'iWorm' malware controls Macs via Reddit, more than 17K affected

Posted:
in macOS edited October 2014
Security researchers recently discovered that more than 17,000 Macs around the world have been infected by a new OS X malware threat called "iWorm," which at one point used Reddit.com as a go-between to cull user data, perform various system actions and execute Lua scripts.


Screenshot of Reddit.com post hosting iWorm's C&C server list. | Source: Dr. Web


Entered into the virus database of Russian research firm Dr. Web as "Mac.BackDoor.iWorm," the new threat is described as a complex multi-purpose backdoor capable of issuing a variety of commands to be carried out by an affected host Mac. Among the operations available to the malware are data gathering and limited system remote control.

After iWorm installs, it creates an operating file, opens a port to request a list of control servers and connects, awaiting further instructions. Unique to this particular piece of malware is its use of Reddit.com's search service to retrieve the botnet server list, which until recently was disguised in a comment to the post "minecraftserverlists."

The Reddit string has since been shut down, but iWorm's creators likely set up another server list through an alternate search service that has yet to be discovered.

Once iWorm connects with a command and control server, the backdoor pulls in instructions via binary data or the Lua programming language. Alternatively, connected servers can send over another bit of malware to further compromise the affected machine.

iWorm itself can gather and send off sensitive user information, set parameters in configuration files, perform GET queries, put a Mac to sleep, ban nodes and perform nested Lua scripts, among other backdoor operations.


Individual ISPs affected by iWorm as of late September.


Because iWorm extracts into a folder on OS X, users can check if their Mac is infected by navigating to "Go > Go to Folder" from the OS X Finder menu and typing in /Library/Application Support/JavaW. If OS X cannot find the folder, the computer is clear. If the folder is found, however, users are urged to employ an anti-virus program to wipe iWorm from their hard drive.

According to Dr. Web's statistical analysis of iWorm, the malware as infected some 17,658 Macs worldwide as of Sept. 26.
«13456

Comments

  • Reply 1 of 118
    This never would have happened if Steve were still here.

    This never would have happened if Apple hadnt ditched PPC.

    This is all Tim Cook's fault, he's killing Apple.

    /s


    There, I got the potential stupidity out of the way.

    Now, my MBA is too slow to take advantage of (2008 model) and my Mac Pro is off 97% of the time. Unless they infected my G4 Cube I think I'm safe. :D
  • Reply 2 of 118
    calicali Posts: 3,494member
    wow Macs being infected by something.
    how is this even happening?
  • Reply 3 of 118
    It's a Java bug.
    I don't have this JavaW folder on my Mac running Yosemite.
  • Reply 4 of 118
    calicali Posts: 3,494member
    This never would have happened if Steve were still here.

    This never would have happened if Apple hadnt ditched PPC.

    This is all Tim Cook's fault, he's killing Apple.

    /s


    There, I got the potential stupidity out of the way.
    forgot one:

    because 3B Apple paid for stupid Beats!!

    /s
  • Reply 5 of 118
    bsenkabsenka Posts: 799member
    By "infected", you mean people installed it on their own Macs thinking it was pirated software, right?
  • Reply 6 of 118
    MacProMacPro Posts: 19,718member
    Malware NOT virus ... calm down people. Last thing I'd do is install a bloody anti virus program on a Mac. I do use Little Snitch and practice safe [S]sex[/S] err ... internet activity.

    Russian firm discovered it eh? ... probably Kasperky behind this in the first place, paid by Scammy and Google ... OK I'm kidding. Then again .....
  • Reply 7 of 118
    MacProMacPro Posts: 19,718member
    bsenka wrote: »
    By "infected", you mean people installed it on their own Macs thinking it was pirated software, right?

    Exactly, they had to put in their Mac's password to install it unless the Earth shifted on its axis. There was a ready made VM of Yosemite out a while back on the dark net and we suspected it was a trojan. Unable to resist seeing if it was, we tested it .. It was, we ran it in a very safe environment but it was fun to watch it trying to open ports and make connections. If anyone actually ran it on a normal Mac they would have been naked in minutes.
  • Reply 8 of 118
    bsenka wrote: »
    By "infected", you mean people installed it on their own Macs thinking it was pirated software, right?

    Exactly, they had to put in their Mac's password to install it unless the Earth shifted on its axis. There was a ready made VM of Yosemite out a while back on the dark net and we suspected it was a trojan. Unable to resist seeing if it was, we tested it .. It was, we ran it in a very safe environment but it was fun to watch it trying to open ports and make connections. If anyone actually ran it on a normal Mac they would have been naked in minutes.

    Thanks, techies.

