Perimeter

10/6/2014 01:55 PM
Apple Makes Move To Shut Down Mac Botnet

Cupertino engineers move swiftly to contain a Trojan outbreak reportedly propagated through pirated software.

Just days after the discovery of a botnet composed of thousands of Macs, Apple released an update to its OS X antimalware component that combats the malware associated with the infections. Updated over the weekend, the little-publicized XProtect feature in OS X now includes definitions that prevent three variants of the Mac.BackDoor.iWorm malware from installing on new machines.

The weekend also yielded more research showing that The Pirate Bay likely played a big role in the propagation of iWorm to affected machines. Acting on a tip from an anonymous researcher, the independent researcher Thomas Reed confirmed on his The Safe Mac blog that the iWorm installer was found in a pirated Photoshop install package modified to hide the malicious executable. In his tests, Reed found that he first had to override Apple's Gatekeeper restrictions, which warn users installing the malicious executable that the application they are attempting to run contains unsigned code. However, this warning would likely do nothing to deter users knowingly installing pirated software; they would expect the contraband software to have been modified to get around anti-piracy measures.

"The very first thing that happened when I opened the app was that I was asked for my admin password," Reed explained. "I provided it, and an official-looking Adobe installer started up, but by then the damage was done. The instant I provided the password, the iWorm malware was installed."

In spite of its name, though, the malware itself exhibits no worm-like functions.

"At this point, it looks like this is far more prosaic," Reed says. "It's just a Trojan in the form of pirated software that has been modified."

The botnet came to light last week when researchers with Dr. Web released details showing that iWorm had helped its authors herd more than 18,000 infected machines into its zombie network. Once the attackers infect a system with the malware, they use a novel command-and-control (C&C) scheme that avoids exposing the location of centralized C&C servers. Rather than hard-coding IP addresses in the malware, they post the information as encoded comments in Reddit forums, under a name derived from an MD5 hash of the current date. Infected systems then use Reddit's search function to find the current list of servers and ports.

Used to stop threats like iWorm and to push out mandatory updates of Flash, XProtect is a very basic anti-malware system with no fixed, or even public, update schedule. Details about additions to its definitions can be found only by looking at a file called XProtect.plist, hidden deep in the system folders. Testing by Reed and other Mac users online found that XProtect's latest automatic update of the plist file includes entries for iWorm and prevents installation of the malware. However, Mac Rumors forum users warn that the malware does have some countermeasures that may interfere with infected machines' ability to communicate with Apple's update servers.

Users can check whether they have been infected with the Trojan by looking for a folder at /Library/Application Support/JavaW, which is dropped by iWorm's installer, Reed says.
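As an added, defender-side example (not code from the article or from Reed), the following POSIX shell script checks a Mac, or a mounted image of one, for the two host-level facts reported above: the dropper folder iWorm's installer leaves behind, and whether the local XProtect definitions mention iWorm. The ROOT argument is an assumption for testability, and the XProtect.plist location is assumed for OS X releases of that era; later versions keep the file elsewhere.

```shell
#!/bin/sh
# Added example, not code from the article. Checks a Mac (or a mounted image)
# for the indicator the article describes and for XProtect coverage of iWorm.
# ROOT defaults to "/" and is an assumed parameter so the checks can be run
# against a mounted volume or a test directory as well as the live system.

# Location of the XProtect definitions file. Assumed for OS X releases of
# the 2014 era; later macOS versions keep it elsewhere, so adjust if needed.
xprotect_plist_path() {
  root="${1:-/}"
  printf '%s\n' "${root%/}/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist"
}

# Returns 0 if the folder dropped by iWorm's installer is present under ROOT.
iworm_dropper_present() {
  root="${1:-/}"
  [ -d "${root%/}/Library/Application Support/JavaW" ]
}

# Returns 0 if the XProtect definitions under ROOT are readable and mention
# iWorm (case-insensitive), 1 otherwise.
xprotect_covers_iworm() {
  plist="$(xprotect_plist_path "$1")"
  [ -r "$plist" ] && grep -qi 'iworm' "$plist"
}

# Prints a summary. Exit status 0 = no indicator found, 1 = indicator found.
# Missing XProtect coverage is reported but does not by itself fail the check.
iworm_host_check() {
  root="${1:-/}"
  status=0
  if iworm_dropper_present "$root"; then
    echo "WARNING: iWorm dropper folder present: ${root%/}/Library/Application Support/JavaW"
    status=1
  else
    echo "OK: no iWorm dropper folder under ${root:-/}"
  fi
  plist="$(xprotect_plist_path "$root")"
  if [ ! -r "$plist" ]; then
    echo "NOTE: XProtect.plist not readable at assumed path: $plist"
  elif xprotect_covers_iworm "$root"; then
    echo "OK: XProtect definitions mention iWorm"
  else
    echo "NOTE: XProtect definitions do not yet mention iWorm; check for an update"
  fi
  return "$status"
}

# Usage: sh iworm_check.sh [ROOT]   (ROOT defaults to the live system)
iworm_host_check "$@"
```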

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Marilyn Cohodas, 10/10/2014 | 3:08:09 PM
Re: Mac is becoming target
@Robert McDougal, It was something I came across by accident, but it is a timely data point, which didn't get too much media play.
Robert McDougal, 10/10/2014 | 3:00:10 PM
Re: I know I'm being snarky, but...
@Dr.T I think this just goes back to what we said 5 years ago. Macs are vulnerable; they just have a smaller user base, making them a less profitable target. However, since then more people have adopted Macs, making the platform appear much more lucrative.
Robert McDougal, 10/10/2014 | 2:57:46 PM
Re: Mac is becoming target
@Marilyn Thanks for sharing! I have not seen that quote before. Based on my own experience I have seen more and more vulnerabilities designed for the Mac platform but haven't had any hard facts to back it up.
Robert McDougal, 10/10/2014 | 2:56:05 PM
Re: Mac is becoming target
@Dr.T I have to agree with you. Apple is playing from behind in the realm of vulnerability response because historically it hasn't been something they have had to worry about. However, the game has now changed and Apple needs to catch up.
Marilyn Cohodas, 10/10/2014 | 9:48:41 AM
Re: Mac is becoming target
Coincidentally, Kaspersky Lab recently calculated the chances of a malicious programme making it onto a Mac OS X device at about 3%, compared to the 21% infection risk facing Windows users. According to Eugene Kaspersky, Chairman and CEO at Kaspersky Lab, in a September 29 press release:

"In the past four years, the Mac threat landscape has significantly changed – from isolated cases to the global epidemic caused by Flashback worm, which infected 700,000 Mac devices across the globe in 2011. That was a tipping point; after that we saw hundreds of new malicious programs for Macs each year. Moreover, Mac OS X was in the focus of headline-making spy operations such as The Mask/Careto and Icefog
Dr.T, 10/9/2014 | 7:42:23 PM
Re: I know I'm being snarky, but...
True, in my view; that was the impression, but we cannot really claim that any more, I would say. Mac is as vulnerable as other OSs.
Dr.T, 10/9/2014 | 7:40:43 PM
Re: I know I'm being snarky, but...
I partially agree. Users are the main initiators of security issues; however, OSs may not have enough countermeasures to minimize the impact. There are no real solutions to the problems if we consider users to be the problem.
Dr.T, 10/9/2014 | 7:34:51 PM
Mac is becoming target
Obviously the Mac is becoming more of a target every day, and we are seeing more vulnerabilities in the Mac too. We were hoping and thinking that the Mac is more secure compared with other OSs; we cannot really claim that anymore.
Thomas Claburn, 10/6/2014 | 4:44:38 PM
Re: I know I'm being snarky, but...
Indeed, Macs are not invincible, but in my experience they're not often involved in security incidents unless the user is careless (or the individual is specifically targeted by a skilled attacker). I recently had to clean an adware popup extension from my wife's version of Chrome on a MacBook Pro that she had been duped into installing. I've been running Macs at home since 1984 and this is the first time I've ever seen actual adware/malware on a Mac. I downloaded ClamXav and it did find one other piece of malware, written for Windows, in an email attachment. One incident in 30 years...
Sara Peters, 10/6/2014 | 2:39:56 PM
I know I'm being snarky, but...
...are people beginning to change their beliefs that Macs are more secure than PCs? Or at least, that Macs aren't entirely invincible?