New Mac.BackDoor.iWorm Threat Has Infected Over 18,500 Macs
Posted October 3, 2014 at 9:37pm by iClarified
Doctor Web has discovered a new threat to Mac OS X dubbed Mac.BackDoor.iWorm. The complex malicious program has already infected over 18,500 Macs, which criminals can now direct to carry out a range of commands.
During installation the malware is extracted into /Library/Application Support/JavaW, after which the dropper generates a plist file so that the backdoor is launched automatically. Its configuration is saved in a separate file. The program then reads /Library to find out which applications it will avoid interacting with; if none of these 'unwanted' directories are found, it determines the home directory, checks whether its configuration file is present there, and writes the data it needs to run into that file.
When running, iWorm opens a port on the computer and waits for an incoming connection. Notably, it uses reddit to obtain a list of control servers to connect to.
Doctor Web describes how this works:
It is worth mentioning that in order to acquire a control server address list, the bot uses the search service at reddit.com, and—as a search query—specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date. The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd. The bot picks a random server from the first 29 addresses on the list and sends queries to each of them. Search requests to acquire the list are sent to reddit.com in five-minute intervals. While establishing a connection to the server whose address is picked from the list using a special routine, the backdoor attempts to determine whether the server address is on the exceptions list and engages in a data exchange with the server to employ special routines for authenticating the remote host. If successful, the backdoor sends the server information about the open port on the infected machine and its unique ID and awaits directives.
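The C&C discovery scheme above (search term = hex of the first 8 bytes of the MD5 of the current date, re-queried every five minutes) gives a network indicator you can hunt for in proxy logs: a reddit.com search whose query is a 16-character hex string that matches the token for today or a neighbouring day. The following is an added example, not code from Doctor Web or from the article; the date format the bot hashes is not given in the writeup, so the ISO `%Y-%m-%d` format, the `reddit_search_token` and `scan_proxy_log` names, and the squid-style sample log lines are all assumptions constructed for illustration.

```python
import hashlib
import re
from datetime import date, timedelta

# ASSUMPTION: Doctor Web does not state the exact date string the bot hashes,
# so a plain ISO date is used here as a stand-in. Adjust if the real format
# becomes known; the rest of the logic is unchanged.
DATE_FORMAT = "%Y-%m-%d"


def reddit_search_token(day, fmt=DATE_FORMAT):
    """Search term as described: hex of the first 8 bytes of MD5(date string)."""
    digest = hashlib.md5(day.strftime(fmt).encode()).digest()
    return digest[:8].hex()  # 16 lowercase hex characters


def candidate_tokens(today, window=1):
    """Tokens for today +/- `window` days, to tolerate clock skew and time zones.
    Maps token -> the date it was derived from."""
    return {
        reddit_search_token(today + timedelta(days=d)): today + timedelta(days=d)
        for d in range(-window, window + 1)
    }


# A reddit search request whose q= parameter is a 16-hex-character token.
SEARCH_RE = re.compile(r"reddit\.com/search[^\s]*[?&]q=([0-9a-f]{16})")


def scan_proxy_log(lines, today, window=1):
    """Return (client, token, derived_date) for each line whose reddit search
    query equals one of the candidate tokens. Only the q= value is compared,
    so ordinary reddit browsing and unrelated searches do not match."""
    tokens = candidate_tokens(today, window)
    hits = []
    for line in lines:
        m = SEARCH_RE.search(line)
        if m and m.group(1) in tokens:
            hits.append((line.split()[0], m.group(1), tokens[m.group(1)]))
    return hits


# Constructed sample data for the demonstration (not real captures).
SAMPLE_DAY = date(2014, 10, 3)
SAMPLE_LOG = [
    # today's token: should match
    f'10.0.0.5 - - [03/Oct/2014:12:00:01 +0000] "GET http://www.reddit.com/search?q={reddit_search_token(SAMPLE_DAY)}&restrict_sr=on HTTP/1.1" 200',
    # ordinary reddit traffic: no match
    '10.0.0.6 - - [03/Oct/2014:12:00:02 +0000] "GET http://www.reddit.com/r/minecraft HTTP/1.1" 200',
    # a 16-hex search term that is not a candidate token: no match
    '10.0.0.7 - - [03/Oct/2014:12:00:03 +0000] "GET http://www.reddit.com/search?q=0000000000000000 HTTP/1.1" 200',
    # yesterday's token (clock skew / time zone): caught by the window
    f'10.0.0.8 - - [03/Oct/2014:12:00:04 +0000] "GET http://www.reddit.com/search?q={reddit_search_token(SAMPLE_DAY - timedelta(days=1))} HTTP/1.1" 200',
]

if __name__ == "__main__":
    for client, token, derived in scan_proxy_log(SAMPLE_LOG, SAMPLE_DAY):
        print(f"{client} searched reddit for {token} (token for {derived})")
```

Run it against real proxy logs by replacing `SAMPLE_LOG` with the file's lines and `SAMPLE_DAY` with `date.today()`; a single host that repeats this search roughly every five minutes is the pattern the writeup describes.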
To check whether you are infected, navigate to the /Library/Application Support/JavaW directory. If it exists, you are likely infected. Note that this checks only the drop location Doctor Web reports; its absence is not proof of a clean machine.
To do this, open a new Finder window and press Command + Shift + G. Enter /Library/Application Support/JavaW into the text field and click Go. If your computer is clean, you should get a "This folder can't be found" message.
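The Finder check covers only the JavaW directory; the writeup also says the dropper creates a plist so the backdoor starts automatically, so a persistence entry referencing JavaW is a second indicator worth checking. The following script is an added example, not Doctor Web's or the article's code. It assumes the plist lands in one of the standard launchd directories (/Library/LaunchAgents or /Library/LaunchDaemons), which the writeup does not state, and the `find_iworm_indicators` and `make_sample_tree` names are this example's own; `make_sample_tree` builds a constructed directory layout so the script can be exercised without an infected machine.

```python
import os
import plistlib
import tempfile

JAVAW_DIR = os.path.join("Library", "Application Support", "JavaW")

# ASSUMPTION: the writeup does not say where the dropper writes its launch
# plist; the standard launchd locations are checked here.
LAUNCHD_DIRS = [
    os.path.join("Library", "LaunchAgents"),
    os.path.join("Library", "LaunchDaemons"),
]


def plist_mentions_javaw(path):
    """True if a launchd plist's Program/ProgramArguments reference JavaW.
    If the file does not parse as a plist, fall back to a raw byte search so a
    deliberately malformed file is still flagged."""
    try:
        with open(path, "rb") as f:
            pl = plistlib.load(f)
        args = list(pl.get("ProgramArguments", [])) + [pl.get("Program", "")]
        return any("JavaW" in str(a) for a in args)
    except Exception:
        with open(path, "rb") as f:
            return b"JavaW" in f.read()


def find_iworm_indicators(root="/"):
    """Return a list of (kind, path) findings under `root`. Pass "/" for the
    live system, or another root for a mounted volume or backup."""
    findings = []
    javaw = os.path.join(root, JAVAW_DIR)
    if os.path.isdir(javaw):
        findings.append(("directory", javaw))
    for rel in LAUNCHD_DIRS:
        full = os.path.join(root, rel)
        if not os.path.isdir(full):
            continue
        for name in sorted(os.listdir(full)):
            path = os.path.join(full, name)
            if name.endswith(".plist") and os.path.isfile(path) and plist_mentions_javaw(path):
                findings.append(("launchd plist", path))
    return findings


def make_sample_tree(infected=True):
    """Constructed directory layout for demonstration only; returns its root.
    The plist label and binary name below are placeholders, not real IOCs."""
    root = tempfile.mkdtemp(prefix="iworm-demo-")
    os.makedirs(os.path.join(root, "Library", "LaunchDaemons"))
    os.makedirs(os.path.join(root, "Library", "LaunchAgents"))
    if infected:
        os.makedirs(os.path.join(root, JAVAW_DIR))
        with open(os.path.join(root, "Library", "LaunchDaemons", "com.example.javaw.plist"), "wb") as f:
            plistlib.dump({
                "Label": "com.example.javaw",
                "ProgramArguments": ["/Library/Application Support/JavaW/javaw"],
                "RunAtLoad": True,
            }, f)
    return root


if __name__ == "__main__":
    hits = find_iworm_indicators("/")
    if not hits:
        print("No iWorm indicators found (JavaW directory and launchd plists).")
    for kind, path in hits:
        print(f"FOUND {kind}: {path}")
```

Run with no arguments on the Mac itself; the plist check needs read access to /Library/LaunchDaemons, which is world-readable by default. Pointing `find_iworm_indicators` at a mounted Time Machine volume lets you locate the last backup that has no findings.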
Doctor Web says the signature of this malware has been added to their virus database, so users running Dr.Web Anti-virus for Mac OS X are protected.
More details at the link below.
"Press the Comment + Shift + G keys..."
Gosh darn, I've looked everywhere, but I can't find the "comment" key. Maybe leaving this comment will do the trick:
Does iClarified use editors?
Sounds like Dr. Web is creating the virus scare and now trying to profit on the idea they have handled their so-called business. Scare tactic marketing...interesting.
That's why I never installed any anti-virus on my Mac. IMHO, it's safer that way. You just have to be careful when installing counterfeit programs, especially if they ask for your password to modify your system.
Here is an idea. Check your Time Machine backups for that folder and find a backup where it doesn't exist. It's worth a try. No need to start fresh.