    I wish AI would simply put one sentence into the article stating that you have to download and install this software with a password.
  • Reply 9 of 118
    gilly33gilly33 Posts: 433member
    Thanks techies as well. 'Cause I was all ready to type that "Go>Go..." command.
  • Reply 10 of 118
    gatorguygatorguy Posts: 24,176member
    Details page here for those few interested:
    http://news.drweb.com/show/?i=5977&lng=en

    FWIW BitDefender says they've identified some other variations of it.
  • Reply 11 of 118
    iWorm. Designed by Apple in Cupertino.
  • Reply 12 of 118
    droidftwdroidftw Posts: 1,009member

    It'll be interesting to see if this article gets more comments then that of the latest Samsung ad.

  • Reply 13 of 118
    ibeamibeam Posts: 322member
    Quote:
    Originally Posted by digitalclips View Post



    Malware NOT virus ... calm down people. .

    I think malware is a term that describes all malicious software from adware all the way up to viruses that can steal and delete data and replicate across the network. If the creators named it iWorm, they clearly think it is very nasty indeed.

     

    I agree the infected users are likely self inflicted but in a way Apple is responsible because they have created a false sense of security that Macs are not susceptible to viruses. Then the users go clicking on phishing links because they are naive or just stupid.

  • Reply 14 of 118
    foggyhillfoggyhill Posts: 4,767member
    Quote:
    Originally Posted by ibeam View Post

     

    I think malware is a term that describes all malicious software from adware all the way up to viruses that can steal and delete data and replicate across the network. If the creators named it iWorm, they clearly think it is very nasty indeed.

     

    I agree the infected users are likely self inflicted but in a way Apple is responsible because they have created a false sense of security that Macs are not susceptible to viruses. Then the users go clicking on phishing links because they are naive or just stupid.


     

    Good fracking grief, if people infects their own machine and put into their own credentials (which of course they use on every site in the world) in those software, there is nothing you can do about it, EVER!

     

    A antivirus or antimalware can only help you if what is run is not off the boat new. It is not that hard to modify the signature of whatever and those anti-virus or anti-malware software won't detect it. There's a substantial chance you'll run into a new malware or Virus. I've reported a few new ones in the last 15 years.

     

    The best thing for security is sandboxing everything (can use a VM), strict user access control to resources of all kind (so your VM is not used to sniff the network for example, even if it is compromised) and education of users telling them : don't be stupid.  A sandbox won't help you are phished and give away your password.

     

    That this spread through reddit lowers my already low opinion of this site.

  • Reply 15 of 118
    iaeeniaeen Posts: 588member
    ibeam wrote: »
    I think malware is a term that describes all malicious software from adware all the way up to viruses that can steal and delete data and replicate across the network. If the creators named it iWorm, they clearly think it is very nasty indeed.

    I agree the infected users are likely self inflicted but in a way Apple is responsible because they have created a false sense of security that Macs are not susceptible to viruses. Then the users go clicking on phishing links because they are naive or just stupid.

    In what bazaro universe does creating an almost virus proof system make someone more responsible for the rare exception?

    I guess seatbelts are to be blamed for traffic fatalities, and Microsoft must be doing us all a favor by not fixing security issues with their software.
  • Reply 16 of 118
    nagrommenagromme Posts: 2,834member
    I thought: finally, the first real OS X worm! It spreads on its own! Except... the article says nothing about how it gets on your machine.

    A "worm" is SELF-spreading malware.

    IF this just a trojan--(essentially, simply a lie--which every OS will always be vulnerable to)—then this is just the latest Mac FUD False Alarm.

    In which case, naming the trojan with "worm" in the name does not a worm make. I could release a word processor called "WormWrite" but that wouldn't mean i had created the first real-world successful Mac malware!

    So how DOES it spread, exactly? Does it need to convince the user to give up your password?
  • Reply 17 of 118
    gatorguygatorguy Posts: 24,176member
    foggyhill wrote: »
    Good fracking grief, if people infects their own machine and put into their own credentials (which of course they use on every site in the world) in those software, there is nothing you can do about it, EVER!
    That this spread through reddit lowers my already low opinion of this site.
    Reddit had zero blame in this. I also haven't seen anything official posted yet on how the user machines were actually infected.
  • Reply 18 of 118
    gtrgtr Posts: 3,231member
    That's it.

    F*ck this lack of security on the Mac.

    I run a professional business. I need to know that my operating system of choice is secure, reliable, and receives regular updated new features.

    I'm moving to Windows.
  • Reply 19 of 118
    ibeamibeam Posts: 322member
    Quote:
    Originally Posted by iaeen View Post



    In what bazaro universe does creating an almost virus proof system make someone more responsible for the rare exception?



    I guess seatbelts are to be blamed for traffic fatalities, and Microsoft must be doing us all a favor by not fixing security issues with their software.

    I'm not placing any blame on Apple technology, it is maybe Apple marketing. Sort of like those new car commercials that show cars automatically applying the brakes when it detects dangerous situations. Some foolish people might think they no longer need to wear their seat belts.

  • Reply 20 of 118
    jungmarkjungmark Posts: 6,926member
    Security is only as strong as your weakest link, ie users.

    Now you know why Apple locks down its iOS devices.
Sign In or Register to comment.