Perimeter
10/6/2014 01:55 PM
Apple Makes Move To Shut Down Mac Botnet

Cupertino engineers move swiftly to contain a Trojan outbreak reportedly propagated through pirated software.

Just days after the discovery of a botnet composed of thousands of Macs, Apple released an update to its OS X antimalware component that combats the malware associated with the infections. Updated over the weekend, the little-publicized XProtect feature in OS X now includes definitions to prevent three variations of the Mac.BackDoor.iWorm malware from installing on new machines.

The weekend also yielded more research showing that The Pirate Bay likely played a big role in propagating iWorm to affected machines. Acting on a tip from an anonymous researcher, independent researcher Thomas Reed confirmed on his The Safe Mac blog that the iWorm installer was found in a pirated Photoshop install package modified to hide the malicious executable. In his tests, Reed found that he first had to override Apple's Gatekeeper restrictions, which warn users installing the malicious executable that the application they are attempting to run contains unsigned code. However, this warning would likely do nothing to deter users knowingly installing pirated software; they would expect the contraband software to have been modified to get around anti-piracy measures.

"The very first thing that happened when I opened the app was that I was asked for my admin password," Reed explained. "I provided it, and an official-looking Adobe installer started up, but by then the damage was done. The instant I provided the password, the iWorm malware was installed."

In spite of the name, though, the malware itself exhibits no worm-like functions.

"At this point, it looks like this is far more prosaic," Reed says. "It's just a Trojan in the form of pirated software that has been modified."

The botnet came to light last week when researchers with Dr. Web released details showing that iWorm had helped its authors herd more than 18,000 infected machines into its zombie network. Once the attackers infect a system with the malware, they use a novel command-and-control (C&C) scheme to avoid exposing the location of centralized C&C servers. Rather than hard-coding IP addresses, they post the information as encoded comments in Reddit forums, under a name derived from an MD5 hash of the current date. Infected systems then use Reddit's search function to find the current list of servers and ports.

Used to stop threats like iWorm and to push out mandatory updates of Flash, XProtect is a very basic anti-malware system with no fixed, or even publicly announced, update schedule. Details about additions to the system can be found only by looking at a file called XProtect.plist hidden deep in the system folders. Testing by Reed and other Mac users online found that XProtect's latest automatic update of the plist file includes entries for iWorm and prevents the installation of the malware. However, Mac Rumors forum users warn that the malware does have some countermeasures that may interfere with infected machines' ability to communicate with Apple's update servers.

Users can check whether they have been infected with the Trojan by looking for a folder at /Library/Application Support/JavaW dropped by iWorm's installer, Reed says.
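The two host-side checks the article describes, the dropped folder and the XProtect.plist definitions, can be scripted. The following is an added example written for this page, not code from Apple, Dr. Web or Thomas Reed. It assumes the XProtect.plist location used by OS X at the time (an assumption; pass another path if yours differs), treats the file as a plist list of entries each carrying a Description key (also an assumption about the file's shape), and ships with a constructed sample plist so it can be run offline on any platform.

```python
"""Check a Mac for the two iWorm indicators named in the article (added example)."""
import plistlib
from pathlib import Path

# The folder the article says iWorm's installer drops.
IWORM_DROP_DIR = Path("/Library/Application Support/JavaW")
# Assumed location of the XProtect definitions file on OS X of that era.
XPROTECT_PLIST = Path(
    "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist"
)


def dropper_present(drop_dir=IWORM_DROP_DIR):
    """True if the folder iWorm's installer drops exists on this host."""
    return Path(drop_dir).is_dir()


def _walk_strings(node):
    """Yield every string value inside a parsed plist node, at any depth."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _walk_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk_strings(value)


def find_definitions(plist_bytes, needle):
    """Return the Description of every top-level entry that mentions needle.

    Matching is case-insensitive and looks at every string in the entry, so a
    name is found whether it sits in the Description or in a match pattern.
    Entries with no Description are reported by their index.
    """
    data = plistlib.loads(plist_bytes)
    entries = data if isinstance(data, list) else [data]
    hits = []
    for index, entry in enumerate(entries):
        if any(needle.lower() in s.lower() for s in _walk_strings(entry)):
            desc = entry.get("Description") if isinstance(entry, dict) else None
            hits.append(desc or f"entry #{index}")
    return hits


def xprotect_covers(plist_path=XPROTECT_PLIST, needle="iWorm"):
    """Read the live definitions file; empty list if it is missing or has no entry."""
    path = Path(plist_path)
    if not path.is_file():
        return []
    return find_definitions(path.read_bytes(), needle)


# Constructed sample in the assumed shape of an XProtect definitions list.
# This is NOT Apple's real file; it only exercises the parser above.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.Example.A</string>
    <key>Matches</key>
    <array><dict><key>MatchType</key><string>Match</string></dict></array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.iWorm.A</string>
    <key>Matches</key>
    <array><dict><key>MatchType</key><string>Match</string></dict></array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.iWorm.B</string>
  </dict>
</array>
</plist>
"""


if __name__ == "__main__":
    print("iWorm dropper folder present:", dropper_present())
    print("live XProtect entries mentioning iWorm:", xprotect_covers())
    print("sample plist entries mentioning iWorm:",
          find_definitions(SAMPLE_PLIST, "iworm"))
```

On a Mac of that era, run it with python3 and read both lines: a present dropper folder means the host was already infected, and an empty XProtect list means the definitions update has not arrived, which is exactly the case the Mac Rumors users warn about, since the malware can interfere with contacting Apple's update servers.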

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Marilyn Cohodas (User Rank: Strategist), 10/10/2014 | 3:08:09 PM
Re: Mac is becoming target
@Robert McDougal, It was something I came across by accident, but it is a timely data point, which didn't get too much media play.
Robert McDougal (User Rank: Ninja), 10/10/2014 | 3:00:10 PM
Re: I know I'm being snarky, but...
@Dr.T I think this just goes back to what we said 5 years ago. Macs are vulnerable, they just have a smaller user base, making them a less profitable target. However, since then more people have adopted Macs, making the platform appear much more lucrative.
Robert McDougal (User Rank: Ninja), 10/10/2014 | 2:57:46 PM
Re: Mac is becoming target
@Marilyn Thanks for sharing! I have not seen that quote before. Based on my own experience I have seen more and more vulnerabilities designed for the Mac platform but haven't had any hard facts to back it up.
Robert McDougal (User Rank: Ninja), 10/10/2014 | 2:56:05 PM
Re: Mac is becoming target
@Dr.T I have to agree with you. Apple is playing from behind in the realm of vulnerability response because historically it hasn't been something they have had to worry about. However, the game has now changed and Apple needs to catch up.
Marilyn Cohodas (User Rank: Strategist), 10/10/2014 | 9:48:41 AM
Re: Mac is becoming target
Coincidentally, Kaspersky Lab recently calculated the chances of a malicious programme making it onto a Mac OS X device at about 3%, compared to the 21% infection risk facing Windows users. According to Eugene Kaspersky, Chairman and CEO at Kaspersky Lab, in a September 29 press release:

"In the past four years, the Mac threat landscape has significantly changed – from isolated cases to the global epidemic caused by Flashback worm, which infected 700,000 Mac devices across the globe in 2011. That was a tipping point; after that we saw hundreds of new malicious programs for Macs each year. Moreover, Mac OS X was in the focus of headline-making spy operations such as The Mask/Careto and Icefog

Dr.T (User Rank: Ninja), 10/9/2014 | 7:42:23 PM
Re: I know I'm being snarky, but...
True in my view, that was the impression; we cannot really claim that any more, I would say. Mac is as vulnerable as other OSs.
Dr.T (User Rank: Ninja), 10/9/2014 | 7:40:43 PM
Re: I know I'm being snarky, but...
I partially agree. Users are the main initiators of security issues; however, OSs may not have enough countermeasures to minimize the impact. There are no real solutions to the problems if we consider users to be the problem.
Dr.T (User Rank: Ninja), 10/9/2014 | 7:34:51 PM
Mac is becoming target
Obviously Mac becomes a target more and more every day, and we are seeing more vulnerabilities in Mac too. We were hoping and thinking that Mac is more secure compared to other OSs; we cannot really claim that anymore.
Thomas Claburn (User Rank: Ninja), 10/6/2014 | 4:44:38 PM
Re: I know I'm being snarky, but...
Indeed, Macs are not invincible, but in my experience they're not often involved in security incidents unless the user is careless (or the individual is specifically targeted by a skilled attacker). I recently had to clean an adware popup extension from my wife's version of Chrome on a MacBook Pro that she had been duped into installing. I've been running Macs at home since 1984 and this is the first time I've ever seen actual adware/malware on a Mac. I downloaded ClamXav and it did find one other piece of malware, written for Windows, in an email attachment. One incident in 30 years...
Sara Peters (User Rank: Author), 10/6/2014 | 2:39:56 PM
I know I'm being snarky, but...
...are people beginning to change their beliefs that Macs are more secure than PCs? Or at least, that Macs aren't entirely invincible?