New "Mac.BackDoor.iWorm" worm discovered & affecting 17000 Macs

Discussion in 'macOS' started by supertonic, Oct 3, 2014.

  1. supertonic, Oct 3, 2014
    Last edited: Oct 3, 2014
  2. alex0002, Oct 3, 2014
    Last edited: Oct 3, 2014

    alex0002 macrumors 6502

    Joined:
    Jun 19, 2013
    Location:
    New Zealand
    #2
    Thanks for this. That would appear to be the critical check.
    This folder suggests the Mac has been infected: /Library/Application Support/JavaW

    The method of replication doesn't seem to be mentioned in those links, but it's highly likely that the Mac.BackDoor.iWorm is not self replicating and requires some action to install it, such as installing software from untrusted sources. But perhaps it exploits a browser flaw or uses some other method and visiting an infected site is enough. Just to be on the safe side, now would be a good time for everyone to make sure they have recent backups of everything on their Mac.
     
  3. grahamperrin macrumors 601

    grahamperrin

    Joined:
    Jun 8, 2007
    #3
    When I first saw the headline, on AppleInsider, I assumed it was an April Fool's joke –

    'iWorm' malware controls Macs via Reddit, more than 17K affected

    – then I noticed the date, 2014-10-03.

    The Mac.BackDoor.iWorm threat in detail — Dr.Web - innovation anti-virus security technologies. Comprehensive protection from Internet threats. (2014-09-29)

    Unless I'm missing something, there's no explanation of how the directory is created –

    /Library/Application Support/JavaW

    Bear in mind, the Application Support directory in that domain is owned by root (System), read-only to other users:

    Code:
    sh-3.2$ ls -@adel /Library/Application\ Support/
    drwxr-xr-x  154 root  admin  5236 14 Sep 07:25 /Library/Application Support/
    sh-3.2$ sw_vers ; date
    ProductName:	Mac OS X
    ProductVersion:	10.9.5
    BuildVersion:	13F34
    Sat  4 Oct 2014 05:32:13 BST
    sh-3.2$ 
    I agree with some of the comments under the AppleInsider article. For Mac.BackDoor.iWorm to be a threat, it appears that the user must authorise its installation.

    The usual advice: installing software from untrusted sources can have unexpected consequences.
     
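    A small defender-side check for the indicator discussed above, added here as an example and not code from the thread or from Dr.Web. It only reports: whether the directory exists, its ownership, and whether the root-owned parent is writable by the invoking user. The path is the one named in the thread; the helper names are my own.

    ```shell
    #!/bin/sh
    # Added example: check for the Mac.BackDoor.iWorm indicator directory
    # named in this thread. Read-only; it never creates or removes anything.
    # Assumes a POSIX sh with ls and dirname (present on OS X and Linux).

    INDICATOR_DIR="/Library/Application Support/JavaW"

    # indicator_state PATH -> prints "present" or "absent"
    indicator_state() {
        if [ -e "$1" ]; then echo present; else echo absent; fi
    }

    # check_indicator PATH
    # Returns 0 when the path is absent (nothing found) and 1 when it is
    # present, printing ownership details so a reviewer can see who could
    # have created it. ls -ld is used rather than the macOS-only -@ / -e.
    check_indicator() {
        path="$1"
        parent=$(dirname "$path")
        if [ "$(indicator_state "$path")" = present ]; then
            printf 'SUSPECT: %s exists\n' "$path"
            ls -ld "$path"
            ls -ld "$parent"
            if [ -w "$parent" ]; then
                printf 'note: %s is writable by the current user\n' "$parent"
            else
                printf 'note: %s is NOT writable by the current user\n' "$parent"
                printf '      (creating %s needed elevated privileges)\n' "$path"
            fi
            return 1
        fi
        printf 'clean: %s not present\n' "$path"
        return 0
    }

    # Optional first argument overrides the path (handy for testing).
    check_indicator "${1:-$INDICATOR_DIR}"
    ```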
  4. alex0002, Oct 3, 2014
    Last edited: Oct 3, 2014

    alex0002 macrumors 6502

    Joined:
    Jun 19, 2013
    Location:
    New Zealand
    #4
    True, even the recent bash bug can only damage/write to those areas with write permissions of the user (or group) that runs bash (most often a web server run as a low privileged user). Hopefully we will learn more about the infection method soon.
     
  5. alex0002 macrumors 6502

    Joined:
    Jun 19, 2013
    Location:
    New Zealand
    #5
  6. Gav Mack macrumors 68020

    Gav Mack

    Joined:
    Jun 15, 2008
    Location:
    Sagittarius A*
    #6
    The malware and adware I find on OSX seems to be coming through mostly via exploit from outdated versions of Oracle's Java SE 7&8. Apple's supported SE 6 is disabled in the browser by default whereas Oracle's plugins are not.

    Other suspected attack vectors may come from Acrobat, Flash and possibly Silverlight too which is getting exploited on the Windows platform a lot more nowadays.

    As OSX gains market share, which post-Yosemite I can only see increasing by a lot, the days of having no protection on the Mac are beginning to come to an end if the user has plug-ins installed which are susceptible to exploits.

    If you run none of the above you'll be ok for now, but new users to OSX coming from Windows will be as gullible as they always were, clicking on the wrong link and filling in a password prompt.
     
  7. grahamperrin, Oct 4, 2014
    Last edited: Oct 4, 2014

    grahamperrin macrumors 601

    grahamperrin

    Joined:
    Jun 8, 2007
    #7
    Did you mean that enabling by default was a problem with some of the versions that are outdated?

    There should be no such problem with current versions. Please view security preferences for the browser, and the Java Control Panel, for a new user of OS X; compare with your own preferences.

    (For me, the plug-in for Java 8 Update 20 is not allowed by default. For a new user of Safari 7.1 (9537.85.10.17.1) on OS X 10.9.5, the security preference for Java is to ask the user; see below.)
     

  8. Gav Mack macrumors 68020

    Gav Mack

    Joined:
    Jun 15, 2008
    Location:
    Sagittarius A*
    #8
    I don't use Oracle's JVM on my Macs, only SE6 which I have to have installed for Adobe CS6. Due a lot to Oracle taking too long patching their VM, nowhere near fast enough with updates which already have exploits out in the wild, and if you have found an exploit in Windows it's much easier to port that across to the Mac, it's my number one app I remove off any client's computer, Mac or Windows, if I find out they don't have a true specific use for it. It's been the number one backdoor target for malware coders for years now and I can't see it changing.
     