Here’s how to tell if your Mac is infected with the new iWorm Botnet

There’s a new strain of malware that specifically targets OS X.

Virus hunters have discovered a sophisticated botnet targeting Mac OS X computers and using a novel technique to operate. The malware has infected about 18,500 Macs, according to recent statistical analysis.

The Mac malware, called iWorm, uses a complex multi-purpose backdoor, through which criminals can issue commands that get the malicious program to carry out a wide range of instructions on the infected Macs.

According to researchers, the backdoor makes extensive use of encryption in its routes. It is capable of discovering what other software is installed on the infected machine and sending out information about it (operating system), opening a port on it, downloading additional files, relaying traffic, and sending a query to a web server to acquire the addresses of the C&C servers, essentially turning your Mac into a zombie.

To see if you are infected, go into the Finder and Select Go > Go to Folder…. When the Go to folder sheet appears, enter this folder name:

/Library/Application Support/JavaW

Now click the Go button. If the Finder tells you the folder can’t be found, you should be OK. If the folder is found, you are likely infected and should consider some anti-virus software or a trip to the Apple Store.

The linked article is definitely worth a read. [Hat Tip Stu Mark]



  • Sigivald

    Interesting that there’s no mention of what the infection vector has been… does anyone even know?

    • Sigivald

      I mean, I’m assuming it’s the usual trojan thing, but…

    • lucascott

      From various articles it sounds like it was a link off of one or more Reddit forums. Probably posing as an image site or such.

      My guess is that it popped up a notice about needing to install/update flash or java to view and less than savvy users clicked the given link and downloaded a tainted installer

      • Sigivald

        So, yeah, trojan.

  • ^ this

  • shazbat

    Completely inexcusable that they answer the question “How do I get rid of it?” with “Buy our software.”

    • GFYantiapplezealots

      A lot of these anti-virus companies actually write the viruses, and then pretend to be the first ones to find it so they’ll get the press coverage. Kaspersky comes to mind.

    • Pretty much what I’ve said on every single one of the Android malware posts here.

      Reading these comments are so funny in comparison to Android being targeted (not even infected). 😀

  • Both the linked Intego site and the Dr. Web site don’t have much information on what this thing does other than download and upload files and system info. And they still have no info on how you initially get infected.

    Files are bad enough, but there is no information on if your system is encrypted if the bot is getting anything useful or not.

    Guess I’ll check my Mac, but overall we need a lot more info than to buy antivirus software because of one infection in how many years? (I.E. is it truly a virus or is it from downloaded pirate software trojans and such?)

  • Scruffi

    From the Symantec tech details page: “The Trojan is shared through BitTorrent and is bundled in a .zip file as a crack with a copy of the Adobe Photoshop application.”

    http://www.symantec.com/security_response/writeup.jsp?docid=2009-012620-2836-99&tabid=2

    • Scruffi

      derp – sorry, that might not be the right item, actually. I did a search on Symantec and that’s what came up. But it’s from 2009… durr

      • James Hughes

        No derp… From my research it seems to be the same thing or a variant. Like all these malware installers, the user has to install using their admin password. I doubt this will turn out to be any different. Probably 18,500 people trying to install some “free” or cracked software.

  • Geek Life 3.0

    I’m not sure why anyone is suggesting a trip to the Apple Store. Eradicating this is dead easy – just burn the offending .plist file in your LaunchDaemons folder, and the remove the JavaW folder after a restart. As far as protecting yourself, the easiest way is to create your OWN JavaW folder and give it zero access (chmod 000) – the bot that creates the offending file isn’t sophisticated enough to get around that and will fall when it tries to write it’s files.

    BTW – instead of dicking around with a search string, just hold down OPTION when clicking on the “Go” menu in the finder. “Library” will now be one of the menu choices. Select it, then just click into Application Support and then look for the JavaW folder yourself. Typing in a search string leaves you open to getting a “file not found” if you make a typo, leading to a possible false sense of security.

    • Chris Brzozowski

      GL 3.0, Thanks for the tips, they are very handy for a new user like me. (I’ve had my MBP for ten days now).

      How do I assign “zero access (chmod 000)”? Would locking the folder under Get Info accomplish the same thing?

      Cheers, Chris

      • BC2009

        1) Open Terminal app 2) cd /Library/”Application Support” 3) sudo mkdir JavaW 4) [enter your password] 5) sudo chmod 000 JavaW 6) [enter your password again if prompted] 7) quit Terminal

        I think that will do it. Somebody correct me if I missed something.

        • Really?

          You missed the part where it’s a really bad idea to create random zero-access folders in the system Library folder.

          Here’s a better idea – don’t install dodgy Photoshop cracks you downloaded from BitTorrent and you won’t need to worry about trojans and malware.

    • Dork Life 1.4

      Errr. If you choose Option > Go > Library it takes you to the library folder in your home folder.

      /Library/Application Support/JavaW would take you to the root library folder instead.

  • Please don’t advise people to take a trip to the Apple Store unless you’re including that they first make an appointment with the Genius Bar. Otherwise you’re going to wind up with a lot of people making return trips after a Specialist helps them book their appointment.

    • VaricoseVain

      Please don’t advise people to make a trip to the Apple Store period.

  • Tinfoil

    Let me guess. Samsung did it.