Detecting iWorm malware

elliotjordan
Contributor III

I'm following this with interest:
http://9to5mac.com/2014/10/02/new-mac-botnet-malware-uses-reddit-to-find-out-what-servers-to-connect...

I made an extension attribute to detect the existence of the telltale /Library/Application Support/JavaW folder:
https://gist.github.com/homebysix/5f1e09b7a3e75c229ef1

Anybody seen this in the wild yet?
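An added example of the kind of extension attribute the post describes (this is not the linked gist's code): a POSIX shell script that reports whether the telltale JavaW folder exists in the `<result>` format Jamf expects, and on a hit lists the folder's top-level entries for triage. The result strings and the optional root-path argument (which lets the check run against a test tree) are assumptions of this example.

```shell
#!/bin/sh
# Jamf extension attribute (added example): report presence of the iWorm indicator folder.
# Folder named in the thread as the telltale sign of infection.
IWORM_DIR="/Library/Application Support/JavaW"

# Returns 0 if the indicator folder exists under the given root, 1 otherwise.
# The root argument is an assumption for testing; pass "" to check the live system.
javaw_present() {
    root="$1"
    [ -d "${root}${IWORM_DIR}" ]
}

# Builds the <result>...</result> string Jamf reads from an extension attribute.
# A positive hit also lists the folder's top-level entries (the thread asks
# what gets dropped in that folder), so the inventory record doubles as triage data.
ea_result() {
    root="$1"
    if javaw_present "$root"; then
        listing=$(ls -1A "${root}${IWORM_DIR}" 2>/dev/null | tr '\n' ' ')
        listing="${listing% }"   # drop the trailing space left by tr
        printf '<result>Present: %s</result>\n' "${listing:-empty}"
    else
        printf '<result>Not present</result>\n'
    fi
}

# As an EA, check the live filesystem; a smart group can then key on "Present".
ea_result ""
```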


Kaltsas
Contributor III

No. Hopefully one of the security companies tracks down the infection vector soon.

http://www.intego.com/mac-security-blog/iworm-botnet-uses-reddit-as-command-and-control-center/

etimothy44
New Contributor

I have not seen it yet but will be watching closely.

(I did test the EA. It works well with my test environment, so I will be monitoring my smart group.)

@elliotjordan Thanks for the post!!!!

adhuston
Contributor

@elliotjordan Thanks for posting this! I was looking closely at how to detect it. I was thinking about putting in a Software Restriction, but since the malware masquerades as a legitimate process, I'm worried about killing it. Anyone else thought of a way to put a software restriction in place to keep the process from running?

tadholyfamily
New Contributor

Maybe use the little script in the EA and only run the kill command on a positive result.

emily
Valued Contributor III

Sophos released a threat signature, so folks using Sophos Anti-Virus should be okay: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OSX~iWorm-A.aspx

lsmc08
Contributor

@emilykausalik,

Thank you for posting this.

We use Sophos AV - I'll make sure the Sophos security team here gets this.

@elliotjordan, thank you for posting too.

TomDay
Release Candidate Programs Tester

EA and smart group work perfectly, thx @elliotjordan. So far just my test machine reports positive. I'd be interested to hear what gets placed in that javaw folder once someone sees an infection.

farverk
New Contributor III

Currently using this EA. Thanks Elliot!

gskibum
Contributor III

Looks like Apple released an XProtect update for this.

http://www.mactech.com/2014/10/06/apple-updates-xprotect-malware-list