OS X ‘iWorm’ trojan spreads via pirated software

“On Thursday, I wrote about new malware called iWorm. This morning I awoke to find an e-mail waiting for me in my Inbox from someone who wished to remain anonymous,” The Safe Mac reports. “This person indicated that he had found installers for the new iWorm malware. He pointed me to the downloads offered by a user named ‘aceprog’ on PirateBay.”

“On this user’s PirateBay page, I found installers for a number of different commercial products… but I finally settled on installing a torrent client and using the torrent download link, which gave me a stolen copy of Photoshop CC 2014,” The Safe Mac reports. “The item that got downloaded included some unsavory items that could be installed or opened to allow the stolen copy of Photoshop to run without a valid license, and although you couldn’t pay me to use any of these things on a real system, none of them turned out to be the problem. It turned out that the official-looking Photoshop installer had been modified.”

“There has been some speculation that a Java vulnerability may be involved, probably based on the ‘JavaW’ name. However, at this point, it looks like this is far more prosaic. It’s just a trojan in the form of pirated software that has been modified,” The Safe Mac reports. “I woke up this morning to find that Apple had released an XProtect update overnight. It now includes definitions for iWorm.A, iWorm.B and iWorm.C. The iWorm.A hash matches the “install” executable file in my sample, and testing shows that my sample will no longer install on a system with up-to-date XProtect definitions. I don’t know what the other two definitions match yet.”

Read more in the full article here.

MacDailyNews Take: Trojan horse, not a worm. As usual, only OS X users who grant permission to infect themselves get infected.

Related article:
New Mac malware discovered; how to check your Mac for ‘iWorm’ malware – October 3, 2014


  1. What I fscking hate when this happens, every time, is all the asshole anti-Apple trolls who crawl out of the woodwork to taunt us: “Ha ha! I thought you said OS X never gets malware!!”

    Of course, Apple fans have NEVER said that. We say OS X is more secure than Windows (because it is), and that OS X doesn’t get viruses (because it doesn’t). But these idiot trolls invent their own idea of the smug Apple user who thinks his Mac is perfect in every way and then gloat when this straw man they’ve created gets knocked down.


      1. No, I’m sorry: I don’t think I’ve ever heard anyone say OS X never gets malware – full stop. Any person who said that would have to be a moron. If that was true, surely we’d hear such people at this site, which is Apple Fanatic Central.

        As for iOS, what malware is there for non-jailbroken iOS devices?


    1. TPB already removed all his stuff, or the name posted wasn’t the real one..
      Odds are nothing will happen to the guy, sad but it’s the way it is. More people will get in trouble for downloading Pirated software/etc than those that actually upload it. (Easier to go after the dipshits then the guy behind an anonymous VPN)

      Unless you *need* Photoshop for work.. Buy Pixelmator.

  2. Interesting mix of reactions above. It seems denial runs deep on this site.

    The DrWeb site offers a lot of insight on how the worm has been spreading, and it isn’t just on pirated Photoshop distributions. It appears also to have been spread via Reddit and MineCraft as well. It would be wise to remain vigilant instead of pretending that Apple systems are totally infallible. If Apple was perfect, we wouldn’t have software security updates, would we?

    another article:

    1. Go away, “Mike”. Nobody here is buying your stupid DrWeb software.

      Also, this trojan IS only spread via pirated software. Not Reddit or Minecraft. You need to improve your English skills, my Russian friend.

    2. You should read the articles that you link to, at least the first paragraph. It’s not being spread via Reddit or MineCraft.

      The only reports of the method by which it was spread was through pirated software.

      To be absolutely perfectly clear… Reddit is safe. MineCraft is safe. Pirating software and granting that software access has never been safe on any system.

      1. The first paragraph:

        “The Russian antivirus vendor Dr. Web has reported the spread of a new botnet that exclusively targets Apple computers running Mac OS X. According to a survey of traffic conducted by researchers at Dr. Web, over 17,000 Macs worldwide are part of the Mac.BackDoor.iWorm botnet—and almost a quarter of them are in the US. One of the most curious aspects of the botnet is that it uses a search of Reddit posts to a Minecraft server list subreddit to retrieve IP addresses for its command and control (CnC) network. That subreddit now appears to have been expunged of CnC data, and the account that posted the data appears to be shut down.”

        1. Mike,

          You should read the comments you write in addition to the articles you quote:

          You wrote:
          ” It appears also to have been spread via Reddit and MineCraft as well. ”

          Now, read what the article says… specifically the part you quoted in your comment.

          It’s one thing to ask questions about an article you don’t understand, but it’s another thing to spread FUD based on having no understanding of the subject.

          To be clear, according to the article, the worm utilized Reddit and Minecraft to receive IP addresses for its CnC. It did not spread via Reddit or Minecraft as you stated.

          Think of it this way…

          Someone pirates software like Adobe CC. The installer for that has been hacked and installs iWorm. The user allows this to happen because “an installer needs permission, right?”. The infected machine then calls out to Reddit and essentially searches for instructions for what to do. The person or group who orchestrated this set it up so that they could control a number of computers and give them instructions through Reddit.

          As I mentioned in my first response to you. Visiting Reddit is perfectly safe. Even if you were infected, visiting Reddit would have no impact one way or the other since iWorm connected to Reddit on its own.

