Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Apple Updates Malware Definitions to Protect Against Botnet Threat Coordinated Via Reddit

MacRumors

MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,548
30,866



Last week, Russian anti-virus firm Doctor Web disclosed a newly discovered piece of OS X malware known as Mac.BackDoor.iWorm that at the time had affected roughly 17,000 machines around the world. While the exact mechanism of infection was unclear, an interesting twist to the story involves compromised machines running search queries on Reddit to obtain instructions about which command and control servers should be used to manage the botnet.
It is worth mentioning that in order to acquire a control server address list, the bot uses the search service at reddit.com, and -- as a search query -- specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date. The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd.
Click to expand...
Once connected to a command and control server, the backdoor opened by the malware on the user's system can receive instructions to perform a variety of tasks, from stealing sensitive information to receiving or spreading additional malware.

In an effort to address the threat, Apple has now updated its "Xprotect" anti-malware system to recognize two different variants of the iWorm malware and prevent them from being installed on users' machines.

xprotect_iworm.jpg
First introduced with OS X Snow Leopard, Xprotect is a rudimentary anti-malware system that recognizes and alerts users to the presence of various types of malware. Given the relative rarity of malware targeting OS X, the malware definitions are updated infrequently, although users' machines automatically check for updates on a daily basis. Apple also uses the Xprotect system on occasion to enforce minimum version requirements for plug-ins such as Flash Player and Java, forcing users to upgrade from older versions known to carry significant security risks.

Article Link: Apple Updates Malware Definitions to Protect Against Botnet Threat Coordinated Via Reddit
 
Article Link
https://www.macrumors.com/2014/10/04/iworm-malware-xprotect/
Parasprite

Parasprite

macrumors 68000
Mar 5, 2013
1,698
144
Michaelgtrusa said:
I will have to check and see if this update is via the store or the site.
Click to expand...

You won't find it in either because the update is via xprotect, which is updated automatically. I know there used to be a way to force an update using a terminal command, but iirc there isn't a way to do this in Mavericks (yet).
 
smithrh

smithrh

macrumors 68030
Feb 28, 2009
2,722
1,730
mikethebigo said:
It has been discovered how the botnet is installed. You have to download a pirated app, such as Photoshop, and then give the pirated installer administrator privileges.

No amount of malware security can fix stupid.
Click to expand...

Good update - a lot of the "Hey look! Mac malware!" hue and cry has, of course, come from the usual places, namely antivirus software houses - and that hue and cry has not mentioned how the damn thing gets in your Mac in the first place.

That was a glaring omission, and it was right for MacRumors to hold off until now.
 
nagromme

nagromme

macrumors G5
May 2, 2002
12,546
1,196
You can NAME your trojan “worm,” but that does not make it a worm. (It does make good attention-bait for security firms’ PR departments.)

IF this bad software actually did spread BY ITSELF, then it would seem to be the first real-world successful OS X “virus.” (Technically, “worm” is the better term: a “virus” specifically infects/alters apps, while a “worm” is less specific: any malware that spreads on its own.)

But that doesn’t appear to be the case—making this just another trojan.

Any OS is vulnerable to lies, and that’s what a trojan is: someone lies to you and says “trust this program with your system!” Luckily, OS X makes trojans pretty hard to get these days: you have to go to some very specific effort to run un-trusted, unsigned code. If you know how to do that, you should know better! (Signed code can be remotely shut down by Apple if it's determined to be bad--even outside the App Store.)

Pirates beware: don’t trust shady downloads.
 
Last edited:
Parasprite

Parasprite

macrumors 68000
Mar 5, 2013
1,698
144
mikethebigo said:
It has been discovered how the botnet is installed. You have to download a pirated app, such as Photoshop, and then give the pirated installer administrator privileges.

No amount of malware security can fix stupid.

EDIT: Link to evidence: http://www.thesafemac.com/iworm-method-of-infection-found/
Click to expand...

That was almost interesting while it lasted.

