iWorm Malware Goes After Mac OS X Users

Apple moves quickly in a bid to limit the risk of the Mac.BackDoor.iWorm malware, which may have already infected 17,000 Macs.


A new malware family known as the Mac.BackDoor.iWorm is taking aim at Apple's Mac OS X users, and Apple isn't hesitating in providing its users with a defensive response. The Mac.BackDoor.iWorm malware was first reported by antivirus vendor Dr. Web and may have already infected 17,000 Macs.

Of particular note with the iWorm malware is the command and control (C&C) server infrastructure that is used to transmit instructions to infected Mac hosts. The iWorm malware leverages the popular Reddit (reddit.com) news discussion site to find the C&C servers.

Apple has already taken steps to limit any potential risk from the new iWorm. An Apple spokesperson confirmed to eWEEK that Apple has updated its XProtect anti-malware system to block iWorm. The XProtect anti-malware application has been an integrated part of Mac OS X since the Snow Leopard release in 2009.

As different malware threats against OS X have emerged over the years, Apple has updated XProtect with new detection capabilities. In 2011, Apple used XProtect to limit the risk from the MacDefender malware, which was a fake Mac antivirus (AV) program. In 2012, XProtect was leveraged by Apple to defend against the Mac Flashback Trojan, which may have impacted up to 1 million Apple users.

Overall, the volume of Apple Mac OS X malware is still small in comparison to malware that targets Microsoft Windows.

"It is still relatively small, but it has increased as the market share of Macs has increased," Ben Johnson, chief evangelist at Bit9, told eWEEK. "The quick win is still Windows, so the majority of malware targets that."

The iWorm appears to be more sophisticated than past malware that has been seen on OS X, Dmitri Alperovitch, CTO at CrowdStrike, told eWEEK.

"Apple and AV vendors have released signatures for detection of existing binaries, but the malware will almost certainly mutate in the near future to avoid detection," Alperovitch said.

Greg Wasson, malicious code program manager at ICSA Labs, told eWEEK that he isn't surprised by the iWorm, noting that there is nothing in OS X that necessarily keeps the operating system virus-free.

While Apple has provided an update for its XProtect system, Johnson noted that an antivirus program alone is never enough, and XProtect is not a particularly advanced product.

"The two main approaches these days are locking a system down so that only trusted software can run, which is what Apple does with the App Store, or to have a higher level of monitoring and auditing so you can see what is occurring and respond to suspicious or malicious behavior," Johnson said.

For as long as Macs have existed, there has been an active debate on whether or not there is a need for users to install a third-party antivirus tool.

"OS X has some good privilege separation and other hardening built into the OS, but it's still often in the hands of the user as to whether or not new software can run," Johnson said.

It's now getting to point where a stand-alone AV product is necessary on Mac, according to Wasson.

"Users still need to be careful of which sites they go to and which links they click on, as those same best practices apply across the board, regardless of which OS you're operating on," he said.

OS X users are increasingly finding that targeted adversaries can get to them if they are an attractive target, Alperovitch added.

"Traditional AV software offers very little protection on OS X, but enterprises are increasingly turning to next-generation endpoint threat detection and response solutions that do exist on Mac," he said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.