Apple Updates Malware Definitions to Protect Against Botnet Threat Coordinated Via Reddit

Last week, Russian anti-virus firm Doctor Web disclosed a newly discovered piece of OS X malware known as Mac.BackDoor.iWorm that at the time had affected roughly 17,000 machines around the world. While the exact mechanism of infection was unclear, an interesting twist to the story involves compromised machines running search queries on Reddit to obtain instructions about which command and control servers should be used to manage the botnet.

It is worth mentioning that in order to acquire a control server address list, the bot uses the search service at reddit.com, and -- as a search query -- specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date. The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd.

Once connected to a command and control server, the backdoor opened by the malware on the user's system can receive instructions to perform a variety of tasks, from stealing sensitive information to receiving or spreading additional malware.

In an effort to address the threat, Apple has now updated its "Xprotect" anti-malware system to recognize two different variants of the iWorm malware and prevent them from being installed on users' machines.

xprotect_iworm
First introduced with OS X Snow Leopard, Xprotect is a rudimentary anti-malware system that recognizes and alerts users to the presence of various types of malware. Given the relative rarity of malware targeting OS X, the malware definitions are updated infrequently, although users' machines automatically check for updates on a daily basis. Apple also uses the Xprotect system on occasion to enforce minimum version requirements for plug-ins such as Flash Player and Java, forcing users to upgrade from older versions known to carry significant security risks.

Top Rated Comments

mikethebigo Avatar
109 months ago
It has been discovered how the botnet is installed. You have to download a pirated app, such as Photoshop, and then give the pirated installer administrator privileges.

No amount of malware security can fix stupid.

EDIT: Link to evidence: http://www.thesafemac.com/iworm-method-of-infection-found/ (http://www.thesafemac.com/iworm-method-of-infection-found/)
Score: 45 Votes (Like | Disagree)
smithrh Avatar
109 months ago
It has been discovered how the botnet is installed. You have to download a pirated app, such as Photoshop, and then give the pirated installer administrator privileges.

No amount of malware security can fix stupid.

Good update - a lot of the "Hey look! Mac malware!" hue and cry has, of course, come from the usual places, namely antivirus software houses - and that hue and cry has not mentioned how the damn thing gets in your Mac in the first place.

That was a glaring omission, and it was right for MacRumors to hold off until now.
Score: 21 Votes (Like | Disagree)
Parasprite Avatar
109 months ago
I will have to check and see if this update is via the store or the site.

You won't find it in either because the update is via xprotect, which is updated automatically. I know there used to be a way to force an update using a terminal command, but iirc there isn't a way to do this in Mavericks (yet).
Score: 16 Votes (Like | Disagree)
brdeveloper Avatar
109 months ago
Well, I'm stuck with Gimp because I'm adult and don't support piracy, and Photoshop is just too expensive for amateur photography, unless it's your main and single hobby. It's not my case, since I'm a multi-interest hobbyist. I even use the buggy Audacity for recording stuff I play with my guitar.

However there's a thing that really annoys me when installing software: allowing administrator rights. Ok, let's give administrator rights so the app can copy stuff to some system folders, but since it should not be the standard behavior of any app, why OSX doesn't give a more detailed explanation of what will be done with the root access I'm giving? It could throw that warning popup with a button providing additional details of the operation, don't you agree?
Score: 12 Votes (Like | Disagree)
slattery69 Avatar
109 months ago
Download and install the xprotect update I posted before in https://forums.macrumors.com/showpost.php?p=20014686&postcount=12

No offence but is the file safe? not to be rude but this thread is about downloading files from unknown sources and just installing them
Score: 10 Votes (Like | Disagree)
nagromme Avatar
109 months ago
You can NAME your trojan “worm,” but that does not make it a worm. (It does make good attention-bait for security firms’ PR departments.)

IF this bad software actually did spread BY ITSELF, then it would seem to be the first real-world successful OS X “virus.” (Technically, “worm” is the better term: a “virus” specifically infects/alters apps, while a “worm” is less specific: any malware that spreads on its own.)

