'iWorm' malware controls Macs via Reddit, more than 17K affected

Screenshot of Reddit.com post hosting iWorm's C&C server list. | Source: Dr. Web

Entered into the virus database of Russian research firm Dr. Web as "Mac.BackDoor.iWorm," the new threat is described as a complex multi-purpose backdoor capable of issuing a variety of commands to be carried out by an affected host Mac. Among the operations available to the malware are data gathering and limited system remote control.

After iWorm installs, it creates an operating file, opens a port to request a list of control servers and connects, awaiting further instructions. Unique to this particular piece of malware is its use of Reddit.com's search service to retrieve the botnet server list, which until recently was disguised in a comment to the post "minecraftserverlists."

The Reddit string has since been shut down, but iWorm's creators likely set up another server list through an alternate search service that has yet to be discovered.

Once iWorm connects with a command and control server, the backdoor pulls in instructions via binary data or the Lua programming language. Alternatively, connected servers can send over another bit of malware to further compromise the affected machine.

iWorm itself can gather and send off sensitive user information, set parameters in configuration files, perform GET queries, put a Mac to sleep, ban nodes and perform nested Lua scripts, among other backdoor operations.

Because iWorm extracts into a folder on OS X, users can check if their Mac is infected by navigating to "Go > Go to Folder" from the OS X Finder menu and typing in /Library/Application Support/JavaW. If OS X cannot find the folder, the computer is clear. If the folder is found, however, users are urged to employ an anti-virus program to wipe iWorm from their hard drive.

According to Dr. Web's statistical analysis of iWorm, the malware as infected some 17,658 Macs worldwide as of Sept. 26.