have been able to find.

  • Robert Patrick Hartle says:

    I found all of these in a folder called sbin…. What are they, and should I leave them be or delete them?

    [list of files removed]

    • Al Varnell says:

      STOP!

      All of what? There is only one file listed in the article and when more are confirmed the article will be updated. You should not be deleting anything unless you want to brick your Mac by disabling what are clearly system level files. If you don’t have /Library/Applications Support/JavaW/ then go back to whatever you were doing before you read this and don’t give it another thought. There are only a small fraction of Mac users affected at the moment and I’ve only been able to locate one who seems to have been infected.

      If you really worry that you might be next, then set up a folder action to alert you when something new is added to /Library/Applications Support/ and you’ll be the first to know:
      http://jacobsalmela.com/roll-defense-mac-backdoor-iworm/.

  • Mikeal St. Ayre says:

    Does anyone know the vector for this worm? Where it came from? Where it has been found? I would love to know so as to avoid it, and inform my clients to do the same. But I can find no hint, or clue, or trace.

  • Floyd Pierce says:

    I checked on my iMac running 10.6.8 and no such file was found, thankfully!!

  • Noreen Hetro says:

    I checked I am good

  • Steve says:

    Amazing, this is a handy online site.

  • Julia says:

    I have it 🙁
    I knew something was going on these past few days: slow, not going to some sites, looked on router and discovered smurf packet attacks and some other strange things and then not being able to access wifi.
    Installed Sophos and the second scan caught it. I’m scanning again but suspect I’m not out of the woods.
    So disappointed that my Mac got infected—was a good run though, all these years never encountering problems like my Windows computer 🙂

  • Casey says:

    Yuk. I have it too. I know that I will need to erase the drive and start over, however, are my personal files, pictures, word documents, PDF’s etc all going to have to be deleted as well, or can I skim them off and download them again onto the new IOS? Has any other way been detected yet to cleanse the system rather than just starting over? What else do I need to do to protect myself as of now?