“On Thursday, I wrote about new malware called iWorm. This morning I awoke to find an e-mail waiting for me in my Inbox from someone who wished to remain anonymous,” The Safe Mac reports. “This person indicated that he had found installers for the new iWorm malware. He pointed me to the downloads offered by a user named ‘aceprog’ on PirateBay.”
“On this user’s PirateBay page, I found installers for a number of different commercial products… but I finally settled on installing a torrent client and using the torrent download link, which gave me a stolen copy of Photoshop CC 2014,” The Safe Mac reports. “The item that got downloaded included some unsavory items that could be installed or opened to allow the stolen copy of Photoshop to run without a valid license, and although you couldn’t pay me to use any of these things on a real system, none of them turned out to be the problem. It turned out that the official-looking Photoshop installer had been modified.”
“There has been some speculation that a Java vulnerability may be involved, probably based on the ‘JavaW’ name. However, at this point, it looks like this is far more prosaic. It’s just a trojan in the form of pirated software that has been modified,” The Safe Mac reports. “I woke up this morning to find that Apple had released an XProtect update overnight. It now includes definitions for iWorm.A, iWorm.B and iWorm.C. The iWorm.A hash matches the ‘install’ executable file in my sample, and testing shows that my sample will no longer install on a system with up-to-date XProtect definitions. I don’t know what the other two definitions match yet.”
MacDailyNews Take: Trojan horse, not a worm. As usual, only OS X users who grant permission to infect themselves get infected.
Related article:
New Mac malware discovered; how to check your Mac for ‘iWorm’ malware – October 3, 2014