Dr. Web announced the discovery of a new piece of Mac malware on Monday, which they are calling Mac.Backdoor.iWorm. According to their report, they believe the malware is affecting “more than 17,000 unique IP addresses.” Of course, this may not correlate well with the number of infected Macs, since most Macs do not have static IP addresses, but the number of infected Macs should at least be on the same order of magnitude.
It’s unclear from Dr. Web’s report exactly how the malware gets installed. The name “iWorm” suggests some kind of virus-like behavior. According to the report, the “dropper” (i.e., the program that installs the malware) puts the executable in a folder named JavaW in the /Library/Application Support/ folder, but this does not necessarily mean that Java is involved in any way. The name could simply be chosen as camouflage. I sought out some samples on VirusTotal, but found nothing that would shed light on this question. We’ll all just have to wait for further developments.
The dropper is also reported to create “a p-list file so that the backdoor is launched automatically,” which probably refers to a LaunchAgent or LaunchDaemon created to keep the executable running. This is a pretty standard malware behavior on Mac OS X.
Once installed, the malware does a search on Reddit to find a page containing the addresses of the command & control servers, then contacts one of those servers. Once connected to a command & control server, the Mac becomes a part of a “botnet” – a worldwide network of infected computers. This botnet can respond to a number of different commands sent by the hackers who “own” it. Botnets are typically used for attacks on servers. These attacks could take the form of DDoS (distributed denial of service) attacks, which attempt to take a server temporarily offline. They could also be attempts to hack user accounts through a brute-force attack on user passwords. There are many other possibilities, none of them nice.
To check to see if you are infected, go to the Finder and choose Go to Folder from the Go menu. Copy the following path and paste it into the window that opens:
Then, click the Go button. If you just get a beep, and the window displays a message in the bottom left corner that the folder can’t be found, then you should be okay.
If a Finder window opens showing the contents of this folder, you are infected. At this time, I don’t know what files get installed where, and the backdoor could allow the hackers to install custom code on your Mac anyway. So, the best thing you can do if infected is erase your Mac’s hard drive and reinstall everything from scratch, or restore from a backup made prior to the infection.
At this time, there are no XProtect updates that will prevent installation of this malware. In fact, because we still don’t really know how it gets installed, XProtect may or may not be able to protect against it anyway.
This morning I awoke to find an e-mail waiting for me in my Inbox from someone who wished to remain anonymous. This person indicated that he had found installers for the new iWorm malware. He pointed me to the downloads offered by a user named “aceprog” on PirateBay.
On this user’s PirateBay page, I found installers for a number of different commercial products, such as Adobe Photoshop, Adobe Illustrator, Microsoft Office and Parallels. Actually downloading one of these things was a maze of clicks and redirects to adware sites, but I finally settled on installing a torrent client and using the torrent download link, which gave me a stolen copy of Photoshop CC 2014.
The item that got downloaded included some unsavory items that could be installed or opened to allow the stolen copy of Photoshop to run without a valid license, and although you couldn’t pay me to use any of these things on a real system, none of them turned out to be the problem. It turned out that the official-looking Photoshop installer had been modified:
Submitting the three executable files inside the installer to VirusTotal revealed that the one titled “0” was detected by only a small handful (3) of anti-virus engines. The other two were not detected as malicious at all. Presumably the “Install” executable is legit, but I’m left wondering about the “1” item.
I wasn’t sure what to expect when opening the file. One would hope that modifications to the app would result in the app being identified by Mac OS X as damaged, since the installer was signed. (The cryptographic signature on Mac OS X apps is meant to verify that the app was made by a particular developer and that it has not been modified.) However, opening the Install app resulted in a different warning:
This is further puzzling, since the app appears to have a code signature. However, running “codesign -vv” on the Install app reported that the app was not signed. At this point, I overrode the Gatekeeper restrictions for this app and forced Mac OS X to run it anyway.
The very first thing that happened when I opened the app was that I was asked for my admin password. I provided it, and an official-looking Adobe installer started up, but by then the damage was done. The instant I provided the password, the iWorm malware was installed.
Looking at fs_usage output (which provides detailed information on file system activity – such as file and folder creation), it appears that the only things added to the system by the “0” executable are the following items:
/Library/Application Support/JavaW/JavaW
/Library/LaunchDaemons/com.JavaW.plist
The com.JavaW.plist file simply runs the JavaW process at startup, ensuring that the malware is constantly running in the background.
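The two artifacts above (the JavaW folder under /Library/Application Support and the com.JavaW.plist launch daemon) are the only persistent traces the post identifies, so they make a simple host check. The script below is an added example, not code from the original post; the `ROOT` prefix argument is my addition so the same check can be pointed at a mounted volume or a test tree instead of the live system.

```shell
#!/bin/sh
# Added example: report the iWorm artifacts named in the post. Pass a
# root prefix ("" for the live system, or a mount point / test tree).

# Print each indicator found under the prefix $1. Returns 1 if any
# artifact is present (system should be treated as infected), 0 if none.
iworm_check() {
    root="$1"
    found=0
    for path in \
        "/Library/Application Support/JavaW" \
        "/Library/Application Support/JavaW/JavaW" \
        "/Library/LaunchDaemons/com.JavaW.plist"
    do
        if [ -e "$root$path" ]; then
            echo "INDICATOR: $root$path"
            found=1
        fi
    done
    return $found
}

# Count the indicators present under prefix $1 (0 on a clean system).
iworm_indicator_count() {
    iworm_check "$1" | wc -l | tr -d ' '
}

# When run directly, check the live system (empty prefix).
if iworm_check ""; then
    echo "No iWorm indicators found."
else
    echo "iWorm indicators present; see lines above."
fi
```

On an infected Mac the post's advice still applies: the launch daemon and folder are evidence, not the full extent of what the backdoor may have installed, so erase and reinstall or restore from a pre-infection backup rather than just deleting these two items.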
I reset my test system to a clean state, then ran the installer again, but this time I clicked the Cancel button when asked for my admin password. In this case, the malware was not installed at all.
There has been some speculation that a Java vulnerability may be involved, probably based on the “JavaW” name. However, at this point, it looks like this is far more prosaic. It’s just a trojan in the form of pirated software that has been modified.
The moral of the story? Never engage in software piracy. This single piece of malware is FAR from the only thing you can get infected with while installing stolen software. Torrents and sites like PirateBay should be avoided at all costs. If you cannot afford to pay for a piece of software or a movie or something similar, do without. Downloading such things for free often comes with LOTS of strings attached.
I am also submitting this to Apple’s product security team… hopefully we will see an update to XProtect shortly.