Apple Updates Malware Definitions to Protect Against Botnet Threat Coordinated Via Reddit

by

Last week, Russian anti-virus firm Doctor Web disclosed a newly discovered piece of OS X malware known as Mac.BackDoor.iWorm that at the time had affected roughly 17,000 machines around the world. While the exact mechanism of infection was unclear, an interesting twist to the story involves compromised machines running search queries on Reddit to obtain instructions about which command and control servers should be used to manage the botnet.

It is worth mentioning that in order to acquire a control server address list, the bot uses the search service at reddit.com, and -- as a search query -- specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date. The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd.

Once connected to a command and control server, the backdoor opened by the malware on the user's system can receive instructions to perform a variety of tasks, from stealing sensitive information to receiving or spreading additional malware.

In an effort to address the threat, Apple has now updated its "Xprotect" anti-malware system to recognize two different variants of the iWorm malware and prevent them from being installed on users' machines.

xprotect_iworm
First introduced with OS X Snow Leopard, Xprotect is a rudimentary anti-malware system that recognizes and alerts users to the presence of various types of malware. Given the relative rarity of malware targeting OS X, the malware definitions are updated infrequently, although users' machines automatically check for updates on a daily basis. Apple also uses the Xprotect system on occasion to enforce minimum version requirements for plug-ins such as Flash Player and Java, forcing users to upgrade from older versions known to carry significant security risks.

Popular Stories

iOS 18

Here Are Apple's Full iOS 18.5 Release Notes

Tuesday May 6, 2025 2:17 pm PDT by
Apple today seeded the release candidate version of iOS 18.5 to developers and public beta testers, giving us a look at the final version of the update that will be provided to the public next week. With the release candidate, Apple provided release notes, so we have a more complete look at the new features that are included in the update, including those that weren't found during the beta...
Read Full Article60 comments
iOS 18

Apple Says iOS 18.5 Coming Soon, Here is What's New

Monday May 5, 2025 8:19 am PDT by
In its press release for the new Pride Band today, Apple said that iOS 18.5 is "upcoming," following more than a month of beta testing. We expect the iOS 18.5 Release Candidate to be released this week, and this should be the final beta version, barring any last-minute bugs or changes. The software update should then be released to the general public next week. iOS 18.5 is a relatively...
Read Full Article60 comments
iPhone 17 Pro Blue Feature Tighter Crop

iPhone 17: What's New With the Cameras

Friday May 2, 2025 3:52 pm PDT by
We've still got months to go before the new iPhone 17 models come out, but a combination of dummy models and leaks have given us some insight into what we can expect in terms of camera changes. Apple is adding new camera features, and changing the design of the camera bump for some models. You might be skeptical of dummy models, but over the years, they've proven to be a highly accurate...
Read Full Article86 comments
Foldable iPhone 2023 Feature Homescreen

Foldable iPhone Said to Have Two Key Advantages

Monday May 5, 2025 6:41 am PDT by
Apple plans to release its first foldable iPhone next year, according to several reporters and analysts who cover the company. In his Power On newsletter today, Bloomberg's Mark Gurman said the foldable iPhone will offer two key advantages over other foldable smartphones. First, he said the foldable iPhone will have a "nearly invisible" crease when unfolded. This means the device's...
Read Full Article176 comments
Beyond iPhone 13 Better Blue Face ID

20th-Anniversary iPhone Will Reportedly Feature an All-Screen Design

Saturday May 3, 2025 9:20 am PDT by
Apple's former design chief Jony Ive long dreamed of an iPhone with a truly all-screen design, and his wish might finally become reality in a few more years. The Information today cited multiple sources who said that at least one new iPhone model launching in 2027 will have a truly edge-to-edge display. The device's front camera and Face ID system would both be placed under the screen....
Read Full Article83 comments
AirPods Pro 3 Mock Feature

