Apple Updates Malware Definitions to Protect Against Botnet Threat Coordinated Via Reddit

by

Last week, Russian anti-virus firm Doctor Web disclosed a newly discovered piece of OS X malware known as Mac.BackDoor.iWorm that at the time had affected roughly 17,000 machines around the world. While the exact mechanism of infection was unclear, an interesting twist to the story involves compromised machines running search queries on Reddit to obtain instructions about which command and control servers should be used to manage the botnet.

It is worth mentioning that in order to acquire a control server address list, the bot uses the search service at reddit.com, and -- as a search query -- specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date. The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd.

Once connected to a command and control server, the backdoor opened by the malware on the user's system can receive instructions to perform a variety of tasks, from stealing sensitive information to receiving or spreading additional malware.

In an effort to address the threat, Apple has now updated its "Xprotect" anti-malware system to recognize two different variants of the iWorm malware and prevent them from being installed on users' machines.

xprotect_iworm
First introduced with OS X Snow Leopard, Xprotect is a rudimentary anti-malware system that recognizes and alerts users to the presence of various types of malware. Given the relative rarity of malware targeting OS X, the malware definitions are updated infrequently, although users' machines automatically check for updates on a daily basis. Apple also uses the Xprotect system on occasion to enforce minimum version requirements for plug-ins such as Flash Player and Java, forcing users to upgrade from older versions known to carry significant security risks.

Popular Stories

iPhone 17 Pro Render Front Page Tech

iPhone 17 Pro Launching Later This Year With These 10 New Features

Sunday March 23, 2025 10:00 am PDT by
While the iPhone 17 Pro and iPhone 17 Pro Max are not expected to launch until September, there are already plenty of rumors about the devices. iPhone 17 Pro's alleged design via Front Page Tech Below, we recap key changes rumored for the iPhone 17 Pro models as of March 2025: Aluminum frame: iPhone 17 Pro models are rumored to have an aluminum frame, whereas the iPhone 15 Pro and iPhone...
Read Full Article236 comments
iCloud General Feature Redux

iPhone Users Who Pay for iCloud Storage Receive a New Perk

Thursday March 20, 2025 12:01 am PDT by
If you pay for iCloud storage on your iPhone, Apple has a new perk for you, at no additional cost. The new perk is the ability to create invitations in the Apple Invites app for the iPhone, which launched in the App Store last month. In the Apple Invites app, iCloud+ subscribers can create invitations for any occasion, such as birthday parties, graduations, baby showers, and more. Anyone ...
Read Full Article30 comments
Generic iOS 18

Apple Seeds iOS 18.4 and iPadOS 18.4 Release Candidate With Priority Notifications, Ambient Music and More

Monday March 24, 2025 10:07 am PDT by
Apple today seeded the release candidate versions of upcoming iOS 18.4 and iPadOS 18.4 updates to developers for testing purposes, with the software coming a week after Apple released the fourth betas. iOS 18.4 and iPadOS 18.4 can be downloaded from the Settings app on a compatible device by going to General > Software Update. With iOS 18.4, Apple is adding the Priority Notifications...
Read Full Article52 comments
airpods max 2024 colors

Don't Buy Into Apple's Hype About AirPods Max Gaining Lossless Audio

Monday March 24, 2025 4:24 pm PDT by
Apple today announced that AirPods Max with a USB-C port will be gaining support for lossless audio and ultra-low latency audio with a firmware update next month, alongside the release of iOS 18.4, iPadOS 18.4, and macOS 15.4. For context, audio files are typically compressed to keep file sizes smaller. There are lossy compression standards like MP3 and AAC (Advanced Audio Codec), which...
Read Full Article266 comments
Generic iOS 18

iOS 18.4 Coming Soon With These New Features for Your iPhone

Tuesday March 25, 2025 6:45 am PDT by
Apple is expected to release iOS 18.4 to the general public as soon as next week, following more than a month of beta testing. Apple's website says some iOS 18.4 features will be released in "early April," so the update should be out as early as Tuesday, April 1. Apple this week seeded the iOS 18.4 Release Candidate, which is typically the final beta version, barring the discovery of any...
Read Full Article14 comments
iOS 18

Top 5 New Features Coming in iOS 18.4

Friday March 21, 2025 3:26 pm PDT by
We're not getting new Siri Apple Intelligence features in iOS 18.4 as expected, but the upcoming update does have quite a few new additions that will be worth upgrading for. We've rounded up the five best features to look forward to, and if you're not running the beta, you can expect to get access to these in early April. Priority Notifications If you have an iPhone or iPad that supports...
Read Full Article93 comments
Foldable iPhone 2023 Feature Iridescent Search

