December 16, 2024
New Mac.BackDoor.iWorm Threat Has Infected Over 18,500 Macs

New Mac.BackDoor.iWorm Threat Has Infected Over 18,500 Macs

Posted October 3, 2014 at 9:37pm by iClarified
Doctor Web has discovered a new threat to Mac OS X dubbed Mac.BackDoor.iWorm. The complex malicious program has already infected over 18,500 Macs which can now be used by criminals to carry out various instructions.

During installation the malware is extracted into /Library/Application Support/JavaW, after which the dropper generates a p-list file so that the backdoor is launched automatically. It's configuration is saved in a separate file and then the program reads /Library to find out which application it won't be interacting with. If no 'unwanted' directories are found, it determines the home directory, checks to see if its configuration file is in the directory and then writes the data it needs to run into the file.

When running, iWorm opens a port on the computer and waits for an incoming connection. Notably, it uses reddit to obtain a list of control servers to connect to.


Doctor Web describes how this works:

It is worth mentioning that in order to acquire a control server address list, the bot uses the search service at reddit.com, and—as a search query—specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date. The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd. The bot picks a random server from the first 29 addresses on the list and sends queries to each of them. Search requests to acquire the list are sent to reddit.com in five-minute intervals. While establishing a connection to the server whose address is picked from the list using a special routine, the backdoor attempts to determine whether the server address is on the exceptions list and engages in a data exchange with the server to employ special routines for authenticating the remote host. If successful, the backdoor sends the server information about the open port on the infected machine and its unique ID and awaits directives.

To check if you are infected, simply navigate to the /Library/Application Support/JavaW directory. If it exists you are likely infected.

To do this open a new Finder window. Press the Command + Shift + G keys at the same time. Input /Library/Application Support/JavaW into the textfield and click Go. If your computer is clean you should get a This folder can't be found message.


Doctor Web says the signature of this malware has been added to their virus database, so users running Dr.Web Anti-virus for Mac OS X are protected.

More details at the link below. Please follow iClarified on Twitter, Facebook, or RSS for updates.

Read More


New Mac.BackDoor.iWorm Threat Has Infected Over 18,500 Macs
Add Comment
Would you like to be notified when someone replies or adds a new comment?
Yes (All Threads)
Yes (This Thread Only)
No
iClarified Icon
Notifications
Would you like to be notified when we post a new Apple news article or tutorial?
Yes
No
Comments (22)
You must login or register to add a comment...
Mike Power
Mike Power - October 5, 2014 at 2:31am
so much security, yes sure.
Mike Power
Mike Power - October 5, 2014 at 3:07am
definitely you are theo ne with the virus.
1
kapnkirk24
kapnkirk24 - October 5, 2014 at 2:07am
LMAOOOOO
1
Tuma
Tuma - October 4, 2014 at 3:53pm
Folder not found
1
SimonSays
SimonSays - October 4, 2014 at 1:26pm
This is a hoax. My macs are clean as are everyone else's macs I suspect. Dr. Web just wants some attention.
snarklerfob
snarklerfob - October 4, 2014 at 9:14am
"Press the Comment + Shift + G keys..." Gosh darn, I've looked everywhere, but I can't find the "comment" key. Maybe leaving this comment will do the trick: Does iClarified use editors?
xXRedHacking
xXRedHacking - October 5, 2014 at 9:56am
Isn't "Comment", is "Command + Shift + G" :D
ipadguy
ipadguy - October 4, 2014 at 5:47am
"Not found" This is dumb
NewYorker
NewYorker - October 3, 2014 at 11:49pm
Thats a fake this person just wants attention LOL SMH
Techno
Techno - October 3, 2014 at 11:12pm
Sounds like Dr. Web is creating the Virus scare and now trying to profit on the idea they have handled their so called business. Scare tactic marketing...interesting.
Headbanger
Headbanger - October 3, 2014 at 11:08pm
If you buy windows you can totally bypass these issues...windows has less viruses
gamerscul9870
gamerscul9870 - October 4, 2014 at 12:15am
sounds like someone didn't look at malware market charts or learn from keynotes. Or better yet not even used and compared both.
Techno
Techno - October 4, 2014 at 12:46am
You must also believe Android is Malware free also and does not need anything to worry about? Wow!!!
gamerscul9870
gamerscul9870 - October 5, 2014 at 2:51am
that makes you to about judging both os'. Forgot Linux.
iAmMe
iAmMe - October 6, 2014 at 10:04am
Guys! He just wants some attention like Dr. Web. LOL
Eli Rivers
Eli Rivers - October 3, 2014 at 10:59pm
How do I know The Dr.Webb anti-virus isn't another infection for MAC...
Biggs
Biggs - October 4, 2014 at 6:26am
Good question bro
iAmMe
iAmMe - October 6, 2014 at 10:07am
That's why I never installed any anti-virus on my Mac. IMHO, it's safer that way. You just have to be careful when installing counterfeit programs specially if they ask for your password to modify your system.
hamood_d10
hamood_d10 - October 3, 2014 at 10:28pm
damn i have it on my mac, thx apple ur screwing with people more and more lately, i will format my mac now damn
sillydrew
sillydrew - October 4, 2014 at 1:07am
Here is a idea. Check your time machine backups for that folder and find a backup where it doesn't exist. It's worth a try. No need to start with starting fresh.
Robert
Robert - October 3, 2014 at 9:42pm
You mean "iBola?"
gamerscul9870
gamerscul9870 - October 3, 2014 at 9:46pm
More like iSick.
Recent. Read the latest Apple News.
RECENT
Tutorials. Help is here.
TUTORIALS
Where to Download macOS Ventura
Where to Download macOS Sequoia
AppleTV Firmware Download Locations
Where To Download iPad Firmware Files From
Where To Download iPhone Firmware Files From
Deals. Save on Apple devices and accessories.
DEALS