Surprise: Mac iWorm Spreads through Pirated Apps


When news of Mac.BackDoor.iWorm for the Mac hit the Web last week, the way the malware threat spread was still something of a mystery, but that's been uncovered now, too: pirated software. Like so many other malware threats, attackers are using the promise of free software as a trojan horse to trick victims trying to save a buck into installing the iWorm payload.

iWorm malware spreads through pirated software, so don't steal apps

Once installed, iWorm can use infected Macs to launch denial of service attacks on Internet-based servers, or steal data from victims' computers. The malware was using Reddit posts filled with server IP addresses to tell infected Macs where to look for instructions, but the subreddit attackers were using has been shut down.

iWorm was first reported by the security and anti-malware company Dr. Web. The Safe Mac has since found a pirated Photoshop installer that sneaks iWorm onto your Mac without any outward indication that anything suspicious is happening.

So far it looks like iWorm spreads through trojan horse installers and isn't self-replicating, which means victims must install the malware to be infected. In other words, don't steal software because you may get far more than you bargained for.

The Mac Observer Spin

Using pirated software as a trojan horse to install iWorm doesn't come as a surprise at all. Using stolen software is bad not only because hard-working developers don't get paid for their work, but also because you could infect your Mac with malware.



Bart B

Excellent - I was rather hoping this would be the final piece of this puzzle.

Mac Malware in pirated software has been around for years and years, so really, this whole story is now nothing more than a curiosity - the innovative CnC is noteworthy, but nothing for non-Pirate Mac users to lose any sleep over.

Lee Dronick

This trick has been going on for some time. What was it George Santayana said about history?


Was it Tim Cook who said “look at the numbers”?

There’s a claim that a botnet of 17,000 computers was created. In terms of botnet sizes, that’s nothing. The going rate for renting a botnet that size is less than $1,000. And there’s a good chance that the botnet will disappear quite quickly with XProtect updated. So if the idea was creating a botnet, there won’t be much money made from it.

However, there is a Russian company that nobody heard of detecting this malware and by happy coincidence offering anti-virus software protecting you from it. If they manage to sell just a thousand copies, that will make them much more money than the malware ever did.

Bart B

If you accept the installed base numbers on this page:

That means all this fuss was about 0.02% of Macs.

Philip Ershler

Are the pirated programs signed? Or do the people getting infected have the security set to install apps from anywhere?


Always practice safe hex.


I wondered how this was spreading. Most sites I’ve seen so far keep calling it a “virus” or a “worm”; neither term applies in this case. This is the first report that indicates pirated software (trojan horse) was the attack vector.


This has been, and remains, a major issue in low and middle income countries where legitimate licensed software is often hard to come by from local vendors, even when you expressly ask for it.

When in need of software (uncommon but it happened) from a local vendor, in days past, whilst in the field, the only way I could guarantee the software was legit was for a local vendor to order the software on my behalf or hand carry it from a safe harbour, like Singapore. I was told by several local/regional vendors to assume that all software was otherwise pirated - ‘not original’ is the local term.

So common was/is this phenomenon that, many years ago shortly after we arrived, a neighbour of mine out here in Asia, who was from the UK, and understood the risks, was about to spend a few days in Bangkok and asked if I wanted him to pick up any software for me. When I asked him if it would be pirated, he regarded me with a look that can only be described as ‘You poor newbie bastard’, and informed me that, ‘It’s all pirated, no matter what they tell you’.

Now, thanks to the expanded capacity of internet access and the Mac and iOS App Stores, not to mention their counterpart in the iTunes store for music, one can purchase and install safe and legitimate software whilst in the region. The same is not always true for the PC market, which is a veritable brothel of trafficking and infection.

It’s changing, but outside of the Apple ecosystem - and even then, only for those with access - painfully slowly.
