[Updated with corrected information and further details] A new Trojan threat, possibly disguised as a fake unauthorized build of OS X 10.10 Yosemite, is making the rounds by taking in users who attempt to pirate software. The new malware, dubbed "iWorm" by Russian research firm "Dr. Web," has supposedly been installed by duped users on over 17,000 unique IP addresses worldwide thus far. Users would have had to download and install the software in order to be victimized by the Trojan, which is mostly aimed at gathering user data.
The number of actual Macs that have installed the malware is unknown, since Macs rarely use static IP addresses. Such botnets can potentially send email spam, mine for Bitcoins, brute-force the passwords of other machines, or launch denial-of-service attacks. No attacks of any kind are underway, but the botnet appears to be growing. By last Friday, 17,658 unique IP addresses were infected worldwide, of which 4,610 were in the US. Other affected countries include Australia, Brazil, Canada, Mexico, Spain, France, Russia, Sweden, the Netherlands, and the UK.
Map of affected machines as of September 26
The malware could be Java-based, and its presence on a Mac can be checked from the Finder's "Go" menu: choose the "Go to Folder" command and look for a folder called "JavaW" in the user's Library/Application Support folder (the "Go" menu is needed because the user Library folder is hidden by default). In the "Go to Folder" dialog, users would type or paste ~/Library/Application Support/JavaW (the tilde points the command at the current user's home folder), and would most likely see the message "The folder can't be found," meaning the machine is unaffected by the malware.
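The same check can be scripted so that it can be run on many Macs, or against a home folder copied from another machine. The following is an added example, not a script from the article or from Dr. Web: it looks for the "JavaW" folder the article names as the indicator and, if the folder is present, records its contents before anyone deletes it. Only the folder name comes from the article; the function names, exit codes and report layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): check a macOS home folder for
# the "JavaW" directory the article names as the iWorm indicator. If it is
# present, list what is inside for incident-response notes before the folder is
# removed. Only the folder name comes from the article; the function names,
# exit codes and output format are assumptions of this example.
set -u

# iworm_indicator_check HOME_DIR
#   Returns 0 if the indicator folder is absent (clean), 1 if it is present,
#   2 if HOME_DIR cannot be read at all.
iworm_indicator_check() {
    home_dir="$1"
    indicator="$home_dir/Library/Application Support/JavaW"

    [ -d "$home_dir" ] && [ -r "$home_dir" ] || {
        echo "cannot read $home_dir" >&2
        return 2
    }

    if [ ! -e "$indicator" ]; then
        echo "clean: no $indicator"
        return 0
    fi

    # Indicator present: capture names, sizes and modification times before
    # anything is deleted, so the responder keeps a record of the finding.
    echo "INDICATOR FOUND: $indicator"
    ls -la "$indicator"
    return 1
}

# iworm_indicator_entries HOME_DIR
#   Prints how many files and folders live inside the indicator folder
#   (0 if the folder is absent), so a fleet script can log the size of a hit.
iworm_indicator_entries() {
    indicator="$1/Library/Application Support/JavaW"
    [ -d "$indicator" ] || { echo 0; return; }
    find "$indicator" -mindepth 1 | wc -l | tr -d ' '
}

# When run directly, check the current user's home folder; a different folder
# (for example a mounted disk image of another Mac) can be given as argument.
iworm_indicator_check "${1:-${HOME:-.}}"
```

The exit code is what makes this useful at scale: a management tool can run the script on every Mac and flag the machines that return 1, while the listing gives the responder a record of the folder before it is removed, as the article recommends.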
If genuinely Java-based, Macs that don't have Java installed at all (the default for most recent Macs) are likely unaffected, which might explain the very low number of machines affected. Although the primary command-and-control servers and pathways have already been neutered, variations may exist that are still functional, according to BitDefender.
The Trojan, once installed by the user, opens a port to request a list of control servers and connects, awaiting further instructions, AppleInsider reports. It originally connected to Reddit.com's search service to retrieve the botnet server list, which was hidden in a comment on the post "minecraftserverlists," but that channel has now been disabled.
Former Reddit list of C-and-C servers for iWorm
The iWorm program then downloads instructions in the form of Lua scripts or binary data, which opens the door to the servers potentially sending more malware that could further compromise the machine, though this hasn't been seen in the affected machines thus far. By itself, the program is limited to sending out sensitive user information, setting parameters in configuration files, performing GET queries, banning nodes running Lua-based scripts, or putting the Mac to sleep.
As usual, avoiding the malware is easily accomplished by not downloading pirated software, or other software from an unknown provider that promises tantalizing or unauthorized abilities. Should users discover that their machine is among those with the "JavaW" folder, simply removing it disables the threat.
Apple may potentially be able to disrupt the botnet through OS X's silent malware definition updates. So far, though, iWorm has gone unchecked.