But that doesn’t appear to be the case—making this just another trojan.

Any OS is vulnerable to lies, and that’s what a trojan is: someone lies to you and says “trust this program with your system!” Luckily, OS X makes trojans pretty hard to get these days: you have to go to some very specific effort to run un-trusted, unsigned code. If you know how to do that, you should know better! (Signed code can be remotely shut down by Apple if it's determined to be bad--even outside the App Store.)

Pirates beware: don’t trust shady downloads.
Score: 10 Votes (Like | Disagree)

Popular Stories

dewey airtag

Report Highlights Danger of Using AirTags for Tracking Dogs

Monday January 30, 2023 1:45 pm PST by
AirTags may be a convenient way for tracking dogs that might get off leash or otherwise lost, but there are dangers associated with the practice, as outlined by a report from The Wall Street Journal. At 1.26 inches in diameter, AirTags are able to fit easily on a dog's collar, but that size also makes the tracking devices small enough to swallow, at least for a medium to large-sized dog, and ...
Multi Display CarPlay 1

Apple Launching All-New CarPlay Experience Later This Year With These 5 Features

Sunday January 29, 2023 10:15 am PST by
In June 2022, Apple previewed the next generation of CarPlay, promising deeper integration with vehicle functions like A/C and FM radio, support for multiple displays across the dashboard, personalization options, and more. Apple says the first vehicles with support for the next-generation CarPlay experience will be announced in late 2023, with committed automakers including Acura, Audi,...
General iOS 16 Feature Yellow

Five New iOS Features Coming to Your iPhone Later This Year

Tuesday January 31, 2023 11:58 am PST by
Apple has previously announced several upcoming iOS features that are expected to be added to the iPhone this year. Some of the features could be introduced with iOS 16.4, which should enter beta testing soon, while others will arrive later in the year. Below, we have recapped five new iOS features that are expected to launch in 2023, such as an Apple Pay Later financing option for purchases ...
maxresdefault

Kuo: Apple to Release Foldable iPad With Carbon Fiber Kickstand in 2024

Monday January 30, 2023 12:55 am PST by
Apple will launch a foldable iPad with a carbon fiber kickstand sometime next year, according to analyst Ming-Chi Kuo. Subscribe to the MacRumors YouTube channel for more videos. In a series of tweets, Kuo said he expects an "all-new design foldable iPad" to be the next big product launch in the iPad lineup, with no other major iPad releases in the next nine to 12 months. The analyst said he...
Apple Silicon Teal Feature

The Next Big Apple Silicon Device May Not Be a Mac or iPad

Wednesday February 1, 2023 3:57 am PST by
Apple's next device with an Apple silicon chip may not be a Mac or an iPad, but rather an advanced external display, according to recent reports. The display, which is rumored to arrive this year, is expected to sit somewhere between the $1,599 Studio Display and the $4,999 Pro Display XDR – but more exact information about the device's positioning and price point is as yet unknown. While ...
MKBHD HomePod 2 White Ring Stain

New HomePod Can Still Stain Some Wooden Surfaces

Tuesday January 31, 2023 8:29 am PST by
When the original HomePod launched in 2018, it was discovered that the speaker can leave white rings on some wooden surfaces. Now, well-known YouTuber Marques Brownlee has confirmed that the issue persists to a lesser extent with the new HomePod. In a side-by-side test, he showed that the white second-generation HomePod left a white ring on the wooden surface that he placed the speaker on,...
tim cook data privacy day

Apple Violated U.S. Labor Laws With Anti-Leak Email

Monday January 30, 2023 3:43 pm PST by
Apple violated United States labor laws when it sent out an email warning employees about leaking confidential information about the company, the National Labor Relations Board (NLRB) said today in a ruling shared by Bloomberg. Rules that Apple has established around leaks "tend to interfere with, restrain or coerce employees" from the exercise of their rights under the National Labor...