
Researcher details iWorm infection vector, persistence mechanism, in paper

Mac users were infected by iWorm when they went to The Pirate Bay and downloaded infected pirated applications, such as Photoshop, Patrick Wardle, director of research at Synack, said in a Monday email correspondence, explaining that the downloaded installer itself is malicious.

“It first would surreptitiously install iWorm, and only then, install the program that the user was expecting, [such as Photoshop],” Wardle said. “End result, Photoshop would be installed, but so would the iWorm malware! I used the term persistently, since the malware will then be permanently installed and will automatically start each time the user's computer is rebooted.”
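The persistence Wardle describes, starting again on every reboot, is on OS X normally registered through a launchd property list in one of the LaunchDaemons or LaunchAgents directories. The article does not say which location or label iWorm used, so the following is an added, generic audit of those directories rather than a signature for iWorm; it is not code from the page or from Wardle's paper. The trusted-prefix heuristic, the sample plists and the `com.example.updater` label are assumptions made for the example.

```python
"""Audit launchd property lists for boot-time persistence entries.

Added example, not from the page or from Wardle's paper. The page only says
iWorm restarts on every reboot; this is a generic hunt over the standard
launchd locations, not a detection for iWorm specifically.
"""
import os
import plistlib
from pathlib import Path
from typing import Dict, Iterable, List

# Standard launchd persistence locations on OS X (system-wide and per-user).
LAUNCHD_DIRS = [
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
]

# Programs under these prefixes belong to the OS itself; anything else gets a
# second look. Heuristic chosen for this example, not an Apple rule.
TRUSTED_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/")


def program_of(plist: dict) -> str:
    """Return the executable a launchd job runs (Program or ProgramArguments[0])."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def is_boot_persistent(plist: dict) -> bool:
    """True if launchd would start this job without any user action."""
    return bool(plist.get("RunAtLoad")) or bool(plist.get("KeepAlive"))


def suspicious_jobs(plists: Dict[str, bytes]) -> List[dict]:
    """Given {plist_path: raw_bytes}, return boot-persistent jobs whose program
    lives outside the trusted OS prefixes, plus any plist that fails to parse
    (a malformed plist in a persistence directory is itself worth reporting)."""
    findings = []
    for path, raw in plists.items():
        try:
            plist = plistlib.loads(raw)
        except Exception:
            findings.append({"plist": path, "label": None, "program": None, "error": "unparseable"})
            continue
        program = program_of(plist)
        if is_boot_persistent(plist) and not program.startswith(TRUSTED_PREFIXES):
            findings.append({"plist": path, "label": plist.get("Label"), "program": program, "error": None})
    return findings


def load_launchd_plists(dirs: Iterable[str] = LAUNCHD_DIRS) -> Dict[str, bytes]:
    """Read every .plist in the launchd directories that exist on this host."""
    out = {}
    for d in dirs:
        for p in Path(d).glob("*.plist"):
            out[str(p)] = p.read_bytes()
    return out


# Constructed sample plists so the audit runs offline; label and paths are made up.
SAMPLE_PLISTS = {
    "/Library/LaunchDaemons/com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Library/Application Support/Example/updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "/Library/LaunchDaemons/com.apple.example.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.example</string>
  <key>Program</key><string>/System/Library/CoreServices/example</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

if __name__ == "__main__":
    # On a Mac the real directories are read; elsewhere the samples are used.
    for finding in suspicious_jobs(load_launchd_plists() or SAMPLE_PLISTS):
        print(finding)
```

On a live system the findings are a starting list, not a verdict: check each flagged program's signature, install date and parent package before acting, and remember that per-user LaunchAgents directories exist for every account, not only the one running the audit.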

At the end of September, Doctor Web wrote about iWorm, a multi-purpose backdoor for Mac OS X with a Reddit-based command-and-control (C&C) server location mechanism. The Russian anti-virus company wrote at the time that iWorm had infected more than 17,000 systems.

The initial infection vector for iWorm – infected torrents on The Pirate Bay – was later reported on by Mac security website The Safe Mac, and on Friday, Wardle provided a more detailed analysis in a paper posted to Virus Bulletin.

Wardle said he is not aware of the malware still spreading, and that spreading it now would be difficult since the Pirate Bay links are gone. Users could, however, share the infected applications directly, possibly without knowing the applications are malicious, he added.

Despite its name, iWorm has no self-propagating mechanism and is actually a classic trojan that spreads only through user interaction, Wardle said, explaining that while users are generally no longer at much risk, some issues remain.

“Apple still does not fully protect its users from the iWorm malware,” Wardle said. “The company, though unable to originally detect the malware, recently released several detection signatures for iWorm, but they are only for the malware's installer(s), leaving existing infections undetected.”

That is not all.

Apple's security features only scan files that carry a quarantine attribute, and setting that attribute is the job of the application that downloaded the file, so depending on which application fetched the malware, the installer may never be scanned at all, Wardle said.
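The attribute in question is the com.apple.quarantine extended attribute. Its value is a semicolon-separated record of flags, a download timestamp, the downloading application and a UUID; a file without it is never handed to the built-in scanner. The following added example (not from the page or from Wardle's paper) parses that value, reads it from a file on a Mac with the `xattr` tool, and, given a list of files known to have been downloaded, reports the ones that arrived without the attribute. The sample paths, the "ExampleTorrentClient" agent name and the flags value `0083` (taken from a typical browser download) are assumptions made for the example.

```python
"""Check downloaded files for the com.apple.quarantine attribute that OS X's
built-in scanning keys on.

Added example, not from the page. On a Mac, read_quarantine() uses the
`xattr` command line tool; offline, the functions work on a constructed sample.
"""
import subprocess
from typing import Dict, List, Optional

QUARANTINE_ATTR = "com.apple.quarantine"


def parse_quarantine(value: str) -> Dict[str, str]:
    """Split a quarantine attribute value into its fields.

    The value is "flags;timestamp;agent;uuid": hex flags, hex seconds since the
    epoch, the name of the application that downloaded the file, and a UUID
    linking the file to the download record. Older values may omit the UUID.
    """
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError("unexpected quarantine format: %r" % value)
    fields = {"flags": parts[0], "timestamp": parts[1], "agent": parts[2]}
    fields["uuid"] = parts[3] if len(parts) > 3 else ""
    return fields


def read_quarantine(path: str) -> Optional[str]:
    """Return the raw attribute value of a file on a Mac, or None if unset.

    Shells out to `xattr -p`; on a host without the tool (any non-Mac) this
    returns None rather than raising.
    """
    try:
        out = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() if out.returncode == 0 else None


def unquarantined(xattrs: Dict[str, Dict[str, str]], downloaded: List[str]) -> List[str]:
    """Report downloaded files that would bypass the quarantine-triggered scan.

    `xattrs` maps path -> {attribute name: value}; `downloaded` lists paths
    known to have come from the network (browser or torrent-client history,
    say). A path with no parseable quarantine attribute is flagged.
    """
    flagged = []
    for path in downloaded:
        raw = xattrs.get(path, {}).get(QUARANTINE_ATTR)
        try:
            if raw is None or not parse_quarantine(raw)["agent"]:
                flagged.append(path)
        except ValueError:
            flagged.append(path)
    return flagged


def mark_quarantined_cmd(path: str, agent: str, when: int, uuid: str = "") -> List[str]:
    """argv that sets the attribute the way a well-behaved downloader would.

    Flags 0083 is what a typical browser download carries; treat it as an
    assumption for this example, not as a specification.
    """
    value = "0083;%x;%s;%s" % (when, agent, uuid)
    return ["xattr", "-w", QUARANTINE_ATTR, value, path]


# Constructed sample: one file fetched by Safari (attribute set), one fetched by
# a hypothetical torrent client that never sets it.
SAMPLE_XATTRS = {
    "/Users/demo/Downloads/browser-download.dmg": {
        QUARANTINE_ATTR: "0083;5421f3a1;Safari;9B0E5C1A-0000-4000-8000-000000000001",
    },
    "/Users/demo/Downloads/torrent-download.dmg": {},
}
SAMPLE_DOWNLOADS = list(SAMPLE_XATTRS)

if __name__ == "__main__":
    for path in SAMPLE_DOWNLOADS:
        live = read_quarantine(path)            # real value on a Mac, else None
        raw = live or SAMPLE_XATTRS[path].get(QUARANTINE_ATTR)
        print(path, parse_quarantine(raw) if raw else "no quarantine attribute")
    print("would bypass scan:", unquarantined(SAMPLE_XATTRS, SAMPLE_DOWNLOADS))
```

The practical check on a Mac is `xattr -l <file>` on anything that came from a torrent client or a custom downloader; if com.apple.quarantine is absent, the file was never scanned, and a downloader that wants its files scanned has to set the attribute itself, as `mark_quarantined_cmd` shows.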

Furthermore, Reddit is still hosting pages containing the addresses of C&C servers, which new infections could still use to locate their controllers, Wardle said, adding that during analysis the malware was also seen communicating with Amazon's cloud.

“The main aim of my paper was to detail the infection vector and persistence mechanism of the OSX/iWorm malware,” Wardle said, going on to add, “More generically, I sought to show how OS X malware is a reality and how Apple's anti-malware mechanism [is] rather useless.”