AirPods Pro 3 Just Months Away – Here's What We Know

Tuesday April 29, 2025 1:30 am PDT by
Despite being more than two years old, Apple's AirPods Pro 2 still dominate the premium wireless‑earbud space, thanks to a potent mix of top‑tier audio, class‑leading noise cancellation, and Apple's habit of delivering major new features through software updates. With AirPods Pro 3 widely expected to arrive in 2025, prospective buyers now face a familiar dilemma: snap up the proven...
Read Full Article102 comments
siri glow

iPhone Users Now Able to Submit Claims in $95 Million Siri Spying Lawsuit

Wednesday May 7, 2025 11:40 am PDT by
If you owned a Siri-compatible device and had an accidental Siri activation between September 17, 2014 and December 31, 2024, you could be eligible for a payment from Apple as part of a class action lawsuit settlement. Apple in January agreed to pay $95 million to settle a class action lawsuit involving Siri spying accusations, and a website to distribute the funds has now been set up and...
Read Full Article69 comments
Apple Watch 2025 Pride Feature

Apple Announces 2025 Pride Band, Watch Face, and iPhone Wallpaper

Monday May 5, 2025 6:08 am PDT by
Apple today announced its 2025 Pride Collection, including a new Apple Watch band, watch face, and a matching wallpaper for the iPhone and iPad. Ahead of Pride Month in June, Apple says its Pride Collection celebrates the strength and beauty of LGBTQ+ communities around the world. The new Pride Edition Sport Band is now available to order on Apple.com and in the Apple Store app in 40mm,...
Read Full Article235 comments

Top Rated Comments

mikethebigo Avatar
mikethebigo
138 months ago
It has been discovered how the botnet is installed. You have to download a pirated app, such as Photoshop, and then give the pirated installer administrator privileges.

No amount of malware security can fix stupid.

EDIT: Link to evidence: http://www.thesafemac.com/iworm-method-of-infection-found/ (http://www.thesafemac.com/iworm-method-of-infection-found/)
Score: 45 Votes (Like | Disagree)
smithrh Avatar
smithrh
138 months ago
It has been discovered how the botnet is installed. You have to download a pirated app, such as Photoshop, and then give the pirated installer administrator privileges.

No amount of malware security can fix stupid.

Good update - a lot of the "Hey look! Mac malware!" hue and cry has, of course, come from the usual places, namely antivirus software houses - and that hue and cry has not mentioned how the damn thing gets in your Mac in the first place.

That was a glaring omission, and it was right for MacRumors to hold off until now.
Score: 21 Votes (Like | Disagree)
Parasprite Avatar
Parasprite
138 months ago
I will have to check and see if this update is via the store or the site.

You won't find it in either because the update is via xprotect, which is updated automatically. I know there used to be a way to force an update using a terminal command, but iirc there isn't a way to do this in Mavericks (yet).
Score: 16 Votes (Like | Disagree)
brdeveloper Avatar
brdeveloper
138 months ago
Well, I'm stuck with Gimp because I'm adult and don't support piracy, and Photoshop is just too expensive for amateur photography, unless it's your main and single hobby. It's not my case, since I'm a multi-interest hobbyist. I even use the buggy Audacity for recording stuff I play with my guitar.

However there's a thing that really annoys me when installing software: allowing administrator rights. Ok, let's give administrator rights so the app can copy stuff to some system folders, but since it should not be the standard behavior of any app, why OSX doesn't give a more detailed explanation of what will be done with the root access I'm giving? It could throw that warning popup with a button providing additional details of the operation, don't you agree?
Score: 12 Votes (Like | Disagree)
slattery69 Avatar
slattery69
138 months ago
Download and install the xprotect update I posted before in https://forums.macrumors.com/showpost.php?p=20014686&postcount=12

No offence but is the file safe? not to be rude but this thread is about downloading files from unknown sources and just installing them
Score: 10 Votes (Like | Disagree)
nagromme Avatar
nagromme
138 months ago
You can NAME your trojan “worm,” but that does not make it a worm. (It does make good attention-bait for security firms’ PR departments.)

IF this bad software actually did spread BY ITSELF, then it would seem to be the first real-world successful OS X “virus.” (Technically, “worm” is the better term: a “virus” specifically infects/alters apps, while a “worm” is less specific: any malware that spreads on its own.)

But that doesn’t appear to be the case—making this just another trojan.

Any OS is vulnerable to lies, and that’s what a trojan is: someone lies to you and says “trust this program with your system!” Luckily, OS X makes trojans pretty hard to get these days: you have to go to some very specific effort to run un-trusted, unsigned code. If you know how to do that, you should know better! (Signed code can be remotely shut down by Apple if it's determined to be bad--even outside the App Store.)

Pirates beware: don’t trust shady downloads.
Score: 10 Votes (Like | Disagree)
Read All Comments