Arguments about viruses vs trojans and how it affects OS X below this line:
_________________________
 
Chad-VI

Chad-VI

macrumors 6502
Mar 31, 2014
255
48
What about the "Attention required Cloudflare" message that appears when opening some sites on some iOS devices ? Does that mean that these iOS devices are also infected by some kind of malware?
 
C

cr2

macrumors 6502
Feb 19, 2011
340
112
Parasprite said:
You won't find it in either because the update is via xprotect, which is updated automatically. I know there used to be a way to force an update using a terminal command, but iirc there isn't a way to do this in Mavericks (yet).
Click to expand...
How do I check if xprotect is running properly (installed and not disabled) on my Mac? Thanks in advance.
 
Parasprite

Parasprite

macrumors 68000
Mar 5, 2013
1,698
144
cr2 said:
How do I check if xprotect is running properly (installed and not disabled) on my Mac? Thanks in advance.
Click to expand...

I actually don't have an answer to that. However, there is an indirect way to do it. Go to Finder->Go->Go To Folder. Copy this into the box:
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/​

Scroll to the bottom to a file called "xprotect.meta.plist". The date it was last changed will be the last time it was modified. Mine shows 9/18/14 (I think that was when I installed 10.9.5) but yours may be different. Apple doesn't update it very often so I wouldn't be that surprised if it looks more out-of-date than this. You can check back periodically to see if it gets modified.
 
76ShovelHead

76ShovelHead

macrumors 6502a
May 30, 2010
527
32
Florida
Okay. Just to be clear here, this is not a virus? A virus is something that can manipulate/alter specific programs and spread itself, whereas a worm can do the same but not limited to specific softwares? So that makes this just another Trojan, and by trojan I mean malware that was somehow authenticated by the user and will collect sensitive information. Bottom line is, OS X is still as secure as it ever was, and non-pirate users have zilch to worry about?

Did I just answer my own question?

My only other concern is if OS X's gain in popularity may have caused this, but if I did answer my own question, then OS X is as secure as it ever was and these trojans are just another exploit that will soon byte the dust. :apple:
 
Parasprite

Parasprite

macrumors 68000
Mar 5, 2013
1,698
144
76ShovelHead said:
Okay. Just to be clear here, this is not a virus? A virus is something that can manipulate/alter specific programs and spread itself, whereas a worm can do the same but not limited to specific softwares? So that makes this just another Trojan, and by trojan I mean malware that was somehow authenticated by the user and will collect sensitive information. Bottom line is, OS X is still as secure as it ever was, and non-pirate users have zilch to worry about?

Did I just answer my own question?

My only other concern is if OS X's gain in popularity may have caused this, but if I did answer my own question, then OS X is as secure as it ever was and these trojans are just another exploit that will soon byte the dust. :apple:
Click to expand...

See here:

mikethebigo said:
It has been discovered how the botnet is installed. You have to download a pirated app, such as Photoshop, and then give the pirated installer administrator privileges.

No amount of malware security can fix stupid.

EDIT: Link to evidence: http://www.thesafemac.com/iworm-method-of-infection-found/
Click to expand...
 
T

the-msa

macrumors 6502
Oct 24, 2013
425
210
Le reddit army unite!!

Anyway, if you install pirated software from shady websites, it's your own fault.
 
D

dtich

macrumors regular
May 27, 2007
205
88
Parasprite said:
I actually don't have an answer to that. However, there is an indirect way to do it. Go to Finder->Go->Go To Folder. Copy this into the box:
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/​

Scroll to the bottom to a file called "xprotect.meta.plist". The date it was last changed will be the last time it was modified. Mine shows 9/18/14 (I think that was when I installed 10.9.5) but yours may be different. Apple doesn't update it very often so I wouldn't be that surprised if it looks more out-of-date than this. You can check back periodically to see if it gets modified.
Click to expand...

i have definitions for iworm a, b and c. plist was updated yesterday it seems....
 
S

slattery69

macrumors regular
Jun 16, 2009
194
11
Paid Shill
Neither of my macs have updated with one showing a file last updated in may2014 and the other june 2014. Can't seem to see a way to force an update either .
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom