
New OS X malware 'iWorm' discovered in pirated software [u]
NewsPoster
MacNN Staff
Join Date: Jul 2012
Status: Offline
Oct 3, 2014, 02:59 PM
 
[Updated with corrected information and further details] A new Trojan threat, possibly disguised as a fake unauthorized build of OS X 10.10 Yosemite, is making the rounds by taking in users who attempt to pirate software. The new malware, dubbed "iWorm" by Russian research firm "Dr. Web," has supposedly been installed by duped users on over 17,000 unique IP addresses worldwide thus far. Users would have had to have downloaded and installed the software in order to be victimized by the Trojan, which is mostly aimed at gathering user data.

The number of actual Macs that have installed the malware is unknown, since Macs rarely use static IP addresses. Such networks can potentially send email spam, mine for Bitcoins, brute-force attack the passwords of other machines, or launch denial-of-service attacks. No attacks of any kind are underway, but the botnet appears to be growing. By last Friday, 17,658 unique IP addresses were infected worldwide, of which 4,610 were in the US. Other affected countries include Australia, Brazil, Canada, Mexico, Spain, France, Russia, Sweden, the Netherlands, and the UK.

Map of affected machines as of September 26

The malware could be Java-based, and can be detected on a Mac by doing a search from the "Go" menu, by using the "Go to Folder" command to look for a folder called "JavaW" in the user's Library/Application Support folder (users should use the "Go" menu, as the user Library folder is normally hidden by default). From the Go menu, users would type or paste /Library/Application Support/JavaW, and would most likely see the message "file not found," meaning the machine is unaffected by the malware.

If genuinely Java-based, Macs that don't have Java installed at all (the default for most recent Macs) are likely unaffected, which might explain the very low number of machines affected. Although the primary command-and-control servers and pathways have already been neutered, variations may exist that are still functional, according to BitDefender.

The Trojan, once installed by the user, opens a port to request a list of control servers and connects, awaiting further instructions, reports AppleInsider. It had originally connected to Reddit.com's search service to retrieve the botnet server list, which was hidden in a comment to the post "minecraftserverlists," but has now been disabled.

Former Reddit list of C-and-C servers for iWorm

The iWorm program then downloads instructions using the Lua programming language or binary data, which opens the door to the servers potentially sending more malware that could further compromise the machine, though this hasn't been seen in the affected machines thus far. By itself, the program is limited to sending out sensitive user information, setting parameters in configuration files, performing GET queries, banning nodes running Lua-based scripts, or putting the Mac to sleep.

As usual, avoiding the malware is easily accomplished by not downloading pirated software or other software from an unknown provider that promises tantalizing or unauthorized abilities. Should users discover that their machine is among those with the "JavaW" folder, simply removing it disables the threat.

Apple may potentially be able to disrupt the botnet through OS X's silent malware definition updates. So far, though, iWorm has gone unchecked.
( Last edited by NewsPoster; Oct 4, 2014 at 06:07 AM. )
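The manual "Go to Folder" check described in the article can be scripted. The following is an added example, not part of the MacNN article or of any post in this thread: it looks for the "JavaW" folder under Library/Application Support, which the article names as the marker left by the malware. It assumes that both the current user's Library and the system-wide /Library are worth checking (the article's text names the user Library, while the path it tells readers to paste starts at /Library), and the folder names are taken only from the article; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the MacNN article): check for the iWorm indicator folder.
# The article names "JavaW" under Library/Application Support as the marker the
# malware leaves behind. Assumption: both the per-user Library and the system
# /Library are checked, since the article's prose and its pasted path differ.

# Prints every matching path found under the given base directories.
# Returns 0 if at least one indicator folder exists, 1 if none is found.
# Usage: iworm_indicator_present [base_dir ...]
iworm_indicator_present() {
    found=1
    for base in "$@"; do
        candidate="$base/Library/Application Support/JavaW"
        if [ -d "$candidate" ]; then
            printf 'indicator present: %s\n' "$candidate"
            found=0
        fi
    done
    return $found
}

# Default scan: the current user's home directory and the system root
# (an empty base yields /Library/Application Support/JavaW).
# On a clean machine this prints nothing and returns 1, matching the
# "file not found" outcome the article describes for unaffected Macs.
iworm_scan() {
    iworm_indicator_present "$HOME" ""
}

if iworm_scan; then
    echo "iWorm indicator found: remove the JavaW folder as the article advises"
else
    echo "no JavaW folder found: this machine shows no iWorm indicator"
fi
```

The function only reports; removal of the folder is left to the user, as the article recommends, so that nothing is deleted on a false match.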
     
DiabloConQueso
Grizzled Veteran
Join Date: Jun 2008
Status: Offline
Oct 3, 2014, 03:36 PM
 
It seems that the reddit minecraft forum used by this worm has been disabled and/or banned.

I wonder how that affects the worm's efficacy, and whether the worm has the ability to change where it gets instructions from -- how would the hackers send the worms a new command to change servers if the server that the hackers used to send commands is unavailable?
     
I-ku-u
Junior Member
Join Date: Aug 2011
Location: Cambridge, MA
Status: Offline
Oct 3, 2014, 04:18 PM
 
Hackers have long coded fallback CnC methods. The crux of the issue for them to maintain control involves hiding the communication channels they use - ideally (from their perspective) they want the infected machines to be able to receive new commands at a future time without there being any ability for the good guys to predict what channel might be used.

The crucial disadvantage they have is that their code runs on machines the good guys have physical control over, which means it will always be technically possible to crack the prediction problem. Without that fundamental "flaw", the hackers would easily win by virtue of good cryptography and pseudo-random number generation.
     
AlenShapiro
Fresh-Faced Recruit
Join Date: Apr 2000
Location: Brooklyn, NY, USA
Status: Offline
Oct 3, 2014, 08:36 PM
 
I don't see this as a vulnerability in OS X. By all accounts it's a worm. Someone had to install it and provide their admin password for it to be able to create its signature directory etc.
     
Charles Martin
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Status: Offline
Oct 3, 2014, 10:39 PM
 
We've updated the original article with considerable amounts of new info. Early media reports have widely mischaracterized this, but it is still a concern.
Charles Martin
MacNN Editor
     
lkrupp
Forum Regular
Join Date: May 2001
Location: Collinsville, IL, USA
Status: Offline
Oct 5, 2014, 08:02 PM
 
Too late MacNN staff. The media has already taken this and run with it. It's being reported as a vulnerability in OS X and NOT malware or trojan. It's all about reporting on Apple in a negative way and you guys incompetently foster the notion. In your haste to report Apple news you screwed Apple over. You do it all the time.
     
paulvail
Fresh-Faced Recruit
Join Date: Feb 2002
Location: raleigh, NC
Status: Offline
Oct 6, 2014, 07:03 PM
 
pirates get infections? cry me a river
     
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Status: Offline
Oct 6, 2014, 07:10 PM
 
Originally Posted by lkrupp:
Too late MacNN staff. The media has already taken this and run with it. It's being reported as a vulnerability in OS X and NOT malware or trojan. It's all about reporting on Apple in a negative way and you guys incompetently foster the notion. In your haste to report Apple news you screwed Apple over. You do it all the time.
We updated the article with more details three hours after original publication on Friday, well before mainstream media even reported on the issue.

Apple isn't gold-plated. They mess things up and they do it all the time. We call them on it, and when we get more information, we report that too. We're not negative against Apple, and I'm nearly certain that we didn't "screw Apple over."
     
All contents of these forums © 1995-2017 MacNN. All rights reserved.