'iWorm' malware controls Macs via Reddit, more than 17K affected
Security researchers recently discovered that more than 17,000 Macs around the world have been infected by a new OS X malware threat called "iWorm," which at one point used Reddit.com as a go-between to cull user data, perform various system actions and execute Lua scripts.
Entered into the virus database of Russian research firm Dr. Web as "Mac.BackDoor.iWorm," the new threat is described as a complex multi-purpose backdoor capable of issuing a variety of commands to be carried out by an affected host Mac. Among the operations available to the malware are data gathering and limited system remote control.
After iWorm installs, it creates an operating file, opens a port to request a list of control servers and connects, awaiting further instructions. Unique to this particular piece of malware is its use of Reddit.com's search service to retrieve the botnet server list, which until recently was disguised in a comment to the post "minecraftserverlists."
The Reddit string has since been shut down, but iWorm's creators likely set up another server list through an alternate search service that has yet to be discovered.
Once iWorm connects with a command and control server, the backdoor pulls in instructions via binary data or the Lua programming language. Alternatively, connected servers can send over another bit of malware to further compromise the affected machine.
iWorm itself can gather and send off sensitive user information, set parameters in configuration files, perform GET queries, put a Mac to sleep, ban nodes and perform nested Lua scripts, among other backdoor operations.

Individual ISPs affected by iWorm as of late September.
Because iWorm extracts into a folder on OS X, users can check if their Mac is infected by navigating to "Go > Go to Folder" from the OS X Finder menu and typing in "/Library/Application Support/JavaW". If OS X cannot find the folder, the computer is clear. If the folder is found, however, users are urged to employ an anti-virus program to wipe iWorm from their hard drive. According to Dr. Web's statistical analysis of iWorm, the malware has infected some 17,658 Macs worldwide as of Sept. 26.
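The folder check described above, scripted as an added example (not code from the article or from Dr. Web). The optional ROOT prefix is an assumption of this example so the same check can be pointed at another mounted volume or a test directory.

```shell
#!/bin/sh
# Added example: look for the iWorm drop folder named in the article and, if it
# is present, print a triage listing. ROOT (assumed, optional) is prepended to
# the path so a second volume or a scratch directory can be inspected.

IWORM_DIR="/Library/Application Support/JavaW"

# check_iworm_folder [ROOT]
# Returns 0 and prints a listing when the indicator folder exists under ROOT,
# 1 when it does not. ROOT defaults to "" (the running system).
check_iworm_folder() {
    root="${1:-}"
    target="${root}${IWORM_DIR}"
    if [ -d "$target" ]; then
        echo "FOUND: $target"
        # Owner, permissions and timestamps help establish when it appeared.
        ls -la "$target"
        return 0
    fi
    echo "not found: $target"
    return 1
}

# count_iworm_files [ROOT]
# Prints the number of entries inside the folder (0 when it is absent), so an
# empty leftover directory can be told apart from a populated one.
count_iworm_files() {
    target="${1:-}${IWORM_DIR}"
    [ -d "$target" ] || { echo 0; return 0; }
    find "$target" -mindepth 1 | wc -l | tr -d ' '
}

# Stand-alone run: check the live system (or the ROOT given as first argument).
check_iworm_folder "$@" || :
```

This tests only the single folder indicator the article names; a variant that drops its files elsewhere would not be caught by it.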
Comments
This never would have happened if Apple hadn't ditched PPC.
This is all Tim Cook's fault, he's killing Apple.
/s
There, I got the potential stupidity out of the way.
Now, my MBA is too slow to take advantage of (2008 model) and my Mac Pro is off 97% of the time. Unless they infected my G4 Cube I think I'm safe.
how is this even happening?
I don't have this JavaW folder on my Mac running Yosemite.
because 3B Apple paid for stupid Beats!!
/s
Russian firm discovered it eh? ... probably Kaspersky behind this in the first place, paid by Scammy and Google ... OK I'm kidding. Then again .....
Exactly, they had to put in their Mac's password to install it unless the Earth shifted on its axis. There was a ready made VM of Yosemite out a while back on the dark net and we suspected it was a trojan. Unable to resist seeing if it was, we tested it. It was; we ran it in a very safe environment but it was fun to watch it trying to open ports and make connections. If anyone actually ran it on a normal Mac they would have been naked in minutes.
Thanks, techies.
I wish AI would simply put one sentence into the article stating that you have to download and install this software with a password.
http://news.drweb.com/show/?i=5977&lng=en
FWIW BitDefender says they've identified some other variations of it.
It'll be interesting to see if this article gets more comments than that of the latest Samsung ad.
Malware NOT virus ... calm down, people.
I think malware is a term that describes all malicious software from adware all the way up to viruses that can steal and delete data and replicate across the network. If the creators named it iWorm, they clearly think it is very nasty indeed.
I agree the infected users are likely self-inflicted but in a way Apple is responsible because they have created a false sense of security that Macs are not susceptible to viruses. Then the users go clicking on phishing links because they are naive or just stupid.
Good fracking grief, if people infect their own machines and put their own credentials (which of course they use on every site in the world) into that software, there is nothing you can do about it, EVER!
An antivirus or antimalware can only help you if what is run is not off the boat new. It is not that hard to modify the signature of whatever and those anti-virus or anti-malware software won't detect it. There's a substantial chance you'll run into new malware or a virus. I've reported a few new ones in the last 15 years.
The best thing for security is sandboxing everything (can use a VM), strict user access control to resources of all kinds (so your VM is not used to sniff the network for example, even if it is compromised) and education of users telling them: don't be stupid. A sandbox won't help if you are phished and give away your password.
That this spread through reddit lowers my already low opinion of this site.
In what bizarro universe does creating an almost virus proof system make someone more responsible for the rare exception?
I guess seatbelts are to be blamed for traffic fatalities, and Microsoft must be doing us all a favor by not fixing security issues with their software.
A "worm" is SELF-spreading malware.
IF this is just a trojan--(essentially, simply a lie--which every OS will always be vulnerable to)—then this is just the latest Mac FUD False Alarm.
In which case, naming the trojan with "worm" in the name does not a worm make. I could release a word processor called "WormWrite" but that wouldn't mean I had created the first real-world successful Mac malware!
So how DOES it spread, exactly? Does it need to convince the user to give up their password?
F*ck this lack of security on the Mac.
I run a professional business. I need to know that my operating system of choice is secure, reliable, and receives regular updated new features.
I'm moving to Windows.
I'm not placing any blame on Apple technology, it is maybe Apple marketing. Sort of like those new car commercials that show cars automatically applying the brakes when it detects dangerous situations. Some foolish people might think they no longer need to wear their seat belts.
Now you know why Apple locks down its iOS devices.