          Reddit deleted the CnC data and killed the account that posted it, so a computer infected with iWorm can no longer use Reddit to receive instructions, but may be able to get instructions elsewhere as well as continue to operate autonomously in as much as it was designed to do.

          There’s a lot of information about iWorm on Reddit including specific reports of what pirated software was involved and how to remove and block iWorm along with the status of Apple’s reaction to the situation. Instead of referring people to this source of information, your original comment did the opposite, scare them away due to your complete misunderstanding of the situation.

    3. Back in the 90’s there was a ‘worm’ that went through the Mac-using graphic-arts/prepress community, it caused all sorts of mayhem.
      It was passed around on infected Photoshop files, and had been developed in Russia.
      Not much seems to have changed, then…

    4. Why do you insist on spinning everything in the worst way, Mike? You are always accusing people of avoiding the truth and covering for Apple’s flaws.

      The “denial” that you ascribe to the “reactions above” is simply a discussion of the proper designation of this malware – that it appears to be a trojan horse rather than a true worm. No one denied that it is malware or that it has infected some small number of Macs.

    5. how does mike’s post have anything above a 1 star? Mike are you running to every computer you can find to up vote yourself?

      The link you posted CONTRADICTS your comment… if you had any ability to understand the situation.. well, i’ll leave it at that. Cause it’s obvious you have no clue and are just wanting to bash Apple and praise Dr.Web.

      Note that the easiest way to hack/bypass ANY OS… is the path of least resistance:
      The USER.

      No matter how “secure” an OS is, the user can always be compromised.

  3. 2014 is my 27th year using only Macs at home. In that time I’ve had an SE, an LC, an iMac SE, a G4 tower, a G5 tower, multiple iMacs, PowerBooks, Mac Books, and who knows what all else. I’ve been online the whole time.

    One Mac got infected. Once. It was a harmless worm embedded in a CD-ROM from MacAddict. Mac is more secure than Windows. Always has been.

    1. I also have to point out that there is a wonderful gestalt of Mac users and professionals who volunteer their time to identify, isolate and eradicate malware for FREE. That’s a very Mac thing to do. We had exactly the same spirit with Mac OS back in the day. The particular gestalt, of which Thomas Reed (and I) are part, circles around Mark Allan, who writes ClamXav, the donationware anti-malware program for Macs, based on the open source ClamAV project. Mark has been a terrific catalyst and it shows in the work done this past week regarding ‘iWorm’.


  4. Windows users love a good Mac malware article. Sorry, Windows users. Only Windows still wins with the ability to have thing install for no fucking reason whatsoever. I have to purposely jab my Mac with an HIV needle to infect it.

  5. MDN said: Trojan horse, not a worm.

    EXCELLENT catch. Beats me why it was ever named a ‘worm’. But that was during the period no one knew (or was telling!) how it was spread. I’ve never found the commercial anti-malware business to be particularly professional, except in some rare exceptions. (I’m an Intego fanatic myself).

    What’s actually surprising is that the entire anti-malware business community settled on just ONE name for this malware, which is a rarity, AND it was an inaccurate name. (o_O)

    To be a bit more scrutinizing, this malware might more accurately be called Trojan.OSX.iServices.D-F strains. Some anti-malware apps actually identified it initially as iServices. It spreads in exactly the same way. The current theory is that it really is iServices merely packed up differently so as to fool at least some anti-malware applications. As such, it’s not a particularly inventive or original Trojan. But that’s actually the status quo for Mac malware. These Trojans are typically either written for another platform (Windows, Android) then rewritten for Mac as an after thought, OR they’re revamped old Mac malware, as in this case.

    In any case, it’s fascinating that a substantial number of Mac users are WAREZ pirates, resulting in their Macs being PWNed into HUGE botnets. We’re still waiting to get a solid figure on how large the ‘iWorm’ (iTrojan!) botnet has grown.

    And again: Be happy! Apple has used their XProtect system to send out protection against this malware into every Mac running 10.6.x through 10.10 beta. Fast work by Apple!

    Meanwhile: Don’t be naughty. Don’t install WAREZ or it may bite you.

    1. Keep in mind that “mac” users can be using Hackintosh systems as well, and/or can be PC users converted to Mac, and still keep the “old” ways of acquiring software.

      I’ve “Acquired” software in the past, most of it I purchased later. (Pixelmator to name names)

      The level of stupidity of the average computer user has increased over the years sadly.
      And I think pirates used to keep things “quiet” in years past.. now it’s all in the open, and people see the ease in which things can be acquired now.. and the hackers see how easily they can distribute their crap as well.

      1. Way back in 1992, when I decided to learn digital imaging, I will be forever grateful for a certain CD full of professional Mac software provided by a fellow employee. I could never have learned Mac tech as quickly without it. I’ve also found (ahem) cereal box (sic) to be useful from time to time when I needed to learn something new in a hurry.

        But my slogan is to always pay for software that earns you money. Otherwise, you’re just another parasite.

        In any case, downloading warez is a really bad idea these days. In 2009 the iServices Trojan was implicated in a botnet of about 20,000 Macs. It will be interesting to see how many Macs got infected this time.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.