New ‘iWorm’ botnet discovered affecting OS X systems

A new botnet malware threat called ‘Mac.BackDoor.iWorm’ has been discovered by Russian security firm Dr. Web, which claims it is affecting more than 17,000 OS X systems. When installed, the malware will search the popular online community Reddit for pages containing links to command & control servers. At this point the infected system begins communicating with the servers and other systems connected to them, allowing the system to be used in tandem with others for various attacks, including brute-force password cracking and distributed denial of service attacks.

The specific route taken for the malware to be installed on a system is unknown at this point; however, it does install at least some components into a folder called “JavaW” in the Macintosh HD > Library > Application Support directory. In addition, as with other threats for OS X, this malware takes advantage of the system launcher and creates a launch agent or daemon property list that will keep the malware running in the background when you start up your system.

Because of this, as described on Thomas Reed’s The Safe Mac, you can do a preliminary check of your Mac for the presence of the malware by attempting to open the “JavaW” folder, which is not known to be created by any legitimate program or service. To do this, go to the Finder and press Shift-Command-G (or choose Go To Folder from the Go menu), and then enter this folder path into the text field (copy and paste it):

/Library/Application Support/JavaW

If a folder opens when you click the “Go” button, then the probability is high that you have been affected by this malware. Otherwise, the system will just issue a warning beep and not display a folder (hopefully–and likely–this will happen for you). Granted, the name of the folder can be changed by the malware’s creators, but for now this is the one that has been identified.

Unfortunately, too little is known about this malware to help remove it fully from an infected system, so if you see this folder on your system, you might consider wiping your Mac and then reinstalling OS X, or restoring your system from a recent backup that shows no indication of the infection. Another approach is to wait for additional removal instructions, but this means chancing the security of your system in the meantime.

Beyond this approach, you can help protect your Mac from this and other similar malware by doing two things:

1. Install a reverse firewall

While a traditional firewall monitors and blocks incoming connection requests, a reverse firewall lets your Mac monitor which programs are calling out to the mother ship (or any other ship) and prevents them from doing so unless you give explicit permission. Programs of this kind include Little Snitch and Intego NetBarrier.

2. Monitor your system’s launch agent and daemon folders

The various launch agent and daemon folders are the only places where launch agent scripts can be placed to instruct the system to automatically open programs and keep them alive in the background. Since doing this requires adding files to these folders, you can quickly set up Folder Actions in OS X to monitor these folders and inform you when files are being added. Granted, when you purposefully install programs and updates you will see items added to these folders, but if an item is added at any other time, then treat it with suspicion and consider removing it while you investigate exactly what it is (ask folks at the Apple Discussion forums, or at other popular online tech help forums).
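
The folder check and the launch agent monitoring described above can also be run from Terminal. The shell functions below are an added example, not part of the original article or of the tools it mentions; the function names and the list of launchd folders (which the article does not enumerate) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article. ROOT ("$1" or "$2" below) is ""
# for the live system, or a directory tree constructed for testing.

# The article's indicator: a JavaW folder under Application Support.
javaw_present() {
    [ -d "$1/Library/Application Support/JavaW" ]
}

# Folders launchd loads agents and daemons from (list assumed here;
# the article does not enumerate them). The last one is per-user.
launch_dirs() {
    printf '%s\n' \
        "$1/Library/LaunchAgents" \
        "$1/Library/LaunchDaemons" \
        "$1/System/Library/LaunchAgents" \
        "$1/System/Library/LaunchDaemons" \
        "$1${HOME:-}/Library/LaunchAgents"
}

# Print "checksum size path" for every file in those folders, sorted.
snapshot() {
    launch_dirs "$1" | while IFS= read -r dir; do
        if [ -d "$dir" ]; then
            find "$dir" -type f -exec cksum {} +
        fi
    done | LC_ALL=C sort
}

# Print snapshot lines that are missing from baseline file $1, i.e.
# files added or modified under ROOT $2 since the baseline was saved.
new_items() {
    snapshot "$2" | LC_ALL=C comm -13 "$1" -
}

# Command-line use:  script baseline > FILE   |   script check FILE
case "${1:-}" in
    baseline) snapshot "" ;;
    check)
        if javaw_present ""; then
            echo "WARNING: /Library/Application Support/JavaW exists"
        fi
        new_items "$2" "" ;;
esac
```

Any line the check prints outside of an install or update you performed yourself is the kind of item to treat with suspicion, as described above.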

5 thoughts on “New ‘iWorm’ botnet discovered affecting OS X systems”

  1. B. Jefferson Le Blanc

    I’ve been using Little Snitch for years. It’s nice to know that it can warn me of unauthorized operations like those by this worm. It can be annoying sometimes as it pops up alerts for legitimate access attempts as well – until I authorize them – but with the current hazardous state of the Internet, you can hardly have too much protection. Thanks for the warning, Topher.

  2. mysterian

    You can download an app from The Computer Incident Response Center Luxembourg that will monitor the addition of new launch objects to standard locations. It works quite well:

    1. Topher Kessler Post author

      Yes, that tool was developed from my instructions for how to do it manually. They have credited me on their site for the contributions. You can use either it or manual use of Folder Actions to set up system folder monitoring.

      1. Roger Pelizzari

        Topher, I just downloaded the file from
        onto my Snow Leopard computer desktop, clicked on it and got an error.

        It may not be compatible with 10.6.8

        1. Topher Kessler Post author

          I am not involved with that app’s development. I recommend you set up folder actions and manually monitor the launch agent folders, and any others that you want.
