New Mac malware discovered; how to check your Mac for ‘iWorm’ malware

“Dr. Web announced the discovery of a new piece of Mac malware on Monday, which they are calling Mac.Backdoor.iWorm. According to their report, they believe the malware is affecting ‘more than 17,000 unique IP addresses,'” The Safe Mac reports. “Of course, this may not correlate well with the number of infected Macs, since most Macs do not have static IP addresses, but the number of infected Macs should at least be on the same order of magnitude.”

“It’s unclear from Dr. Web’s report exactly how the malware gets installed,” The Safe Mac reports. “The name ‘iWorm’ suggests some kind of virus-like behavior. According to the report, the ‘dropper’ (ie, the program that installs the malware) puts the executable in a folder named JavaW in the /Library/Application Support/ folder, but this does not necessarily mean that Java is involved in any way. The name could simply be chosen as camouflage.”

“To check to see if you are infected, go to the Finder and choose Go to Folder from the Go menu,” The Safe Mac reports. “Copy the following path and paste it into the window that opens – /Library/Application Support/JavaW – then, click the Go button. If you just get a beep, and the window displays a message in the bottom left corner that the folder can’t be found, then you should be okay.”
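The same check can be scripted for the Terminal or for a mounted backup volume. This is an added example, not code from The Safe Mac, Dr. Web or MacDailyNews; the function name, the optional root argument and the return codes are assumptions made for illustration. It tests only the one folder named in the report, so a clean result says nothing about a variant installed elsewhere.

```shell
#!/bin/sh
# Added example: scripted form of the Finder "Go to Folder" check.
# The only indicator taken from the article is this folder path.
IWORM_DIR="/Library/Application Support/JavaW"

# check_iworm_dir [ROOT]
#   ROOT (assumed, optional): prefix of a mounted volume or backup to
#   inspect instead of the live system, e.g. /Volumes/Backup
# Return codes (illustrative):
#   0 = folder absent
#   1 = folder present
#   2 = something other than a plain folder sits at that path
check_iworm_dir() {
    root="${1:-}"
    target="${root%/}${IWORM_DIR}"

    # Test for a symlink first: -d follows links and would hide it.
    if [ -L "$target" ]; then
        echo "SUSPICIOUS: $target is a symlink"
        return 2
    fi
    if [ -d "$target" ]; then
        echo "FOUND: $target"
        # Show owner and timestamps so the contents can be recorded
        # before anything is removed.
        ls -la "$target"
        return 1
    fi
    if [ -e "$target" ]; then
        echo "SUSPICIOUS: $target exists but is not a folder"
        return 2
    fi
    echo "not found: $target"
    return 0
}

# Usage: check_iworm_dir                  (live system)
#        check_iworm_dir /Volumes/Backup  (mounted volume, hypothetical path)
```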

More info and links in the full article here.

[Thanks to MacDailyNews Reader “elder norm” for the heads up.]


    1. I don’t believe this even exists. Dr. Web is notorious for this. How do they claim the exact number of infected Macs they do. . . 17,586, and the countries they are located in? If it doesn’t make sense, it’s a lie.—Judge Judy.

    1. I wouldn’t mind the idiotic ads here if MDN at least carried a few more legit Mac-related ads; you know, ads for hard drives. But a lot of MDN’s ads are those stupid ones featuring Photoshopped pictures of muscle bodies with teensy heads and captions like “New legal steroid substitute has people talking.” Such ads remind me of the back of an old comic book, with ads like X-ray glasses.

  1. As some articles posted, the big question is how can you get this virus? No one is currently saying but some computers do seem infected.

    I am going to keep my eyes open for more info.

    1. Tnx Darkness!

      The initial method of infection is STILL not defined. Meanwhile:

      Developer Jacob Salmela has posted instructions on how to create a set of OS X folder actions that will alert a user if their system becomes infected.

      Note: The problem with rigging up tests for specific folders is that the bot wrangler can EASILY change the folders for infection both pre- and post- infection. This is a quick short term solution until the actual source of the nasty malware is detected and eradicated. That’s not here yet.

  2. Oi, I thought Macs were virus-free? You once called a writer a “moron” for suggesting that, one day, the Mac’s bubble of invulnerability would pop.

    Who are the morons now, MDN? Moron Daily News?

    1. Cam, you anonymous coward, go fsck yourself! People such as myself have been working with Mac security flaws for YEARS. My Mac-Security blog has been running since 2007. I have a list of over 100 Mac malware. Only a DOLT would ever say ‘Macs are virus-free’, oh and dickhead Mac-HATERS like you who love to invent nonsense so you can point at it and laugh.

      HERE is a great catalogue list of Mac malware over time by Thomas Reed with contributions from a GANG of us around the world who work on finding and stomping on all Mac malware, a cooperative gestalt of great people who VOLUNTEER their time to the cause. Beat that! Then go beat yourself, moron.

    1. The anti-malware commercial business sadly encourages people to think that all malware are ‘viruses’. Whereas, viruses are only one kind of MANY kinds of malware. Technically speaking, OS X has never had an actual ‘virus’. But it has had worms, Trojan horses, spyware, adware, scamware….

      If you want to specifically nail Apple for any software security holes, check out the history of QuickTime. Other than that, nearly ALL other OS X malware has either been installed by way of social engineering (aka con-job!) or 3rd party schlock like Adobe freeware or Oracle’s Internet Java plugin (the single most dangerous software on the Internet).

    1. AND! 💥💕💥

      Apple has the samples of 3 variants of iWorm (A, B & C) and is, as I type, rolling out updates to Xprotect, the anti-malware system built into OS X. These updates are automatic via the Internet. All Macs, going back to OS X 10.6 Snow Leopard, are being protected from iWorm right NOW! Bravo Apple!!! 😀

        1. Are you looking specifically into the settings for XProtect? I can write up how to open up its settings file and read it. There is also a way to force OS X (10.6 – 10.10) to update XProtect.

          Apple has made XProtect an automatically updating anti-malware system that the user never sees. The problem of course is that the user has to be connected to the Internet for it to work, and who knows when it’s going to be triggered to get updates? It’s iffy in that respect. But it works well in the long term.

          Let me know if you’d like to write up something. Thomas Reed may well have written up something already. I can check and post if he has.

          1. Thanks, to be honest I was just wondering why I did not see the update in App Store, so I checked for updates and there was no mention. But I gather from what you are saying that this would be a “silent” update that does not get acknowledged in the App Store as such. Every now and then I check out your pages and links there to the others in “your team”, but I am not as knowledgeable as you guys are in that field. Would not be a bad idea for Apple to show the updated XProtect, would it?

            1. The team would more accurately be called Mark Allan’s Team, he being the developer of ClamXav, the ClamAV implementation for Mac users. Mark is terrific.

              As for being knowledgeable, collaborating with others allows sharing skills, talent and knowledge with others. Teams are incredibly more effective than single minds, as long as the teammates get along and get into collaborating. I’m a total dummy at dealing with Virus Total, which is THE place to seek and find active malware these days. I’m good at research in other respects and translating the nebulous and diffuse into the specific and useful.

              Yes, I’d personally enjoy Apple having just a simple window relevant to XProtect. Have it look for updates and immediately install them. Have it show a green icon if it’s up-to-date. Have it list each malware species and variety it recognizes. Have links to the CVE documentation for each…. Well maybe not that obsessive! But I think most folks are up for understanding malware on at least a superficial level, rather than having Apple hide everything. But I’m one of the people who has been screaming at Apple for years to get rid of Safari’s opening of ‘safe’ files entirely and to force the Firewall to be ON at all times on OS X, not simply if the user figures out how to turn it on themselves. Apple is primitive in this respect. I’ve never claimed they were perfect.

            2. As always, true words and passion. I read most of your comments on security and know that you are passionate about Apple revealing more about what they are doing with security (as far as responsibly possible).

            3. I was just listening to last week’s Security Now podcast. 🙄 Apple have some iOS security promises they have yet to live up to. But iOS 8 has had enough criticism for the week. Let’s just say I’m looking forward to iOS 8.1.

    2. Apple Updates Malware Definitions to Protect Against Botnet Threat Coordinated Via Reddit …AKA iWorm.

      First introduced with OS X Snow Leopard, Xprotect is a rudimentary anti-malware system that recognizes and alerts users to the presence of various types of malware. Given the relative rarity of malware targeting OS X, the malware definitions are updated infrequently, although users’ machines automatically check for updates on a daily basis. Apple also uses the Xprotect system on occasion to enforce minimum version requirements for plug-ins such as Flash Player and Java, forcing users to upgrade from older versions known to carry significant security risks.
