
The iWorm Botnet

Systems Affected

Mac OS X


A zombie network that exclusively targets Apple computers running Mac OS X across the globe has compromised over 18,000 machines so far, giving hackers backdoor access to infected computers, researchers at Russian antivirus firm Dr.Web warned.

The Mac malware, called iWorm, uses a complex multi-purpose backdoor, through which criminals can issue commands that get the malicious program to carry out a wide range of instructions on the infected Macs.


According to researchers, the backdoor makes extensive use of encryption in its routines. It is capable of discovering what other software is installed on the infected machine and sending out information about it (operating system), opening a port on it, downloading additional files, relaying traffic, and sending a query to a web server to acquire the addresses of the C&C servers, essentially turning your Mac into a zombie. The most interesting thing about this botnet is the method it uses to collect the IP addresses of its command and control (CnC) network: a search of Reddit posts in a Minecraft server list subreddit. The account that posted that subreddit data has now been shut down, though the malware creators are likely to set up another server list.

"It is worth mentioning that in order to acquire a control server address list, the bot uses the search service at, and – as a search query – specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date," the Russian company said in a statement on its website.

"The search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd."

Though the researchers did not mention how Mac.BackDoor.iWorm spreads, they shared that the "dropper" program of the malware allows it to be installed in the Library directory within the affected user’s account home folder, disguised as an Application Support directory for "JavaW", and that it sets itself to autostart.

Once a Mac has been infected, the software establishes a connection with the command and control server. The backdoor on the user's system can be used to receive instructions in order to perform a variety of tasks, from stealing sensitive information to receiving or spreading other malicious software. It could also change configuration or put a Mac to sleep.

"Criminals developed this malware using C++ and Lua. It should also be noted that the backdoor makes extensive use of encryption in its routines. During installation it is extracted into /Library/Application Support/JavaW, after which the dropper generates a p-list file so that the backdoor is launched automatically," the company added.


Researchers say almost a quarter of the machines in the iWorm botnet are located in the US.

Mac.BackDoor.iWorm is likely to be used to send spam emails, flood websites with traffic, or mine bitcoins. Most of the compromised machines are located in the US. Canada ranks second with 1,235 compromised addresses, followed by the United Kingdom with 1,227 addresses, and the rest are in Europe, Australia, the Russian Federation, Brazil and Mexico.

Information collected by Doctor Web’s researchers shows that most of the infected Macs—4,610, representing 26.1% of the botnet—reside in the United States. Canada ranks second, and the United Kingdom ranks third in terms of infected Macs.

Installing iWorm

During installation, the malware first installs a backdoor into the directory /Library/Application Support/JavaW, after which the dropper generates a p-list file, so that the backdoor is launched automatically. Furthermore, it disguises itself as the application com.JavaW and sets itself to autostart via /Library/LaunchDaemons/.

Analysis indicates that the malware begins to seed itself into your Mac upon initial launch: it saves its configuration data in a separate file and attempts to read the contents of the /Library directory to determine which of the installed applications it won’t be interacting with. If the bot cannot find ‘unwanted’ directories, according to reports, it uses system queries to determine the home directory of the Mac OS X account under which it is running, checks the availability of its configuration file in that directory, and writes the data it needs to continue operating into the file.

How to check if you are infected

According to research, the iWorm botnet installs itself to the following two locations:

  • /Library/Application Support/JavaW
  • /Library/LaunchDaemons

To check to see if you are infected, open the Finder window and select the Go menu, and then choose “Go to Folder.”

Copy and paste the following into the window that opens:

  • /Library/Application Support/JavaW

Then, click the Go button. If the window displays the message, “The folder can’t be found,” in the bottom left corner, then you should be safe.

However, as mentioned by Thomas Reed over at The Safe Mac, if a Finder window opens showing the contents of this folder, then you are infected.

Stay a step ahead

If after running the test above you find that you are not infected, you can take precautionary steps that enable you to receive a pop-up alert if a new item gets added to any of the locations that the iWorm malware installs itself to.

To do so, open the Finder, choose Go to Folder from the Go menu, and then copy and paste the following path into the window that pops up:

  • /Library/LaunchDaemons

Then, click the Go button.

You will be taken to the LaunchDaemons folder; right-click on the folder, and choose Folder Actions Setup.

Choose the script “add – new item alert.scpt” and click the Attach button. Then, select the checkbox to Enable Folder Actions.

If possible, repeat these steps for /Library/Application Support/JavaW.

Now, if a new item gets added to any of these locations, you will get a pop-up alert. Note that when you add alerts to these folders, not every file added is an indication of iWorm or of malware in general. You need to inspect the file and see if there are any references to JavaW.

If after inspecting the file you come to find a reference to JavaW, take immediate measures to eradicate the malware.
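The Finder check and the manual inspection of launch items described above can also be done from Terminal. The script below is an added example, not part of the original article or of any vendor's tooling; the function name check_iworm and its ROOT and HOME_DIR arguments are assumptions made here so the same check can be pointed at a mounted backup as well as the live system.

```sh
#!/bin/sh
# Added example: Terminal version of the checks described in this article.
# check_iworm ROOT HOME_DIR  (both arguments are assumptions of this example)
#   ROOT     prefix for system paths: "" = live system, or a mounted backup
#   HOME_DIR home folder to check for the per-user install location
# Prints one FOUND line per indicator; returns 0 if clean, 1 otherwise.
check_iworm() {
    root="${1:-}"
    home="${2:-$HOME}"
    hits=0

    # Install directory named in the article, system-wide and per-user.
    for dir in "$root/Library/Application Support/JavaW" \
               "$home/Library/Application Support/JavaW"; do
        if [ -e "$dir" ]; then
            echo "FOUND install directory: $dir"
            hits=$((hits + 1))
        fi
    done

    # Launch daemons whose file name or content references JavaW.
    # grep -a reads binary plists as text, so an ASCII "JavaW" still matches.
    ldir="$root/Library/LaunchDaemons"
    for plist in "$ldir"/*; do
        [ -f "$plist" ] || continue
        case "$(basename "$plist")" in
            *JavaW*) why="file name" ;;
            *) if grep -qa 'JavaW' "$plist" 2>/dev/null; then
                   why="content"
               else
                   continue
               fi ;;
        esac
        echo "FOUND launch item ($why): $plist"
        hits=$((hits + 1))
    done

    [ "$hits" -eq 0 ]
}

# Stand-alone use: sh check_iworm.sh [ROOT] [HOME_DIR]
check_iworm "${1:-}" "${2:-$HOME}" && echo "No iWorm indicators found"
```

The exit status is non-zero whenever an indicator is found, so the script can run as a scheduled check; a launch item flagged by content still needs the manual inspection described above.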

How to eradicate iWorm malware

Apple has updated its malware blacklisting system, known as XProtect, to block a Mac attack thought to have infected over 18,500 Macs.

As the Mac security threat landscape evolves, it’s ever so important to protect your computer using a layered approach to security. Yes, Macs get malware, so you should invest in Mac anti-virus software to protect your computer. In fact, it’s a good idea to get anti-virus and a firewall, as a layered defense will protect you much more effectively than any one layer by itself.

Intego VirusBarrier with up-to-date virus definitions detects and eradicates this malware, which it identifies as OSX/iWorm.


Regarding the security of your computer please consider the following basic rules:

  1. Check your computer for infection.
  2. Install current Service Packs and Security Updates for your system. Activate automatic updates.
  3. Check your internet browser and the embedded plugins (e.g. Java, Flash, Shockwave, Quicktime) regularly to make sure they are up to date.
  4. Install a virus scanner and update it regularly.
  5. Use a firewall, e.g. the Windows built-in firewall or a router.


Copyright © 2014-2015 CERT-RO. All rights reserved.