Apple Updates Malware Definitions to Protect Against Botnet Threat Coordinated Via Reddit

Last week, Russian anti-virus firm Doctor Web disclosed a newly discovered piece of OS X malware known as Mac.BackDoor.iWorm that at the time had affected roughly 17,000 machines around the world. While the exact mechanism of infection was unclear, an interesting twist to the story involves compromised machines running search queries on Reddit to obtain instructions about which command and control servers should be used to manage the botnet.

It is worth mentioning that in order to acquire a control server address list, the bot uses the search service at reddit.com, and -- as a search query -- specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date. The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd.
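The rendezvous scheme in that passage is something a defender can turn around: if the search term is a pure function of the date, the expected terms can be precomputed and matched against outbound web-proxy logs. The Python below is an added example written for this page, not code from the malware, from Doctor Web or from Apple. The report does not say how the bot formats "the current date" before hashing, so ASSUMED_DATE_FORMAT is a placeholder, as are the Squid-style log layout, the sample log lines and the 10.0.0.x client addresses; the bare-16-hex heuristic is included precisely because the real format may not be known when the hunt starts.

```python
import hashlib
import re
from datetime import date, timedelta
from urllib.parse import urlparse, parse_qs

# ASSUMPTION: the report does not give the date format the bot hashes. A real hunt must take
# it from the sample; this placeholder only keeps the example runnable.
ASSUMED_DATE_FORMAT = "%d.%m.%Y"


def query_from_string(s):
    """Hex of the first 8 bytes of MD5(s): the 16-character search term the report describes."""
    return hashlib.md5(s.encode("utf-8")).digest()[:8].hex()


def query_for_date(d, fmt=ASSUMED_DATE_FORMAT):
    return query_from_string(d.strftime(fmt))


def expected_queries(today, fmt=ASSUMED_DATE_FORMAT, days_back=2):
    """Terms worth hunting for: today's and a few earlier days', to absorb clock and time-zone skew."""
    return {query_for_date(today - timedelta(days=n), fmt) for n in range(days_back + 1)}


HEX16 = re.compile(r"^[0-9a-f]{16}$")

# One line of a Squid-style access log: timestamp client method url (layout constructed here).
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def reddit_search_term(url):
    """Return the normalised q= parameter when url is a reddit.com search, else None."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host != "reddit.com" and not host.endswith(".reddit.com"):
        return None
    if not p.path.rstrip("/").endswith("/search"):
        return None
    q = parse_qs(p.query).get("q")
    return q[0].strip().lower() if q else None


def find_c2_lookups(log_lines, today, fmt=ASSUMED_DATE_FORMAT):
    """Flag clients whose Reddit searches look like the bot's rendezvous lookup.

    Exact matches need the right date format; the bare-16-hex heuristic does not, at the
    cost of possible false positives (a person rarely searches Reddit for such a term).
    """
    wanted = expected_queries(today, fmt)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        term = reddit_search_term(m.group("url"))
        if term is None:
            continue
        if term in wanted:
            hits.append((m.group("client"), term, "expected-daily-term"))
        elif HEX16.match(term):
            hits.append((m.group("client"), term, "bare-16-hex-term"))
    return hits


SAMPLE_DAY = date(2014, 10, 6)
# Constructed log lines; the first reuses query_for_date so it carries the exact term for SAMPLE_DAY.
SAMPLE_LOG = [
    "1412600000.123 10.0.0.7 GET http://www.reddit.com/search?q=" + query_for_date(SAMPLE_DAY),
    "1412600001.456 10.0.0.7 GET http://www.reddit.com/search?q=minecraft+server+list",
    "1412600002.789 10.0.0.9 GET http://www.reddit.com/r/apple/",
    "1412600003.012 10.0.0.11 GET http://example.com/search?q=0123456789abcdef",
    "1412600004.345 10.0.0.8 GET http://www.reddit.com/search?q=0123456789ABCDEF",
]

if __name__ == "__main__":
    for client, term, why in find_c2_lookups(SAMPLE_LOG, SAMPLE_DAY):
        print(client, term, why)
```

Without the real date format only the heuristic fires; with it, the exact term for today and the previous two days is matched as well. Either way a hit gives a client address and a search term to pivot on, and the same function can be pointed at the Reddit search itself to see what the comments for that term contain.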

Once connected to a command and control server, the backdoor opened by the malware on the user's system can receive instructions to perform a variety of tasks, from stealing sensitive information to receiving or spreading additional malware.

In an effort to address the threat, Apple has now updated its XProtect anti-malware definitions to recognize two different variants of the iWorm malware, so that downloaded files matching them are blocked from opening on users' machines.

First introduced with OS X Snow Leopard, XProtect is a rudimentary, signature-based anti-malware system: a short list of definitions that the system checks against files carrying the quarantine attribute (that is, downloads) when they are opened, alerting the user and refusing to open anything that matches. Given the relative rarity of malware targeting OS X, the definitions are updated infrequently, although users' machines automatically check for updates on a daily basis. Because only quarantined files are inspected, XProtect does not catch malware that arrives without the quarantine attribute or that is already running on the system. Apple also uses XProtect on occasion to enforce minimum version requirements for plug-ins such as Flash Player and Java, forcing users to upgrade from older versions known to carry significant security risks.
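To make the mechanism concrete, here is an added example (Python, written for this page; not Apple's code) that applies two definition files the way the paragraph above describes: a signature list that marks a quarantined download as malware when a byte pattern appears in a file of a given type, and a plug-in block list that refuses a plug-in older than a minimum version. Both plists are constructed here and modeled on the XProtect.plist and XProtect.meta.plist layout of that era; the key names are an assumption, and OSX.Example.A, its pattern, the bundle identifier and the version numbers are placeholders rather than real entries.

```python
import plistlib

# Constructed definition list modeled on the XProtect.plist layout that shipped with OS X at
# the time. The key names are an assumption; the entry name and pattern are placeholders,
# not a real signature.
SAMPLE_XPROTECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.Example.A</string>
    <key>LaunchServices</key>
    <dict><key>LSItemContentType</key><string>com.apple.mach-o-binary</string></dict>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchFile</key>
        <dict><key>NSURLTypeIdentifierKey</key><string>com.apple.mach-o-binary</string></dict>
        <key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>4558414D504C455F4D41524B4552</string>
      </dict>
    </array>
  </dict>
</array>
</plist>
"""

# Constructed plug-in block list modeled on XProtect.meta.plist (same caveat on key names;
# the bundle id and version value are placeholders).
SAMPLE_META_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PlugInBlacklist</key>
  <dict>
    <key>10</key>
    <dict>
      <key>com.macromedia.Flash Player.plugin</key>
      <dict><key>MinimumPlugInBundleVersion</key><string>15.0.0.152</string></dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed file contents: a Mach-O magic followed by the placeholder marker, and a clean file.
SAMPLE_INFECTED = b"\xcf\xfa\xed\xfe" + b"EXAMPLE_MARKER" + b"\x00" * 8
SAMPLE_CLEAN = b"\xcf\xfa\xed\xfe" + b"\x00" * 16


def load_signatures(plist_bytes):
    """Flatten the definition list into (name, required UTI, byte pattern) records."""
    sigs = []
    for entry in plistlib.loads(plist_bytes):
        for m in entry["Matches"]:
            if m.get("MatchType") != "Match":
                continue  # other match types are out of scope for this example
            sigs.append({
                "name": entry["Description"],
                "uti": m["MatchFile"]["NSURLTypeIdentifierKey"],
                "pattern": bytes.fromhex(m["Pattern"]),
            })
    return sigs


def check_download(data, uti, quarantined, sigs):
    """Return the matching definition name, or None.

    Mirrors the limitation that matters: only files carrying the quarantine attribute
    (downloads) are ever checked, so an unquarantined file is returned as clean unseen.
    """
    if not quarantined:
        return None
    for s in sigs:
        if s["uti"] == uti and s["pattern"] in data:
            return s["name"]
    return None


def parse_version(v):
    return tuple(int(x) for x in v.split("."))


def load_plugin_blocklist(meta_bytes):
    """Map plug-in bundle id -> minimum allowed version (as an integer tuple)."""
    meta = plistlib.loads(meta_bytes)
    out = {}
    for _group, plugins in meta.get("PlugInBlacklist", {}).items():
        for bundle_id, info in plugins.items():
            out[bundle_id] = parse_version(info["MinimumPlugInBundleVersion"])
    return out


def plugin_blocked(blocklist, bundle_id, installed_version):
    """True when the installed plug-in is older than the enforced minimum."""
    minimum = blocklist.get(bundle_id)
    return minimum is not None and parse_version(installed_version) < minimum


if __name__ == "__main__":
    sigs = load_signatures(SAMPLE_XPROTECT_PLIST)
    print(check_download(SAMPLE_INFECTED, "com.apple.mach-o-binary", True, sigs))   # OSX.Example.A
    print(check_download(SAMPLE_INFECTED, "com.apple.mach-o-binary", False, sigs))  # None: never scanned
    blocklist = load_plugin_blocklist(SAMPLE_META_PLIST)
    print(plugin_blocked(blocklist, "com.macromedia.Flash Player.plugin", "14.0.0.179"))  # True
```

The quarantined flag in check_download is the caveat that matters in the iWorm case: only files that a download path has tagged with the quarantine attribute are inspected, so a file fetched by a tool that does not set the attribute, or a payload written by a process that is already running, is never checked against the definitions at all.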

Top Rated Comments

mikethebigo
83 months ago
It has been discovered how the botnet is installed. You have to download a pirated app, such as Photoshop, and then give the pirated installer administrator privileges.

No amount of malware security can fix stupid.

EDIT: Link to evidence: http://www.thesafemac.com/iworm-method-of-infection-found/
Score: 45 Votes
smithrh
83 months ago

It has been discovered how the botnet is installed. You have to download a pirated app, such as Photoshop, and then give the pirated installer administrator privileges.

No amount of malware security can fix stupid.


Good update - a lot of the "Hey look! Mac malware!" hue and cry has, of course, come from the usual places, namely antivirus software houses - and that hue and cry has not mentioned how the damn thing gets in your Mac in the first place.

That was a glaring omission, and it was right for MacRumors to hold off until now.
Score: 21 Votes
Parasprite
83 months ago

I will have to check and see if this update is via the store or the site.


You won't find it in either because the update is via XProtect, which is updated automatically. I know there used to be a way to force an update using a terminal command, but iirc there isn't a way to do this in Mavericks (yet).
Score: 16 Votes
brdeveloper
83 months ago
Well, I'm stuck with GIMP because I'm an adult and don't support piracy, and Photoshop is just too expensive for amateur photography, unless it's your main and single hobby. It's not my case, since I'm a multi-interest hobbyist. I even use the buggy Audacity for recording stuff I play with my guitar.

However, there's a thing that really annoys me when installing software: allowing administrator rights. OK, let's give administrator rights so the app can copy stuff to some system folders, but since it should not be the standard behavior of any app, why doesn't OS X give a more detailed explanation of what will be done with the root access I'm giving? It could throw that warning popup with a button providing additional details of the operation, don't you agree?
Score: 12 Votes
slattery69
83 months ago

Download and install the xprotect update I posted before in https://forums.macrumors.com/showpost.php?p=20014686&postcount=12


No offence, but is the file safe? Not to be rude, but this thread is about downloading files from unknown sources and just installing them.
Score: 10 Votes
nagromme
83 months ago
You can NAME your trojan “worm,” but that does not make it a worm. (It does make good attention-bait for security firms’ PR departments.)

IF this bad software actually did spread BY ITSELF, then it would seem to be the first real-world successful OS X “virus.” (Technically, “worm” is the better term: a “virus” specifically infects/alters apps, while a “worm” is less specific: any malware that spreads on its own.)

But that doesn’t appear to be the case—making this just another trojan.

Any OS is vulnerable to lies, and that’s what a trojan is: someone lies to you and says “trust this program with your system!” Luckily, OS X makes trojans pretty hard to get these days: you have to go to some very specific effort to run un-trusted, unsigned code. If you know how to do that, you should know better! (Signed code can be remotely shut down by Apple if it's determined to be bad--even outside the App Store.)

Pirates beware: don’t trust shady downloads.
Score: 10 Votes

Apple is researching the use of processed titanium with unique properties for future MacBooks, iPads, and iPhones, according to a newly-granted patent application. In a filing titled "Titanium parts having a blasted surface texture," granted by the U.S. Patent and Trademark Office and spotted by Patently Apple, Apple explains how various devices could adopt titanium casings with a...