Apple Updates Malware Definitions to Protect Against Botnet Threat Coordinated Via Reddit

Last week, Russian anti-virus firm Doctor Web disclosed a newly discovered piece of OS X malware known as Mac.BackDoor.iWorm that at the time had affected roughly 17,000 machines around the world. While the exact mechanism of infection was unclear, an interesting twist to the story involves compromised machines running search queries on Reddit to obtain instructions about which command and control servers should be used to manage the botnet.

It is worth mentioning that in order to acquire a control server address list, the bot uses the search service at reddit.com, and -- as a search query -- specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date. The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd.

Once connected to a command and control server, the backdoor opened by the malware on the user's system can receive instructions to perform a variety of tasks, from stealing sensitive information to receiving or spreading additional malware.

In an effort to address the threat, Apple has now updated its "Xprotect" anti-malware system to recognize two different variants of the iWorm malware and prevent them from being installed on users' machines.

xprotect_iworm
First introduced with OS X Snow Leopard, Xprotect is a rudimentary anti-malware system that recognizes and alerts users to the presence of various types of malware. Given the relative rarity of malware targeting OS X, the malware definitions are updated infrequently, although users' machines automatically check for updates on a daily basis. Apple also uses the Xprotect system on occasion to enforce minimum version requirements for plug-ins such as Flash Player and Java, forcing users to upgrade from older versions known to carry significant security risks.

Top Rated Comments

(View all)
Avatar
76 months ago
It has been discovered how the botnet is installed. You have to download a pirated app, such as Photoshop, and then give the pirated installer administrator privileges.

No amount of malware security can fix stupid.

EDIT: Link to evidence: http://www.thesafemac.com/iworm-method-of-infection-found/ (http://www.thesafemac.com/iworm-method-of-infection-found/)
Score: 45 Votes (Like | Disagree)
Avatar
76 months ago

It has been discovered how the botnet is installed. You have to download a pirated app, such as Photoshop, and then give the pirated installer administrator privileges.

No amount of malware security can fix stupid.


Good update - a lot of the "Hey look! Mac malware!" hue and cry has, of course, come from the usual places, namely antivirus software houses - and that hue and cry has not mentioned how the damn thing gets in your Mac in the first place.

That was a glaring omission, and it was right for MacRumors to hold off until now.
Score: 21 Votes (Like | Disagree)
Avatar
76 months ago

I will have to check and see if this update is via the store or the site.


You won't find it in either because the update is via xprotect, which is updated automatically. I know there used to be a way to force an update using a terminal command, but iirc there isn't a way to do this in Mavericks (yet).
Score: 16 Votes (Like | Disagree)
Avatar
76 months ago
Well, I'm stuck with Gimp because I'm adult and don't support piracy, and Photoshop is just too expensive for amateur photography, unless it's your main and single hobby. It's not my case, since I'm a multi-interest hobbyist. I even use the buggy Audacity for recording stuff I play with my guitar.

However there's a thing that really annoys me when installing software: allowing administrator rights. Ok, let's give administrator rights so the app can copy stuff to some system folders, but since it should not be the standard behavior of any app, why OSX doesn't give a more detailed explanation of what will be done with the root access I'm giving? It could throw that warning popup with a button providing additional details of the operation, don't you agree?
Score: 12 Votes (Like | Disagree)
Avatar
76 months ago

Download and install the xprotect update I posted before in https://forums.macrumors.com/showpost.php?p=20014686&postcount=12


No offence but is the file safe? not to be rude but this thread is about downloading files from unknown sources and just installing them
Score: 10 Votes (Like | Disagree)
Avatar
76 months ago
You can NAME your trojan “worm,” but that does not make it a worm. (It does make good attention-bait for security firms’ PR departments.)

IF this bad software actually did spread BY ITSELF, then it would seem to be the first real-world successful OS X “virus.” (Technically, “worm” is the better term: a “virus” specifically infects/alters apps, while a “worm” is less specific: any malware that spreads on its own.)

But that doesn’t appear to be the case—making this just another trojan.

Any OS is vulnerable to lies, and that’s what a trojan is: someone lies to you and says “trust this program with your system!” Luckily, OS X makes trojans pretty hard to get these days: you have to go to some very specific effort to run un-trusted, unsigned code. If you know how to do that, you should know better! (Signed code can be remotely shut down by Apple if it's determined to be bad--even outside the App Store.)

