18K Macs Hit with iWorm Botnet

Over 18,000 Macs around the world have been hit with a new malware threat called Mac.BackDoor.iWorm, or iWorm, that could let hackers steal data or use victim's computers in denial of service attacks on other servers. iWorm also uses Reddit.com as part of its system, although Reddit itself hasn't been hacked.

iWorm botnet has hit 18,000 Macs so fariWorm botnet has hit 18,000 Macs so far

Once installed, iWorm searches Reddit for specific posts that include IP address for servers that can issue it commands. The server then sends its instructions back to the victim's computer, which could also include another malware payload.

Reddit has since shut down the forum where the posts appeared, but that doesn't mean the attackers can't set up another forum or use another service to deliver the server addresses.

iWorm was first reported by the security company Dr. Web. The company detailed how iWorm works, but didn't have any details about how it gets delivered to victim's Macs. The malware stores files in a directory called JavaW inside Application Support. You can check to see if the folder is there by choosing Go > Go to Folder in the Finder, then enter:

/Library/Application Support/JavaW

If your Mac reports that the folder can't be found, then you haven't been hit by iWorm. If your Mac finds the folder, however, iWorm is there and it's time to use your favorite virus protection tool to clean your system.

Intego suggested a clever way to watch for telltale signs that iWorm has found a way onto your Mac by adding an alert action to the LaunchDaemons folder where the malware installs some of its payload. Here's how:

  • In the Finder, choose Go > Go to Folder
  • Enter /Library/LaunchDaemons
  • Right-click on the LaunchDaemons folder, then choose Services > Folder Actions Setup
  • Select add – new item alert.scpt
  • Check Enable Folder Actions

Now you'll see an alert dialog any time something new is added to the LaunchDaemons folder. You'll need to check to see what was added because some apps will legitimately place items in the folder.

Since there isn't any word yet on just how iWorm finds its way onto Macs, the usual rules for safe computing apply: don't visit websites you aren't sure are trustworthy, and don't open files from strangers.