Apple Computers Hacked: 4,600 Macs in the U.S. Affected by iWorm
Russian anti-malware company Dr. Web has announced that its security researchers have discovered malware infecting thousands of Macs worldwide. Labeled "Mac.BackDoor.iWorm," or simply "iWorm," the new threat to OS X lets criminals send commands to infected machines.
To date, Dr. Web reports over 17,000 infected Macs, more than 4,600 of them at U.S. IP addresses. Described as "a complex multi-purpose backdoor," iWorm reportedly operates as follows:
1. iWorm is launched.
2. The program saves its configuration data in a separate file.
3. It surveys the contents of the /Library directory, looking for "unwanted" installed applications.
4. If none of the unwanted directories is present, iWorm queries the system for the home directory of the current OS X account.
5. iWorm checks that its configuration file is present in that directory.
6. iWorm records the data it needs to continue operating.
7. iWorm opens a port and requests a list of control servers (through Reddit).
8. iWorm connects to the remote servers returned by Reddit.
9. It waits for instructions.
10. The criminals publish the list of servers as comments on the post "minecraftserverlists" under the account "vtnhiaovyd."
11. iWorm locates the Reddit comments and connects to the servers listed.
12. Once a connection is made, the criminals can send commands to the infected computers in the botnet.
Botnets are used to send spam emails, mine Bitcoin and flood websites with destructive traffic, Business Insider noted.
The malware was written in C++ and Lua, Dr. Web added, and it handles two types of commands: directives selected according to the binary data it receives, and Lua scripts.
Apple Insider reported that the Reddit thread had been taken down, but the criminals may set up another server list through a different search service. The outlet added that iWorm is capable of collecting and disclosing sensitive user information, setting parameters in configuration files, performing GET queries, putting a Mac into sleep mode and more.
According to MacRumors, Apple has responded to the new threat by updating its anti-malware system "XProtect." The update recognizes the threat and blocks its installation on vulnerable devices.
To check whether your Mac has been affected, Tech Times provided a walkthrough: in the OS X Finder, choose Go > Go to Folder and type "/Library/Application Support/JavaW." If the folder cannot be found, the Mac is not infected. If it is found, an anti-virus program may help remove the malware.
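The same check, automated as a shell script that can be run from a terminal or across a fleet. This is an added example, not code from the article, Tech Times or Dr. Web; the optional root-prefix argument (for scanning a mounted volume, or for testing) is an assumption, and the script only reports, it does not delete anything.

```shell
#!/bin/sh
# Added example: automates the Finder walkthrough from the article.
# Usage: sh iworm_check.sh              (checks the running system)
#        sh iworm_check.sh /Volumes/X   (checks a mounted volume; the root
#                                        prefix is an assumption, not from the article)
# Exit status 0 = indicator absent, 1 = indicator present.

iworm_check() {
    root="${1:-}"
    # The only on-disk indicator the article gives is this support directory.
    dir="$root/Library/Application Support/JavaW"
    if [ ! -d "$dir" ]; then
        echo "OK: $dir not found"
        return 0
    fi
    echo "ALERT: $dir exists; inventory for triage:"
    # Long listing with modification times helps date the infection.
    # Files are left in place so an anti-virus or forensic tool can examine them.
    ls -la "$dir"
    return 1
}

iworm_check "${1:-}"
```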