Foldable iPhone Expected to Launch Next Year, Costing Around $2,000

Monday March 24, 2025 3:43 am PDT by
Apple will launch its long-rumored foldable iPhone next year with a ~$2,000 premium price tag attached, expects well-connected Bloomberg reporter Mark Gurman. Gurman's comments on Apple's launch plans for its first foldable device appeared in the Q&A section of his latest Power On newsletter. Earlier this month, the reporter said Apple's foldable iPhone could be arriving "as early as 2026,"...
Read Full Article155 comments
ios 19 messages app

Here's What Apple's iOS 19 Messages App Might Look Like

Tuesday March 25, 2025 11:52 am PDT by
Leaker Jon Prosser today shared a mockup of what he says the Messages app will look like in iOS 19, demoing an interface with rounded, translucent bubble-shaped navigation buttons at the top and softer, rounder corners for the keyboard and word suggestions. Jon Prosser's Messages app mockup The return button, a button for going back to the Messages list, and the FaceTime button have a deeper...
Read Full Article93 comments

Top Rated Comments

mikethebigo Avatar
mikethebigo
137 months ago
It has been discovered how the botnet is installed. You have to download a pirated app, such as Photoshop, and then give the pirated installer administrator privileges.

No amount of malware security can fix stupid.

EDIT: Link to evidence: http://www.thesafemac.com/iworm-method-of-infection-found/ (http://www.thesafemac.com/iworm-method-of-infection-found/)
Score: 45 Votes (Like | Disagree)
smithrh Avatar
smithrh
137 months ago
It has been discovered how the botnet is installed. You have to download a pirated app, such as Photoshop, and then give the pirated installer administrator privileges.

No amount of malware security can fix stupid.

Good update - a lot of the "Hey look! Mac malware!" hue and cry has, of course, come from the usual places, namely antivirus software houses - and that hue and cry has not mentioned how the damn thing gets in your Mac in the first place.

That was a glaring omission, and it was right for MacRumors to hold off until now.
Score: 21 Votes (Like | Disagree)
Parasprite Avatar
Parasprite
137 months ago
I will have to check and see if this update is via the store or the site.

You won't find it in either because the update is via xprotect, which is updated automatically. I know there used to be a way to force an update using a terminal command, but iirc there isn't a way to do this in Mavericks (yet).
Score: 16 Votes (Like | Disagree)
brdeveloper Avatar
brdeveloper
137 months ago
Well, I'm stuck with Gimp because I'm adult and don't support piracy, and Photoshop is just too expensive for amateur photography, unless it's your main and single hobby. It's not my case, since I'm a multi-interest hobbyist. I even use the buggy Audacity for recording stuff I play with my guitar.

However there's a thing that really annoys me when installing software: allowing administrator rights. Ok, let's give administrator rights so the app can copy stuff to some system folders, but since it should not be the standard behavior of any app, why OSX doesn't give a more detailed explanation of what will be done with the root access I'm giving? It could throw that warning popup with a button providing additional details of the operation, don't you agree?
Score: 12 Votes (Like | Disagree)
slattery69 Avatar
slattery69
137 months ago
Download and install the xprotect update I posted before in https://forums.macrumors.com/showpost.php?p=20014686&postcount=12

No offence but is the file safe? not to be rude but this thread is about downloading files from unknown sources and just installing them
Score: 10 Votes (Like | Disagree)
nagromme Avatar
nagromme
137 months ago
You can NAME your trojan “worm,” but that does not make it a worm. (It does make good attention-bait for security firms’ PR departments.)

IF this bad software actually did spread BY ITSELF, then it would seem to be the first real-world successful OS X “virus.” (Technically, “worm” is the better term: a “virus” specifically infects/alters apps, while a “worm” is less specific: any malware that spreads on its own.)

But that doesn’t appear to be the case—making this just another trojan.

Any OS is vulnerable to lies, and that’s what a trojan is: someone lies to you and says “trust this program with your system!” Luckily, OS X makes trojans pretty hard to get these days: you have to go to some very specific effort to run un-trusted, unsigned code. If you know how to do that, you should know better! (Signed code can be remotely shut down by Apple if it's determined to be bad--even outside the App Store.)

Pirates beware: don’t trust shady downloads.
Score: 10 Votes (Like | Disagree)
Read All Comments