Doctor Web has discovered a new threat to Mac OS X dubbed Mac.BackDoor.iWorm. The complex malicious program has already infected over 18,500 Macs, which criminals can now direct to carry out various instructions.
During installation the malware is extracted into /Library/Application Support/JavaW, after which the dropper generates a plist file so that the backdoor is launched automatically. Its configuration is saved in a separate file, and the program then reads /Library to find out which applications it should not interact with. If no 'unwanted' directories are found, it determines the home directory, checks whether its configuration file is present there, and then writes the data it needs to run into that file.
When running, iWorm opens a port on the computer and waits for an incoming connection. Notably, it uses reddit to obtain a list of control servers to connect to.
Doctor Web describes how this works:
It is worth mentioning that in order to acquire a control server address list, the bot uses the search service at reddit.com, and—as a search query—specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date. The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd. The bot picks a random server from the first 29 addresses on the list and sends queries to each of them. Search requests to acquire the list are sent to reddit.com in five-minute intervals. While establishing a connection to the server whose address is picked from the list using a special routine, the backdoor attempts to determine whether the server address is on the exceptions list and engages in a data exchange with the server to employ special routines for authenticating the remote host. If successful, the backdoor sends the server information about the open port on the infected machine and its unique ID and awaits directives.
To check whether you are infected, look for the /Library/Application Support/JavaW directory. If it exists, you are likely infected.
To do this, open a new Finder window and press the Command + Shift + G keys at the same time. Enter /Library/Application Support/JavaW into the text field and click Go. If your computer is clean you should get a "This folder can't be found" message.
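The same check from a Terminal, as an added example that is not part of the article or Doctor Web's report. It looks for the install directory named above and, as an assumption the article does not confirm, also scans the standard launchd folders for a plist that mentions JavaW; an optional root argument lets it be run against a scratch directory or a mounted backup instead of the live system.

```shell
#!/bin/sh
# iworm_check [ROOT]
# Returns 0 when no artifacts are found, 1 when something suspicious exists.
# ROOT is an optional alternate root (e.g. a mounted Time Machine volume);
# with no argument the live system is checked.
iworm_check() {
    root="${1:-}"
    dir="$root/Library/Application Support/JavaW"
    found=0

    # The indicator the article gives: the dropper's install directory.
    if [ -d "$dir" ]; then
        echo "SUSPICIOUS: $dir exists"
        ls -la "$dir"
        found=1
    fi

    # Assumption (not stated in the article): the auto-start plist lives in one
    # of the usual launchd locations and references the JavaW directory.
    for pl in "$root/Library/LaunchAgents"/*.plist \
              "$root/Library/LaunchDaemons"/*.plist \
              "$root$HOME/Library/LaunchAgents"/*.plist; do
        [ -f "$pl" ] || continue
        if grep -q "JavaW" "$pl" 2>/dev/null; then
            echo "SUSPICIOUS: $pl references JavaW"
            found=1
        fi
    done

    if [ "$found" -eq 0 ]; then
        echo "clean: no iWorm artifacts found under ${root:-/}"
    fi
    return "$found"
}
```

Run it as `sh iworm_check.sh` after adding a call such as `iworm_check` (or `iworm_check /Volumes/Backup`) at the end of the file; a non-zero exit status means the directory or a referencing plist was found.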
Doctor Web says the signature of this malware has been added to their virus database, so users running Dr.Web Anti-virus for Mac OS X are protected.
Comments (22)
0
Mike Power - October 5, 2014 at 2:31am
so much security, yes sure.
0
Mike Power - October 5, 2014 at 3:07am
definitely you are the one with the virus.
1
kapnkirk24 - October 5, 2014 at 2:07am
LMAOOOOO
1
Tuma - October 4, 2014 at 3:53pm
Folder not found
1
SimonSays - October 4, 2014 at 1:26pm
This is a hoax. My macs are clean as are everyone else's macs I suspect. Dr. Web just wants some attention.
0
snarklerfob - October 4, 2014 at 9:14am
"Press the Comment + Shift + G keys..."
Gosh darn, I've looked everywhere, but I can't find the "comment" key. Maybe leaving this comment will do the trick:
Does iClarified use editors?
0
xXRedHacking - October 5, 2014 at 9:56am
Isn't "Comment", is "Command + Shift + G" :D
0
ipadguy - October 4, 2014 at 5:47am
"Not found" This is dumb
0
NewYorker - October 3, 2014 at 11:49pm
That's a fake, this person just wants attention LOL SMH
0
Techno - October 3, 2014 at 11:12pm
Sounds like Dr. Web is creating the Virus scare and now trying to profit on the idea they have handled their so called business. Scare tactic marketing...interesting.
0
Headbanger - October 3, 2014 at 11:08pm
If you buy windows you can totally bypass these issues...windows has less viruses
0
gamerscul9870 - October 4, 2014 at 12:15am
sounds like someone didn't look at malware market charts or learn from keynotes. Or better yet not even used and compared both.
0
Techno - October 4, 2014 at 12:46am
You must also believe Android is Malware free also and does not need anything to worry about? Wow!!!
0
gamerscul9870 - October 5, 2014 at 2:51am
that makes you to about judging both os'. Forgot Linux.
0
iAmMe - October 6, 2014 at 10:04am
Guys! He just wants some attention like Dr. Web. LOL
0
Eli Rivers - October 3, 2014 at 10:59pm
How do I know The Dr.Webb anti-virus isn't another infection for MAC...
0
Biggs - October 4, 2014 at 6:26am
Good question bro
0
iAmMe - October 6, 2014 at 10:07am
That's why I never installed any anti-virus on my Mac. IMHO, it's safer that way. You just have to be careful when installing counterfeit programs specially if they ask for your password to modify your system.
0
hamood_d10 - October 3, 2014 at 10:28pm
damn i have it on my mac, thx apple ur screwing with people more and more lately, i will format my mac now damn
0
sillydrew - October 4, 2014 at 1:07am
Here is an idea. Check your Time Machine backups for that folder and find a backup where it doesn't exist. It's worth a try. No need to start fresh.