
slattery69

macrumors regular
Jun 16, 2009
194
11
Paid Shill
No offence, but it's from apple.

Does that make it safe? Unless you ask an iphone 6 or 6+ user with ios 8.0.1 (not to be rude) I'd say yes.

However I'd just reiterate that there may still be a danger since it does not yet address the issue of the osx.iworm.d variant. When (and if) it does, I'll post an updated link.

Just checking given the topic. Looking at the URL I can see it's from Apple now. Odd that it hasn't updated automatically; if I'd not seen this thread I'd have not even thought to look, assuming it auto updated.
 

paulbele

macrumors newbie
Oct 5, 2014
1
0
Please keep in mind, if you think you have this issue, check your /etc/hosts file for something similar to this:

127.0.0.1 swscan.apple.com
127.0.0.1 swquery.apple.com
127.0.0.1 swdownload.apple.com
127.0.0.1 swcdn.apple.com
127.0.0.1 swdist.apple.com

And remove it.

In this way, the malware tries to block access to xprotect updates (as far as I know).
 

gnasher729

Suspended
Nov 25, 2005
17,980
5,565
Okay. Just to be clear here, this is not a virus? A virus is something that can manipulate/alter specific programs and spread itself, whereas a worm can do the same but not limited to specific software? So that makes this just another Trojan, and by trojan I mean malware that was somehow authenticated by the user and will collect sensitive information. Bottom line is, OS X is still as secure as it ever was, and non-pirate users have zilch to worry about?

Did I just answer my own question?

You did :)

Well, you first have to go to a website that distributes pirated software. At that point we could just say that you got what you deserved and not worry any further about it.

But you don't just try to install pirated software. When you install it, MacOS X will tell you that you are installing software by an unknown developer. If that pirated software was _original_ Adobe or Microsoft software, it would just install, you wouldn't get a warning. (Surely Adobe and Microsoft are not "unknown developers" to Apple, right?) If you proceed at that step, you don't only try to install pirated software, which means you are a criminal, you are also trying to install software that you should know has been manipulated, making you criminally stupid.

----------

Can you recommend a safe pirate site?

<kidding>

He just did. It's absolutely safe that your computer will be infected :p Or did you mean some other kind of safe?

----------

Le reddit army unite!!

Anyway, if you install pirated software from shady websites, it's your own fault.

Install software from shady websites AND ignore some severe warnings that MacOS X gives you.
 

yansun

macrumors 6502
Mar 26, 2010
279
95
That's because you haven't updated it yet. You can get the update in the link I posted earlier: https://forums.macrumors.com/posts/20014686/

I would suggest closing the file before updating it though.
The user Parasprite mentioned xprotect would be updated automatically in the background. So I was wondering. Thanks for the information.
You won't find it in either because the update is via xprotect, which is updated automatically. I know there used to be a way to force an update using a terminal command, but iirc there isn't a way to do this in Mavericks (yet).
 

djgamble

macrumors 6502a
Oct 25, 2006
989
500
Good update - a lot of the "Hey look! Mac malware!" hue and cry has, of course, come from the usual places, namely antivirus software houses - and that hue and cry has not mentioned how the damn thing gets in your Mac in the first place.

That was a glaring omission, and it was right for MacRumors to hold off until now.

Sums up Reddit really... bunch of tools who are all about trending and thinking they are elite $hizzle when they are really a bunch of kids who love putting double spaces at the end of the line AND HAVING ALL SLEDGING IN CAPITALS.
 

brdeveloper

macrumors 68030
Apr 21, 2010
2,629
313
Brasil
Well, I'm stuck with Gimp because I'm adult and don't support piracy, and Photoshop is just too expensive for amateur photography, unless it's your main and single hobby. It's not my case, since I'm a multi-interest hobbyist. I even use the buggy Audacity for recording stuff I play with my guitar.

However, there's a thing that really annoys me when installing software: allowing administrator rights. OK, let's give administrator rights so the app can copy stuff to some system folders, but since it should not be the standard behavior of any app, why doesn't OS X give a more detailed explanation of what will be done with the root access I'm giving? It could throw that warning popup with a button providing additional details of the operation, don't you agree?
 

Switchback666

macrumors 68000
Nov 16, 2012
1,600
67
SXM
I actually don't have an answer to that. However, there is an indirect way to do it. Go to Finder->Go->Go To Folder. Copy this into the box:
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/

Scroll to the bottom to a file called "xprotect.meta.plist". The date it was last changed will be the last time it was modified. Mine shows 9/18/14 (I think that was when I installed 10.9.5) but yours may be different. Apple doesn't update it very often so I wouldn't be that surprised if it looks more out-of-date than this. You can check back periodically to see if it gets modified.

Great info, man! Mine was modified yesterday :)
 

atlatnesiti

Suspended
Sep 4, 2008
839
212
Sydney, Australia
Sums up Reddit really... bunch of tools who are all about trending and thinking they are elite $hizzle when they are really a bunch of kids who love putting double spaces at the end of the line AND HAVING ALL SLEDGING IN CAPITALS.
What it really sums up, is stupidity and ignorance of the common Apple user.
 

scoobydoo99

Cancelled
Mar 11, 2003
1,007
353
Just checking given the topic. Looking at the URL I can see it's from Apple now. Odd that it hasn't updated automatically; if I'd not seen this thread I'd have not even thought to look, assuming it auto updated.

You were right to be suspicious. Following a link from a post in an online forum is exactly the kind of risky behavior that this thread addresses. Don't be lulled into a false sense of security just because you "can see it's from Apple". I doubt you'd click on a link in an email from Nigeria, even if the link has "citibank" in it. Faking URLs is trivial.
 

ArtOfWarfare

macrumors G3
Nov 26, 2007
9,566
6,072
Just curious, has a "good botnet" ever existed? IE, one that automatically and without your knowledge adds you to FOLDING@home or some similar organization? How much computing power is out there that could be used for these projects, but isn't either because the owner doesn't know or the owner doesn't care? How much of it could you trick them into contributing through this?

Not saying someone actually should do this, but it's an interesting idea I've had for a while.
 

Parasprite

macrumors 68000
Mar 5, 2013
1,698
144
However, there's a thing that really annoys me when installing software: allowing administrator rights. OK, let's give administrator rights so the app can copy stuff to some system folders, but since it should not be the standard behavior of any app, why doesn't OS X give a more detailed explanation of what will be done with the root access I'm giving? It could throw that warning popup with a button providing additional details of the operation, don't you agree?

Reminds me of installing Microsoft Office...

"I know this is gonna **** up my fonts, this is gonna **** up my fonts...*breathes* *looks away and clicks*"

----------

Just curious, has a "good botnet" ever existed? IE, one that automatically and without your knowledge adds you to FOLDING@home or some similar organization? How much computing power is out there that could be used for these projects, but isn't either because the owner doesn't know or the owner doesn't care? How much of it could you trick them into contributing through this?

Not saying someone actually should do this, but it's an interesting idea I've had for a while.

I just imagine someone spreading a virus that silently installs legitimate antivirus software which would then run in the background and automatically update itself without your knowledge. :eek:
 

V.K.

macrumors 6502a
Dec 5, 2007
716
466
Toronto, Canada
It has been discovered how the botnet is installed. You have to download a pirated app, such as Photoshop, and then give the pirated installer administrator privileges.

No amount of malware security can fix stupid.

EDIT: Link to evidence: http://www.thesafemac.com/iworm-method-of-infection-found/

Thanks a lot for this link. That site (not just the page you linked) is well worth reading for good advice and explanation about OS X, malware and antivirus programs.
http://www.thesafemac.com/mmg/


How do I check if xprotect is running properly (installed and not disabled) on my Mac? Thanks in advance.

I don't know how to do it with absolute certainty, but as was suggested you can check the modification dates on the XProtect plists. In Finder, press shift+command+G and enter

/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources

This will open this directory in Finder. Check the modification dates for XProtect.meta.plist and XProtect.plist.

If they are recent (like in the last 24 hours) you should be fine.


BTW, if you want to see the list of all malware XProtect detects, you can run this in Terminal:

cat /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist |grep OSX

To put some perspective on the amount of OS X malware out there, that's 41 items total including variations of the same malware like iWorm.A, iWorm.B and iWorm.C.
 
Last edited:
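The two manual checks suggested in this thread (the /etc/hosts entries for Apple's update servers and the XProtect plist modification dates), combined into one shell script. This is an added example, not part of any post; the function names are made up here, the host names are the five quoted earlier in the thread, and the 24-hour window is the figure from the post above.

```shell
#!/bin/sh
# Added example, not from the thread. The five host names are the ones quoted
# in the /etc/hosts post; function names are made up for this sketch.
UPDATE_HOSTS="swscan.apple.com swquery.apple.com swdownload.apple.com swcdn.apple.com swdist.apple.com"

# Print "address name" for every update host that the hosts file overrides.
# Comments are ignored; tabs, several names per line and upper case are handled.
blocked_update_hosts() {
    awk -v list="$UPDATE_HOSTS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        { sub(/#.*/, "") }
        NF >= 2 { for (i = 2; i <= NF; i++) { h = tolower($i); if (h in want) print $1, h } }
    ' "${1:-/etc/hosts}"
}

# Succeed if file $1 exists and was modified less than $2 days ago.
modified_within_days() {
    [ -f "$1" ] && [ -n "$(find "$1" -mtime "-$2" 2>/dev/null)" ]
}

# Run both checks; optional arguments override the hosts file and plist directory.
report() {
    hosts=${1:-/etc/hosts}
    dir=${2:-/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources}
    if [ -r "$hosts" ]; then
        found=$(blocked_update_hosts "$hosts")
        if [ -n "$found" ]; then
            echo "Update hosts overridden in $hosts (remove these lines):"
            echo "$found"
        else
            echo "No update-host overrides in $hosts"
        fi
    fi
    for f in XProtect.meta.plist XProtect.plist; do
        if modified_within_days "$dir/$f" 1; then
            echo "$f: modified in the last 24 hours"
        else
            echo "$f: missing or older than 24 hours"
        fi
    done
    return 0
}

report "$@"
```

An older plist date is not proof of a problem by itself, since the thread notes Apple does not update these files very often; an override of the update hosts in /etc/hosts is the stronger signal.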

Solomani

macrumors 601
Sep 25, 2012
4,785
10,477
Slapfish, North Carolina
You won't find it in either because the update is via xprotect, which is updated automatically. I know there used to be a way to force an update using a terminal command, but iirc there isn't a way to do this in Mavericks (yet).

So this is a silent "in-the-background" update that Apple pushes to my Internet-connected iMac?
 