Apple anti-malware update blocks new 'iWorm' Mac botnet
Apple has updated its malware blacklisting system, known as XProtect, to block a Mac attack thought to have infected over 18,500 Macs.
Last week Russian antivirus firm Dr Web reported the emergence of a new network being built off the back of malware exclusively targeting OS X machines. Dubbed 'iWorm' by the security company, the malware disguises itself as an application called 'com.JavaW' and sets itself to automatically launch on infected machines.
MacRumours on Saturday reported that Apple had updated its XProtect.plist to detect and block iWorm. ZDNet confirmed a plist update on October 4 includes definitions for three variants of iWorm, labelled OSX.iWorm.A, OSX.iWorm.B, and OSX.iWorm.C.
While it's not known how iWorm's creators have been distributing the malware, it does have a particularly intriguing feature: it uses a Reddit search function to enlist infected Macs in the botnet. The search on Reddit returns a list of botnet servers that an infected machine could connect with and, once a connection is made, it awaits instructions from its operators.
According to Dr Web, by 29 September there were 18,519 unique IP addresses connecting to the botnet, with around a quarter beaconing in from the US, followed by over 1,200 Macs each in the UK and Canada.
Incidentally, Dr Web was the company that discovered the last major Mac malware outbreak in 2012, dubbed Flashback, which infected Mac users through a combination of fake Adobe Flash installers and compromised websites containing exploits for Java flaws. Flashback had infected about 600,000 Macs by the time Apple responded with a malware removal tool — a full week after Dr Web first reported it.
Alongside removal tools, another way Apple responds to new malware threats for Macs is by updating XProtect, a basic anti-malware feature built in to OS X that Apple doesn’t talk about. Apple doesn't tell Mac users when it adds new definitions to its 'plist', nor what the list contains, however they can be found with a bit of digging. Currently, plist contains definitions for 40 or so threats to Macs.
Apple uses the same feature to force Mac users off outdated versions of plugins for Flash and Java, both of which are often targeted by hackers.
The iWorm botnet is not anywhere near as significant in scale as Flashback, but it's good news for Mac users that Apple's response to the report from Dr Web was more prompt than its first dealing with the Russian company.