+12I'm following this with interest:
http://9to5mac.com/2014/10/02/new-mac-botnet-malware-uses-reddit-to-find-out-what-servers-to-connect-to/
I made an extension attribute to detect the existence of the telltale /Library/Application Support/JavaW folder:
https://gist.github.com/homebysix/5f1e09b7a3e75c229ef1
Anybody seen this in the wild yet?
+16No. Hopefully one of the security companies tracks down the infection vector soon.
http://www.intego.com/mac-security-blog/iworm-botnet-uses-reddit-as-command-and-control-center/
+3I have not seen it yet but will be watching closely
( i did test the EA. It works well with my test environment so I will be monitoring my smart group.)
@elliotjordan Thanks for the post!!!!
+9@elliotjordan Thanks for posting this! I was looking closely at how to detect it. I was thinking about putting in a Software Restriction, but since the malware masquerades as a legitimate process, I'm worried about killing it. Anyone else thought of a way to put a software restriction in place to keep the process from running?
+26Sophos released a threat signature, so folks using Sophos Anti-Virus should be okay: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OSX~iWorm-A.aspx
+10Thank you for posting this.
We use Sophos AV - I'll make sure the Sophos security team here gets this.
@elliotjordan, thank you for posting too.
EA and smart group work perfectly, thx @elliotjordan][/url. So far just my test machine reports positive. I'd be interested to hear what get placed in that javaw folder once someone sees an infection.
+6Currently using this EA. Thanks Elliot!
+13Looks like Apple released an XProtect update for this.
http://www.mactech.com/2014/10/06/apple-updates-xprotect-malware-list
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
