A new botnet malware threat called ‘Mac.BackDoor.iWorm’ has been discovered by Russian security firm Dr. Web, which claims it is affecting more than 17,000 OS X systems. When installed, the malware will search the popular online community Reddit for pages containing links to command & control servers. At this point the infected system begins communicating with the servers and other systems connected to them, allowing the system to be used in tandem with others for various attacks, including brute-force password cracking and distributed denial of service attacks.

The specific route taken for the malware to be installed on a system is unknown at this point; however, it does install at least some components into a folder called “JavaW” in the Macintosh HD > Library > Application Support directory. In addition, as with other threats for OS X, this malware takes advantage of the system launcher and creates a launch agent or daemon property list that will keep the malware running in the background when you start up your system.

As a result of these, as described on Thomas Reed’s The Safe Mac, you can first do a preliminary check on your Mac for the presence of the malware by attempting to open the “JavaW” folder, which is not known to be created by any legitimate program or service. To do this, go to the Finder and press Shift-Comand-G (or choose Go To Folder from the Go menu), and then enter this folder path into the text field (copy and paste it):

/Library/Application Support/JavaW

If a folder opens when you click the “Go” button, then the probability is high that you have been affected by this malware. Otherwise, the system will just issue a warning beep and not display a folder (hopefully–and likely–this will happen for you). Granted the name of the folder can be changed by the malware’s creators, but for now this is one that is identified.

Unfortunately little about the details of this malware is known to help remove it fully from an infected system, so if you see this folder on your system, then you might consider wiping your Mac and then reinstalling OS X, or restoring your system from a recent backup that does not have indication of the infection. Another approach is to wait for additional instructions to remove it, but this will be chancing the security of your system in the mean time.

Beyond this approach, you can help protect your Mac from this and other similar malware by doing two things:

1. Install a reverse firewall

While a traditional firewall monitors and blocks incoming connection requests, a reverse firewall allows your Mac to monitor what programs are calling out to the mother ship (or any other ship), and preventing them from doing so unless given explicit permission by you. A couple of these programs include Little Snitch, and Intego NetBarrier.

2. Monitor your system’s launch agent and daemon folders

The various launch agent and daemon folders are the only places where launch agent scripts can be placed to instruct the system to automatically open programs and keep them alive in the background. Since the process to do this requires addition of files to these folders, you can quickly set up Folder Actions in OS X to monitor these folders and inform you when files are being added. Granted when you purposefully install programs and updates you will see items added to these folders, but if at any other time an item is added, then treat it with suspicion and consider removing it while you investigate exactly what it is (as folks at the Apple Discussion forums, or at other popular online tech help forums).