Pirates beware: don’t trust shady downloads.
Score: 10 Votes (Like | Disagree)

Top Stories

Apple Takes Legal Action Against Small Company With Pear Logo

Saturday August 8, 2020 11:09 am PDT by
Apple is taking legal action against the developers of the app "Prepear" due to its logo, according to iPhone in Canada. Prepear is an app that helps users discover recipes, plan meals, make lists, and arrange grocery deliveries. The app is a spinoff of "Super Healthy Kids," and the founders claim that they are facing litigation from Apple. Apple reportedly takes issue with Prepear's logo, ...

Kuo: Global iPhone Shipments Could Decline Up to 30% If Apple Forced to Remove WeChat From App Store [Updated x2]

Sunday August 9, 2020 10:17 pm PDT by
In a worst-case scenario, Apple's annual global iPhone shipments could decline by 25–30% if it is forced to remove WeChat from its App Stores around the world, according to a new research note from analyst Ming-Chi Kuo viewed by MacRumors. The removal could occur due to a recent executive order aiming to ban U.S. transactions with WeChat and its parent company Tencent. Kuo lays out...

Google Maps Debuts New Apple Watch App and CarPlay Features

Monday August 10, 2020 9:16 am PDT by
Google today announced the launch of several features for Google Maps on Apple products, including new CarPlay functionality and a new Google Maps app that works on Apple Watch. The new Google Maps app for Apple Watch works similarly to the iOS app, allowing Apple Watch owners to get directions for a car, bike, public transit, or on foot. The app supports estimated arrival times and...

2020 iMac Teardown Reveals Internal Changes and Similarities

Saturday August 8, 2020 12:44 pm PDT by
A teardown video, shared by OWC, reveals the internal changes in the new 2020 27-inch iMac. The 2020 27-inch iMac was announced earlier this week with 10th-generation Intel Core processors, AMD Radeon Pro 5000 series graphics, up to 128GB of RAM, up to 8TB of storage, a 1080p front-facing FaceTime camera, a True Tone display with a nano-texture glass option, higher fidelity speakers, and...

Apple Seeds iOS 14 and iPadOS 14 Public Beta 4 to Testers

Thursday August 6, 2020 10:05 am PDT by
Apple today seeded new public betas of upcoming iOS 14 and iPadOS 14 updates to its public beta testing group. Today's software releases, which Apple labels as fourth betas to keep them in line with developer betas, are actually the third betas that Apple has provided and they come two weeks after the prior beta releases. Public beta testers who have signed up for Apple's beta testing...

Apple Believes This German Cycling Path Logo Infringes on Its Own Logo

Wednesday May 1, 2019 9:51 am PDT by
Apple recently objected to the logo of a new German cycling path in an appeal filed with the German Patent and Trademark Office, according to German outlets General-Anzeiger Bonn and Westdeutscher Rundfunk. Apple reportedly takes issue with the logo's green leaf and supposed "bitten" right side, attributes the company believes are too similar to its own logo. The logo, registered with the ...

Supposed iPhone 12 Display Unit Leaks

Thursday August 6, 2020 8:13 am PDT by
An image supposedly of an iPhone 12 display unit has been shared online by leaker "Twitter user Mr. White". Compared to images of an iPhone 11 Pro display piece, this new unit has a reoriented display connector, reaching up from the bottom of the display, rather than from the left-hand side on iPhone 11 Pro. This may be due to the logic board moving to the other side of the device. A...

Foxconn Reportedly Begins Seasonal Hiring Spree for iPhone 12 Production

Monday August 10, 2020 7:03 am PDT by
Apple's largest manufacturing partner Foxconn has begun its seasonal hiring spree to assist with iPhone 12 production, offering employees who recruit qualified applicants up to a 9,000 yuan bonus, according to Chinese media reports. As usual, Foxconn needs as many hands on deck as possible at its factory in Zhengzhou, China to assist with mass production of the upcoming iPhones. Apple is...

8 Third-Party Home Screen Widgets That You Can Try Out Now on iOS 14

Wednesday August 5, 2020 12:56 pm PDT by
One of the biggest new features of iOS 14 is Home Screen widgets, which provide information from apps at a glance. The widgets can be pinned to the Home Screen in various spots and sizes, allowing for many different layouts. When the iOS 14 beta was first released in June, widgets were limited to Apple's own apps like Calendar and Weather, but several third-party developers have begun to test ...

New 27-Inch iMac's Storage Affixed to Logic Board, 4TB and 8TB Configurations Have Expansion Connector

Friday August 7, 2020 7:46 am PDT by
Following a report from German blog iFun.de that claimed the new 27-inch iMac's flash storage is soldered to the logic board, MacRumors has obtained additional information in an internal document for Apple technicians. In the document, Apple says that the flash storage is indeed affixed to the logic board and cannot be removed. However, for the 4TB and 8TB configurations, Apple says that a...