Slashdot Mirror

← Back to Stories (view on slashdot.org)

New OS X Backdoor Malware Roping Macs Into Botnet

Posted by timothy on from the sad-face-mac dept.

An anonymous reader writes New malware targeting Mac machines, opening backdoors on them and roping them into a botnet currently numbering around 17,000 zombies has been spotted. The malware, dubbed Mac.BackDoor.iWorm, targets computers running OS X and makes extensive use of encryption in its routines, Dr. Web researchers noted. What's even more interesting is that it gets the IP address of a valid command and control (C&C) server from a post on popular news site Reddit. The malware is capable of discovering what other software is installed on the machine, opening a port on it, and sending a query to a web server to acquire the addresses of the C&C servers.

1 of 172 comments (clear)

  1. Re:Quite useless article by Anubis+IV · · Score: 5, Informative

    The fact that they're referring to it as iWorm, suggesting it's self-propagating, yet not describing the method of propagation, seems incredibly irresponsible to me.

    I read through both articles, and there's no mention of the following either:
    1) Does the app use a registered Developer ID or not? If not, then the malware is only capable of running on Macs of individuals who have changed the default behavior of the system to allow apps from any source (default behavior is to either only allow apps from the Mac App Store or only allow apps from registered developers...can't remember which). If so, then Apple can revoke the Developer ID in a silent update to prevent it from executing on any machine using default settings.

    2) Has Apple issued a malware definition update yet? OS X has had XProtect, a silent, built-in malware removal tool since 2011 or so, that pulls down malware definition updates on a daily basis in the background and both works to prevent malware installations as well as removes them if they are found. By the time malware gets widely reported enough that sites like Slashdot are reporting it, Apple has usually already issued an update to prevent further infections and eliminates the existing ones. Given that those articles are from a few days ago, Apple may have already done so in this case.

    3) What systems does it infect? If it really is a worm that only has 17,000 computers, it may just be a case of exploiting a known bug in versions of the OS that haven't been supported for years. Or it may be that it's a brand new threat exploiting the latest version of the OS. We have no way of knowing, based on the shoddy reporting by the researchers.

    4) Do users still get the default prompt that they're executing an app for the first time, or does it circumvent that somehow?

    Basically, we know nothing about it or how dangerous is actually is, thanks to the researchers withholding everything about it.