
'iWorm' malware controls Macs via Reddit, more than 17K affected

Screenshot of Reddit.com post hosting iWorm's C&C server list. | Source: Dr. Web


Security researchers recently discovered that more than 17,000 Macs around the world have been infected by a new OS X malware threat called "iWorm," which at one point used Reddit.com as a go-between for locating its control servers, from which it takes orders to collect user data, perform various system actions and execute Lua scripts.

Entered into the virus database of Russian anti-virus firm Dr. Web as "Mac.BackDoor.iWorm," the threat is described as a complex multi-purpose backdoor that accepts a variety of commands and carries them out on the infected Mac. Among the operations available to its operators are data gathering and limited remote control of the system.

Once installed, iWorm writes its working files to disk, opens a port on the infected Mac, requests a list of control servers, connects to one and waits for further instructions. What sets this sample apart is how it finds those servers: it queries Reddit.com's search service and parses the botnet's server list out of a comment on a post titled "minecraftserverlists," where the list had, until recently, been hiding in plain sight.

The Reddit thread has since been taken down, but the dead-drop design does not depend on Reddit specifically: iWorm's creators have likely posted a fresh server list through another public site or search service, and that replacement has yet to be identified.

Once iWorm connects to a command and control server, the backdoor receives its instructions either as binary data or as Lua code. The server can also push down additional malware to further compromise the affected machine.

iWorm itself can gather and exfiltrate sensitive user information, set parameters in its configuration files, perform GET requests, put the Mac to sleep, ban nodes and execute nested Lua scripts, among other backdoor operations.

Individual ISPs affected by iWorm as of late September.

Because iWorm unpacks into a fixed folder on OS X, users can check whether their Mac is infected by choosing "Go > Go to Folder" from the OS X Finder menu and entering /Library/Application Support/JavaW. If OS X reports that the folder cannot be found, the computer is clear of this sample. If the folder is found, the Mac is infected, and users are urged to run an anti-virus program to remove iWorm from the hard drive. Note that the absence of the folder only rules out this particular indicator; a modified variant could drop its files elsewhere.
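The same check from a Terminal, as an added example that is not part of the article or of Dr. Web's analysis. It looks for the /Library/Application Support/JavaW folder the article names and, as an extra step assumed here rather than stated by the article, scans the system-wide launchd job directories for any plist that mentions "JavaW", since a backdoor that survives reboots normally registers a launchd job. The optional ROOT argument (a hypothetical parameter for this script) lets you point it at a mounted volume or a test directory instead of the live system.

```shell
#!/bin/sh
# Added example, not from the article or Dr. Web.
# check_iworm [ROOT]: report the iWorm indicator named in the article
# (the JavaW folder) and, as an assumed extra check, launchd plists that
# reference JavaW. ROOT defaults to "/" so the live system is examined.
# Exit status: 0 when nothing is found, 1 when an indicator is present.

check_iworm() {
    root="${1:-/}"
    root="${root%/}"          # "/" becomes "", "/Volumes/X/" becomes "/Volumes/X"
    found=0

    # Indicator 1: the payload folder the article tells users to look for.
    javaw_dir="$root/Library/Application Support/JavaW"
    if [ -d "$javaw_dir" ]; then
        echo "FOUND: $javaw_dir exists"
        ls -la "$javaw_dir" 2>/dev/null
        found=1
    fi

    # Indicator 2 (assumption, not from the article): any launchd job
    # definition that mentions JavaW, which would relaunch the backdoor.
    for d in "$root/Library/LaunchDaemons" "$root/Library/LaunchAgents"; do
        [ -d "$d" ] || continue
        for plist in "$d"/*.plist; do
            [ -f "$plist" ] || continue
            if grep -q "JavaW" "$plist" 2>/dev/null; then
                echo "FOUND: $plist references JavaW"
                found=1
            fi
        done
    done

    if [ "$found" -eq 0 ]; then
        echo "CLEAN: no iWorm indicator under ${root:-/}"
    fi
    return "$found"
}

# Examine the live system (or the directory given as the first argument).
check_iworm "$@"
```

A clean result means only that these two indicators are absent; if the folder is found, do not delete it by hand and assume the job is done, since the launchd entry and any files written elsewhere would still need to be removed, which is why the article recommends an anti-virus product for clean-up.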

According to Dr. Web's statistical analysis of iWorm, the malware had infected some 17,658 Macs worldwide as of Sept. 26.



118 Comments

thewhitefalcon 10 Years · 4444 comments

This never would have happened if Steve were still here. This never would have happened if Apple hadn't ditched PPC. This is all Tim Cook's fault, he's killing Apple. /s There, I got the potential stupidity out of the way. Now, my MBA is too slow to take advantage of (2008 model) and my Mac Pro is off 97% of the time. Unless they infected my G4 Cube I think I'm safe. :D

cali 10 Years · 3494 comments

Wow, Macs being infected by something. How is this even happening?

applesauce007 17 Years · 1703 comments

It's a Java bug. I don't have this JavaW folder on my Mac running Yosemite.

cali 10 Years · 3494 comments

Quoting TheWhiteFalcon: "This never would have happened if Steve were still here. This never would have happened if Apple hadn't ditched PPC. This is all Tim Cook's fault, he's killing Apple. /s There, I got the potential stupidity out of the way."

Forgot one: because 3B Apple paid for stupid Beats!! /s

bsenka 17 Years · 801 comments

By "infected", you mean people installed it on their own Macs thinking it was pirated software, right?