Just days after the discovery of a botnet composed of thousands of Macs, Apple released an update to its OS X antimalware component that combats the malware behind the infections. Updated over the weekend, the little-publicized XProtect feature in OS X now includes definitions for three variants of the Mac.BackDoor.iWorm malware, preventing them from installing on machines that have received the update.
The weekend also yielded more research suggesting that The Pirate Bay likely played a big role in spreading iWorm. Acting on a tip from an anonymous researcher, independent researcher Thomas Reed confirmed on his The Safe Mac blog that the iWorm installer was embedded in a pirated Photoshop install package that had been modified to hide the malicious executable. In his tests, Reed found that he first had to override Gatekeeper, which warns users that the application they are attempting to run is unsigned. That warning would likely do nothing to deter users knowingly installing pirated software; they would expect the contraband package to have been modified to get around anti-piracy measures.
"The very first thing that happened when I opened the app was that I was asked for my admin password," Reed explained. "I provided it, and an official-looking Adobe installer started up, but by then the damage was done. The instant I provided the password, the iWorm malware was installed."
In spite of the name, though, the malware itself exhibits no worm-like functions.
"At this point, it looks like this is far more prosaic," Reed says. "It's just a Trojan in the form of pirated software that has been modified."
The botnet came to light last week when researchers with Dr. Web released details showing that iWorm had herded more than 18,000 infected machines into its zombie network. Once a system is infected, the attackers use a novel command and control (C&C) scheme that avoids exposing the location of their central C&C servers. Rather than hard-coding IP addresses in the malware, they post the server information as encoded comments on Reddit, in a location derived from an MD5 hash of the current date. Infected systems use Reddit's search function to find those comments and recover the list of servers and ports.
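The dead-drop mechanism described above, as an added worked example that is not code from the article, from Dr. Web, or from the malware itself: the bot derives a search term from the day's date, finds comments that carry that term, and decodes the server list from them. The date format, the 8-character key length, the "key payload" comment layout and the base64 payload are all assumptions made for this illustration; the sample comments are constructed.

```python
import base64
import binascii
import datetime
import hashlib
import re

# Constructed illustration of a date-keyed Reddit dead drop, as described in
# the article. The date format, 8-character key length, "key payload" comment
# layout and base64 payload are ASSUMPTIONS made for this example; they are
# not iWorm's real encoding.

KEY_LEN = 8


def search_key(day: datetime.date) -> str:
    """Day-specific search term: MD5 of the ISO date string, truncated (assumed scheme)."""
    digest = hashlib.md5(day.strftime("%Y-%m-%d").encode("ascii")).hexdigest()
    return digest[:KEY_LEN]


def encode_comment(day: datetime.date, servers) -> str:
    """Operator side: key + base64('host:port' lines) so the bots' search finds it."""
    body = "\n".join(f"{host}:{port}" for host, port in servers)
    payload = base64.b64encode(body.encode("ascii")).decode("ascii")
    return f"{search_key(day)} {payload}"


_HOST_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def decode_comment(comment: str, day: datetime.date):
    """Bot side: accept only comments keyed to `day`; return validated (host, port) pairs."""
    parts = comment.strip().split(None, 1)
    if len(parts) != 2 or parts[0] != search_key(day):
        return []
    try:
        body = base64.b64decode(parts[1], validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return []
    servers = []
    for line in body.splitlines():
        m = _HOST_PORT.match(line.strip())
        if not m:
            continue
        host, port = m.group(1), int(m.group(2))
        if 0 < port < 65536 and all(int(octet) < 256 for octet in host.split(".")):
            servers.append((host, port))
    return servers


def harvest(comments, day: datetime.date):
    """Collect servers from a page of search results; noise and stale drops are ignored."""
    found = []
    for comment in comments:
        found.extend(decode_comment(comment, day))
    return found


# Constructed sample "search results": noise, today's drop, and yesterday's stale drop.
SAMPLE_DAY = datetime.date(2014, 10, 6)
SAMPLE_SERVERS = [("192.0.2.10", 443), ("198.51.100.7", 8080)]
SAMPLE_COMMENTS = [
    "Anyone know a good server list?",
    encode_comment(SAMPLE_DAY, SAMPLE_SERVERS),
    encode_comment(SAMPLE_DAY - datetime.timedelta(days=1), [("203.0.113.9", 22)]),
]

if __name__ == "__main__":
    print("search term for", SAMPLE_DAY, "=", search_key(SAMPLE_DAY))
    print("servers:", harvest(SAMPLE_COMMENTS, SAMPLE_DAY))
```

The same `search_key` derivation is what a defender wants once the scheme is known: computing today's term lets you search for the operators' drops, and a proxy rule that flags Reddit search queries matching the day's key is a cheap network indicator. Note that the bot only validates that the comment carries the expected key; anyone who works out the scheme can post their own list, which is why botnet takeovers of this kind of dead drop are possible.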
XProtect, which Apple also uses to block known malware and outdated versions of plug-ins such as Flash, is a very basic signature-based antimalware component with no fixed or published update schedule. Details of additions to it can be found only by reading the definitions file, XProtect.plist, which lives at /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist. Testing by Reed and other Mac users online found that the latest automatic update of that file includes entries for iWorm and blocks installation of the malware. However, Mac Rumors forum users warn that the malware has countermeasures that may interfere with an infected machine's ability to communicate with Apple's update servers, so an already-infected Mac may never receive the definitions.
Users can check whether they have been infected by looking for a folder at /Library/Application Support/JavaW, which iWorm's installer drops, Reed says.
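The two checks above, as an added example that is not code from the article or from Reed: read XProtect.plist and list the definitions that mention iWorm, and look for the JavaW folder the installer drops. The plist path and the indicator path are the ones named in the article and in OS X of that era; the sample plist embedded below is constructed and simplified (real entries also carry LaunchServices and Matches data), and the `root` parameter is an addition so the check can be pointed at a mounted disk image instead of the live system.

```python
import os
import plistlib

# Real locations on OS X of that era (2014). The sample plist below is
# CONSTRUCTED and simplified; real entries also carry LaunchServices and
# Matches data alongside Description.
XPROTECT_PLIST = "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist"
IWORM_INDICATORS = ["/Library/Application Support/JavaW"]

SAMPLE_XPROTECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict><key>Description</key><string>OSX.FlashBack.A</string><key>Matches</key><array/></dict>
  <dict><key>Description</key><string>OSX.iWorm.A</string><key>Matches</key><array/></dict>
  <dict><key>Description</key><string>OSX.iWorm.B</string><key>Matches</key><array/></dict>
  <dict><key>Description</key><string>OSX.iWorm.C</string><key>Matches</key><array/></dict>
</array>
</plist>
"""


def definitions_matching(plist_bytes: bytes, needle: str):
    """Return the Description of every XProtect entry whose name contains `needle` (case-insensitive)."""
    entries = plistlib.loads(plist_bytes)
    needle = needle.lower()
    return sorted(e.get("Description", "") for e in entries
                  if needle in e.get("Description", "").lower())


def present_indicators(paths, root="/"):
    """Return the indicator paths that exist under `root` (a mounted image or the live system)."""
    return [p for p in paths if os.path.exists(os.path.join(root, p.lstrip("/")))]


def check_host(plist_path=XPROTECT_PLIST, root="/"):
    """Run both checks; returns (matching definitions, indicator paths present)."""
    try:
        with open(plist_path, "rb") as f:
            defs = definitions_matching(f.read(), "iworm")
    except OSError:
        defs = []  # not a Mac, or the definitions file is not readable
    return defs, present_indicators(IWORM_INDICATORS, root)


if __name__ == "__main__":
    defs, hits = check_host()
    print("XProtect iWorm definitions:", defs or "none (XProtect not updated, or not OS X)")
    print("iWorm indicator paths present:", hits or "none")
```

An empty definitions list on a Mac that should have updated is itself a finding, given the forum reports that the malware can block communication with Apple's update servers; in that case the indicator check is the one to trust, and the definitions should be compared against a known-clean machine.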