Russian anti-virus firm Dr Web reported last week that the ‘Mac.BackDoor.iWorm’ malware was being disguised as an application called ‘com.JavaW’ in order to infect Mac machines, with the added twist that the malware uses social media to group infected machines into a botnet.
According to the research outfit, the malware uses the Reddit.com search function to locate a fake discussion forum for the video game Minecraft, from which it retrieves a list of botnet command-and-control (C&C) servers operated by the cyber-criminals.
Reddit has since shut down the fake subreddit page and banned the account which was posting the iWorm botnet server list onto the forum.
“The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd,” reads the firm's analysis.
Once connected to the botnet, the infected machine could be used by the cyber-criminals to send spam, conduct DDoS attacks and mine for Bitcoins, although there is no evidence of any attacks to date.
Writing in its 29 September report (which was based on a survey of recent internet traffic), Dr Web said that 18,519 unique IP addresses were connecting to the botnet, with roughly one in four of these coming from the US. There were more than 1,200 infected Mac OS X machines in both the UK and Canada.
“Criminals developed this malware using C++ and Lua. It should also be noted that the backdoor makes extensive use of encryption in its routines. During installation it is extracted into /Library/Application Support/JavaW, after which the dropper generates a p-list file so that the backdoor is launched automatically,” the researchers said.
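As an added illustration (not code from the article or from Dr Web), a small Python hunt for the persistence mechanism described above: it parses launchd plists and flags any whose program sits under the quoted install directory. The launchd directories and plist keys are standard; the function names and the install-directory constant are assumptions drawn from the quote.

```python
"""Hunt launchd plists that start a program from the iWorm install directory."""
import os
import plistlib

# Install location quoted in the Dr Web analysis (taken from the article).
IWORM_DIR = "/Library/Application Support/JavaW"

# Standard launchd locations scanned on a live Mac.
LAUNCH_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]


def program_paths(plist):
    """Return every executable path a launchd plist dict would start."""
    paths = []
    if isinstance(plist.get("Program"), str):
        paths.append(plist["Program"])
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        paths.append(args[0])
    return paths


def matches_install_dir(plist, install_dir=IWORM_DIR):
    """True if the plist launches a program located under install_dir."""
    prefix = install_dir.rstrip("/") + "/"
    return any(os.path.normpath(p).startswith(prefix) for p in program_paths(plist))


def find_iworm_persistence(launch_dirs=LAUNCH_DIRS, install_dir=IWORM_DIR):
    """Return [(plist_path, label, programs)] for every matching plist found."""
    hits = []
    for d in launch_dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    plist = plistlib.load(fh)
            except Exception:  # unreadable or malformed plist: skip, keep scanning
                continue
            if isinstance(plist, dict) and matches_install_dir(plist, install_dir):
                hits.append((path, plist.get("Label", "?"), program_paths(plist)))
    return hits


if __name__ == "__main__":
    for path, label, progs in find_iworm_persistence():
        print(f"{path}: label={label} runs {progs}")
```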
Apple responded to this new threat over the weekend by updating its XProtect anti-malware feature, which is integrated into OS X, to block three versions of iWorm (OSX.iWork.A, OSX.iWork.B and OSX.iWorm.C).
451 security researcher Javvad Malik said that while this attack itself is not a surprise, the method of using social media to spread the worm is innovative.
“The use of social media, commenting systems etc. is a crafty way to send commands as it bypasses web-filtering etc. unless you're specifically looking for it,” Malik told SCMagazineUK.com. “Generally, we can probably expect to see more Mac-centric attacks and it will really stress-test how well Apple can react going forward.”
Brian Honan, managing director and consultant at BH Consulting, added that this news should be a wake-up call for Apple users, who are ‘not immune’ from cyber-criminals.
“While the number of infections is small compared to worms on other platforms, such as Windows, this should be a wake-up call for Apple users that they are not immune from being targeted by cyber criminals,” Honan told SC.
“All computer users, no matter what their platform, should ensure they take basic security precautions and ensure they do not click on suspicious links or attachments.”