
Thanks for this. That would appear to be the critical check.
This folder suggests the Mac has been infected: /Library/Application Support/JavaW

The method of replication doesn't seem to be mentioned in those links, but it's highly likely that the Mac.BackDoor.iWorm is not self replicating and requires some action to install it, such as installing software from untrusted sources. But perhaps it exploits a browser flaw or uses some other method and visiting an infected site is enough. Just to be on the safe side, now would be a good time for everyone to make sure they have recent backups of everything on their Mac.
 
When I first saw the headline, on AppleInsider, I assumed it was an April Fool's joke –

'iWorm' malware controls Macs via Reddit, more than 17K affected

– then I noticed the date, 2014-10-03.

The Mac.BackDoor.iWorm threat in detail — Dr.Web - innovation anti-virus security technologies. Comprehensive protection from Internet threats. (2014-09-29)

Unless I'm missing something, there's no explanation of how the directory is created –

/Library/Application Support/JavaW

Bear in mind, the Application Support directory in that domain is owned by root (System), read-only to other users:

Code:
sh-3.2$ ls -@adel /Library/Application\ Support/
drwxr-xr-x  154 root  admin  5236 14 Sep 07:25 /Library/Application Support/
sh-3.2$ sw_vers ; date
ProductName:	Mac OS X
ProductVersion:	10.9.5
BuildVersion:	13F34
Sat  4 Oct 2014 05:32:13 BST
sh-3.2$

I agree with some of the comments under the AppleInsider article. For Mac.BackDoor.iWorm to be a threat, it appears that the user must authorise its installation.

The usual advice: installing software from untrusted sources can have unexpected consequences.
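A defender's check for the indicator directory named above and for the root ownership the ls output shows, as an added example that is not from the thread or from Dr.Web; the optional path prefix is an assumption so the functions can be exercised against a constructed tree instead of the live /Library.

```sh
#!/bin/sh
# Added example (not from the thread): look for the iWorm indicator directory
# and report who owns its parent. The optional prefix argument is an assumption
# so the same functions can run against a constructed tree; on a real Mac call
# them with no argument so they inspect /Library directly.

IWORM_INDICATOR="/Library/Application Support/JavaW"

# Returns 0 and prints a warning if the indicator directory exists under the
# optional prefix $1; returns 1 when it is absent.
check_iworm_indicator() {
    target="${1:-}${IWORM_INDICATOR}"
    if [ -d "$target" ]; then
        echo "WARNING: indicator directory present: $target"
        return 0
    fi
    echo "clean: no $target"
    return 1
}

# Prints the owner of directory $1. ls is used rather than stat because the
# stat flags differ between macOS and Linux; prints "missing" if $1 is absent.
dir_owner() {
    [ -d "$1" ] || { echo "missing"; return 1; }
    ls -ld "$1" | awk '{ print $3 }'
}

# Returns 0 if the parent of the indicator is owned by root, as the thread's
# ls output shows for /Library/Application Support. In that case creating
# JavaW there required elevated rights, i.e. the user authorised something.
report_parent_ownership() {
    parent="${1:-}/Library/Application Support"
    owner=$(dir_owner "$parent")
    if [ "$owner" = "root" ]; then
        echo "$parent is owned by root: creating JavaW needed elevated rights"
        return 0
    fi
    echo "$parent is owned by '$owner', not root: investigate how that happened"
    return 1
}

# Stand-alone run; pass a prefix as $1 to inspect a copied or mounted tree.
check_iworm_indicator "$1"
report_parent_ownership "$1"
```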
 
I agree with some of the comments under the AppleInsider article. For Mac.BackDoor.iWorm to be a threat, it appears that the user must authorise its installation.

The usual advice: installing software from untrusted sources can have unexpected consequences.

True, even the recent bash bug can only damage/write to those areas with write permissions of the user (or group) that runs bash (most often a web server run as a low privileged user). Hopefully we will learn more about the infection method soon.
 
Thanks for this. That would appear to be the critical check.
This folder suggests the Mac has been infected: /Library/Application Support/JavaW

The method of replication doesn't seem to be mentioned in those links, but it's highly likely that the Mac.BackDoor.iWorm is not self replicating and requires some action to install it, such as installing software from untrusted sources. But perhaps it exploits a browser flaw or uses some other method and visiting an infected site is enough. Just to be on the safe side, now would be a good time for everyone to make sure they have recent backups of everything on their Mac.

The malware and adware I find on OSX seems to be coming through mostly via exploit from outdated versions of Oracle's Java SE 7&8. Apple's supported SE 6 is disabled in the browser by default whereas Oracle's plugins are not.

Other suspected attack vectors may come from Acrobat, Flash and possibly Silverlight too which is getting exploited on the Windows platform a lot more nowadays.

As OSX gains market share, which post-Yosemite I can only see increasing by a lot, the days of having no protection on the Mac are beginning to come to an end if the user has plug-ins installed which are susceptible to exploits.

If you run none of the above you'll be OK for now, but new users to OSX coming from Windows will be as gullible as they always were, clicking on the wrong link and filling in a password prompt.
 
The malware and adware I find on OSX seems to be coming through mostly via exploit from outdated versions of Oracle's Java SE 7&8. Apple's supported SE 6 is disabled in the browser by default whereas Oracle's plugins are not. …

Did you mean that enabling by default was a problem with some of the versions that are outdated?

There should be no such problem with current versions. Please view security preferences for the browser, and the Java Control Panel, for a new user of OS X; compare with your own preferences.

(For me, the plug-in for Java 8 Update 20 is not allowed by default. For a new user of Safari 7.1 (9537.85.10.17.1) on OS X 10.9.5, the security preference for Java is to ask the user; see below.)
 

Attachment: Safari.png (screenshot of the Safari security preference for Java)
Did you mean that enabling by default was a problem with some of the versions that are outdated?

There should be no such problem with current versions. Please view security preferences for the browser, and the Java Control Panel, for a new user of OS X; compare with your own preferences.

(For me, the plug-in for Java 8 Update 20 is not allowed by default. For a new user of Safari 7.1 (9537.85.10.17.1) on OS X 10.9.5, the security preference for Java is to ask the user; see below.)

I don't use Oracle's JVM on my Macs, only SE6, which I have to have installed for Adobe CS6. Due largely to Oracle taking too long to patch their VM, nowhere near fast enough with updates for exploits already out in the wild, and because an exploit found in Windows is much easier to port across to the Mac, it's the number one app I remove from any client's computer, Mac or Windows, if I find out they don't have a true specific use for it. It's been the number one backdoor target for malware coders for years now and I can't see it changing.
 