
The Mac.BackDoor.iWorm threat in detail - ConceitedCode
http://news.drweb.com/show/?i=5977
======
nknighthb
All of the information I've seen about this "worm" comes from a single anti-
virus vendor I've never heard of, and the information is painfully thin --
most critically, there is no information at all on how it's spread.

This particular headline (which, to be fair, does not come from the linked
page) uses the word "exploit", but there is no evidence of what, if any, flaw
is being exploited.

"Worm" has a rather specific meaning. It's malware that self-propagates
through a network. Strictly construed, the only way this can happen is if
there is a security flaw being exploited. A looser definition includes things
like the infamous "ILOVEYOU" "worm", that automatically distributes itself,
but requires user interaction to infect a target.

In this case, neither means of distribution is in evidence.

At this point, I'm skeptical that this "worm" exists at all.

~~~
aespinoza
VirusTotal has the analysis here:
[https://www.virustotal.com/en/file/43a929c2059440ea899baf47e...](https://www.virustotal.com/en/file/43a929c2059440ea899baf47edcfb3ac764d3e0ef1bf4ba7917618e4821d9cb5/analysis/)

It does exist, and it is detected by several vendors, not just Dr.Web.

~~~
nknighthb
Well, that's not what I'd call an "analysis", and if that's really about the
same "worm", it's at least 22 months old, not "new".

        First submission 2012-11-11 16:21:18 UTC ( 1 year, 10 months ago )
        Last submission 2014-05-08 21:33:59 UTC ( 4 months, 3 weeks ago )

Sounds like a small-time vendor trying to make a name for itself by
"dissecting" an old trojan. Maybe they want some extra revenue for Christmas
bonuses.

~~~
techrat
Yet the account mentioned in the article is 2 months old.

[http://www.reddit.com/user/vtnhiaovyd](http://www.reddit.com/user/vtnhiaovyd)

------
tonyplee
In Linux, one way I protected my webserver in the past was to just do:

        cd /; sudo git init; sudo git add /etc /{bin,sbin,lib} /usr/{bin,sbin,lib,local} ...  ; sudo git commit

git clone / into another remote server, and I can git diff from time to time
to see if anyone/any code modded my system.

One very nice side effect of this system is that I got to know in detail what
files were modded and added whenever I did an "apt-get install ...".

Questions for Mac gurus:

1. Has anyone done this on Mac?

2. Any pros/cons on why or why not to do this?

3. Other than /{bin,sbin,lib}, /etc and /usr/{bin,sbin,lib}, what other dirs
should I add? What's the best way to handle /Applications/ (25GB)?

4. What other dirs can a worm/virus hide in on my Mac?

Any good dtrace scripts to help monitor who/what is writing to those places?

~~~
patio11
Keep in mind that, if the attacker gets code execution on your box, everything
the box says is a lie if he wants it to be. You may catch some dumb attackers
who leave readily available evidence of compromise, but there exists off-the-
shelf ratware which is not amenable to discovery via simply diffing.

As to where else a worm/virus can hide in your Mac: everywhere. Got a hard
disk with writable firmware? It could be in the firmware. If you ask the
firmware "Hey, apropos of nothing, do you contain a virus?" it will say "No,
no, only totally authorized hard disk firmware here. Feel absolutely safe
about reading executable instructions from me."

~~~
atmosx
> Keep in mind that, if the attacker gets code execution on your box,
> everything the box says is a lie if he wants it to be.

Sure, but in real life that's extremely unlikely. I've never seen such a
'rootkit', meaning a rk complete at every level that disguises EVERYTHING
(processes, connections, evades anti-rk software, etc.). It's been many years
since the last time I was interested in _security_ so things might have
changed, but given the amount, time and effort that such a rootkit would take
(to target specific OSes/versions) I'd say that it's highly unlikely unless
it's gov-funded.

~~~
walterbell
How would you know, unless you booted from read-only media that contained
signatures of known-good files?

~~~
atmosx
I can only judge by what I see, I can't judge real life applications by
theorising about _what's possible_ and I remember playing around with
rootkits since adore-ng (by TT), which was fairly sophisticated back in the
day.

~~~
walterbell
If you're going to judge, that implies you have at least _looked_ for
information on which to base a judgement. In this case, "looking" is not
possible with a compromised OS, it requires booting from forensic media.

Edit: to downvoter, you may want to read Phrack April 2014,
[http://www.phrack.org/papers/revisiting-mac-os-x-kernel-root...](http://www.phrack.org/papers/revisiting-mac-os-x-kernel-rootkits.html)
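As an added example (not code from any commenter or from the Dr.Web write-up), here is the baseline-and-diff idea from tonyplee's git approach in a form that addresses walterbell's point: the manifest is a plain JSON file you can keep off-host and compare against while the suspect disk is mounted read-only from other media, because paths are stored relative to a volume root. The root list, the file names and the changes made in `demo()` are assumptions constructed for the demonstration; it records content hash, permission bits and symlink targets, so a mode-only change is caught as well as a content edit.

```python
import hashlib
import json
import os
import stat
import tempfile

# Roots a first Mac baseline might cover (assumed list, extending the
# commenter's /etc, /bin, /sbin, /lib, /usr/* set with the launchd directories).
DEFAULT_ROOTS = ["/etc", "/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib",
                 "/Library/LaunchDaemons", "/Library/LaunchAgents"]


def file_digest(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(roots, base="/"):
    """Record every regular file and symlink under the roots.

    Keys are paths relative to `base`, so a manifest taken from a volume mounted
    under another prefix (e.g. from forensic boot media) compares cleanly.
    Symlinks are recorded by target and never followed."""
    manifest = {}
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):  # followlinks=False by default
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                    if stat.S_ISLNK(st.st_mode):
                        entry = {"link": os.readlink(path)}
                    elif stat.S_ISREG(st.st_mode):
                        entry = {"sha256": file_digest(path),
                                 "mode": oct(stat.S_IMODE(st.st_mode)),
                                 "size": st.st_size}
                    else:
                        continue  # sockets, fifos, devices: not part of the baseline
                except OSError:
                    continue  # unreadable when run unprivileged; rerun as root for full coverage
                manifest[os.path.relpath(path, base)] = entry
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def diff_manifests(baseline, current):
    """Classify each path as added, removed or modified (hash, mode, size or link target)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed tree: baseline it, make three kinds of change, diff against the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = os.path.join(tmp, "etc")
        daemons = os.path.join(tmp, "Library", "LaunchDaemons")
        os.makedirs(etc)
        os.makedirs(daemons)
        hosts = os.path.join(etc, "hosts")
        sudoers = os.path.join(etc, "sudoers")
        with open(hosts, "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(sudoers, "w") as f:
            f.write("root ALL=(ALL) ALL\n")
        os.chmod(sudoers, 0o440)
        roots = [etc, daemons]

        baseline_file = os.path.join(tmp, "baseline.json")  # outside the watched roots
        save_manifest(build_manifest(roots, base=tmp), baseline_file)

        # Simulated changes: a content edit, a permission change, a new launch item.
        with open(hosts, "a") as f:
            f.write("127.0.0.1 added-entry.example\n")
        os.chmod(sudoers, 0o666)
        with open(os.path.join(daemons, "com.JavaW.plist"), "w") as f:
            f.write('<plist version="1.0"><dict/></plist>\n')

        return diff_manifests(load_manifest(baseline_file), build_manifest(roots, base=tmp))
```

For real use, run `build_manifest(DEFAULT_ROOTS)` as root on a freshly installed system, keep the JSON somewhere the box cannot write to, and diff from trusted media; as patio11 notes, a diff run on the compromised host itself can be lied to.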

------
X-Istence
Alright, now how does this spread? How would I get this piece of malware onto
my computer? Do I need to browse the web? Do I need to install a piece of
software that is vulnerable?

That's what I care about, how can I protect myself against this, and saying
"Buy Anti Virus software" is NOT the right answer.

All I see so far from other reports is that you would have had to install
software, bypass the signing requirement and that software had to come from a
less than legitimate location to carry with it the malware ...

~~~
coldcode
Yeah, how is this useful or even meaningful without mentioning how it gets
in? Worthless analysis otherwise.

~~~
meowface
You probably don't work as a malware analyst. This is a perfectly fine
analysis.

Malware has been spreading the same way it always has: phishing, social
engineering, application exploits. It's very rare that you actually see a new
infection mechanism or a new zero-day just for a particular piece of malware.
That's what makes malware like Stuxnet extremely exceptional.

------
ricardobeat
The reported signature goes back to a backdoor found in 2009:
[http://www.symantec.com/security_response/writeup.jsp?docid=...](http://www.symantec.com/security_response/writeup.jsp?docid=2009-012620-2836-99)

Looks like you have to install an unsigned app plus give it admin permissions,
so not a worm.

------
pebbleduc
[http://appleinsider.com/articles/14/10/03/iworm-malware-cont...](http://appleinsider.com/articles/14/10/03/iworm-malware-controls-macs-via-reddit-more-than-17k-affected)

Because iWorm extracts into a folder on OS X, users can check if their Mac is
infected by navigating to "Go > Go to Folder" from the OS X Finder menu and
typing in /Library/Application Support/JavaW. If OS X cannot find the folder,
the computer is clear. If the folder is found, however, users are urged to
employ an anti-virus program to wipe iWorm from their hard drive.

~~~
lloeki
> users are urged to employ an anti-virus program to wipe iWorm

        rm -rf "/Library/Application Support/JavaW"
        rm -rf /Library/LaunchDaemons/whatever
        killall -9 com.JavaW

Of course, compromised system, so all bets are off and anything else may be
installed. Hope is not a plan, and using an antivirus is only asking for
hopeful solutions. I fear for the return of the scareware.

Users are urged to reinstall OS X from scratch and restore only user data from
a Time Machine backup from the user setup dialog.
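As an added example, not from the AppleInsider article or from any commenter, the manual check above can be made a read-only sweep: it looks for the `/Library/Application Support/JavaW` folder and for any launchd item whose program lives under it, and reports rather than deletes. It takes a volume root so the same sweep works on a disk mounted from other boot media. The launch item names and contents built in `demo()` are constructed for the demonstration.

```python
import os
import plistlib
import tempfile

# Indicator paths from the thread, relative to the volume root so a disk
# mounted from forensic boot media can be scanned the same way as "/".
INDICATOR_DIR = "Library/Application Support/JavaW"
LAUNCH_DIRS = ("Library/LaunchDaemons", "Library/LaunchAgents")


def launch_item_program(plist_path):
    """Return the executable a launchd plist would start, or None if unreadable."""
    try:
        with open(plist_path, "rb") as f:
            info = plistlib.load(f)
    except Exception:  # unreadable or malformed plist: skip it rather than abort the sweep
        return None
    if isinstance(info.get("Program"), str):
        return info["Program"]
    args = info.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def points_into_indicator_dir(program):
    """True when the program path is the indicator directory or lives under it."""
    prefix = "/" + INDICATOR_DIR
    return program == prefix or program.startswith(prefix + "/")


def sweep(volume_root="/"):
    """Return (kind, path) findings. The sweep only reads; it removes nothing."""
    findings = []
    indicator = os.path.join(volume_root, INDICATOR_DIR)
    if os.path.isdir(indicator):
        findings.append(("indicator_dir", indicator))
    for rel in LAUNCH_DIRS:
        launch_dir = os.path.join(volume_root, rel)
        if not os.path.isdir(launch_dir):
            continue
        for name in sorted(os.listdir(launch_dir)):
            if not name.endswith(".plist"):
                continue
            plist_path = os.path.join(launch_dir, name)
            program = launch_item_program(plist_path)
            if program and points_into_indicator_dir(program):
                findings.append(("launch_item", plist_path))
    return findings


def demo():
    """Constructed volume: the indicator folder, one launch item pointing into it
    and one benign launch item; a second, non-existent volume shows the clean case."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, INDICATOR_DIR))
        daemons = os.path.join(tmp, "Library", "LaunchDaemons")
        os.makedirs(daemons)
        with open(os.path.join(daemons, "com.JavaW.plist"), "wb") as f:
            plistlib.dump({"Label": "com.JavaW",
                           "ProgramArguments": ["/Library/Application Support/JavaW/JavaW"],
                           "RunAtLoad": True}, f)
        with open(os.path.join(daemons, "com.example.benign.plist"), "wb") as f:
            plistlib.dump({"Label": "com.example.benign", "Program": "/usr/bin/true"}, f)
        infected = [kind for kind, _ in sweep(tmp)]
        clean = sweep(os.path.join(tmp, "other-volume"))
    return infected, clean
```

A hit from `sweep()` is a reason to reinstall and restore user data, as the comment above says, not a reason to trust the host's own view of itself any further.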

------
rnovak
I would really love to submit this encryption method to the PCI auditors....
"uses encryption extensively".

Edit: seriously? The first example is a shift cipher and a one-time pad of all
'M'.

~~~
isomorphic
Perhaps you'd be happier with the term "obfuscation." But the code does meet
the textbook definition of "encryption." Maybe not _strong_ encryption...

~~~
rnovak
Where did I say it wasn't encryption? I said I'd like to submit it to my PCI
auditor as _my_ method of encryption, much easier than proper applied crypto.
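Added example, not from the write-up or any commenter, to put numbers behind the "obfuscation" remark above: a pad of all 'M' is a single-byte XOR, and a shift cipher is an add-a-constant over bytes, so each has a key space of 256 and the key falls out of the ciphertext alone by scoring which of the 256 candidates looks most like text. The sample plaintext, the shift value 13 and the scoring weights are constructed assumptions.

```python
import string

# Constructed sample plaintext and the all-'M' key byte from the thread.
PLAINTEXT = b"config: server=updates.example.invalid port=8080 interval=60 seconds\n"
KEY_BYTE = ord("M")  # 0x4D


def xor_constant(data, key):
    """A 'one-time pad' whose every byte is the same collapses to single-byte XOR.
    XOR is its own inverse, so this both applies and removes the key."""
    return bytes(b ^ key for b in data)


def byte_shift(data, shift):
    """Shift cipher over bytes: add a constant modulo 256; shift by -k to undo."""
    return bytes((b + shift) & 0xFF for b in data)


_LETTERS_OR_SPACE = set(string.ascii_letters.encode()) | {0x20}
_PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def text_likeness(candidate):
    """Crude score: letters and spaces count most, other printable bytes a little,
    control bytes heavily against. Enough to single out the right key among 256."""
    score = 0
    for b in candidate:
        if b in _LETTERS_OR_SPACE:
            score += 3
        elif b in _PRINTABLE:
            score += 1
        else:
            score -= 20
    return score


def recover_single_byte_key(ciphertext, undo):
    """Exhaust the 256-value key space and keep the most text-like candidate.
    `undo(ciphertext, k)` must strip key k from the ciphertext."""
    best_key = max(range(256), key=lambda k: text_likeness(undo(ciphertext, k)))
    return best_key, undo(ciphertext, best_key)


def demo():
    """Encrypt the sample both ways, then recover key and plaintext from ciphertext alone."""
    xor_ct = xor_constant(PLAINTEXT, KEY_BYTE)
    shift_ct = byte_shift(PLAINTEXT, 13)
    return {
        "xor": recover_single_byte_key(xor_ct, xor_constant),
        "shift": recover_single_byte_key(shift_ct, lambda ct, k: byte_shift(ct, (-k) & 0xFF)),
    }
```

The same scoring trick is how an analyst reads a sample's strings or config out of this kind of "encryption" without ever seeing the key; that is the gap between obfuscation and the encryption a PCI auditor expects.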

------
super_mario
Guys, this is such obvious scare propaganda to sell you their anti-virus
software (which I would be more scared about installing).

Basically their pitch is: Be afraid, be afraid, there is this malware we
have no idea how it gets to your computer, but we have it and have analyzed
what it does. And did you know that if you had our antivirus program you would
be completely safe.

And as it turns out it's just another trojan horse that has to be installed by
the user to work.

[http://www.thesafemac.com/iworm-method-of-infection-found/](http://www.thesafemac.com/iworm-method-of-infection-found/)

------
aespinoza
More information here: [http://www.thesafemac.com/dr-web-announces-new-iworm-malware...](http://www.thesafemac.com/dr-web-announces-new-iworm-malware/)

------
joshkpeterson
The reddit thread [1] explains that the worm was posting information on
/r/minecraftserverlists, presumably as a way to easily, anonymously, and
publicly store and retrieve information.

Just last week in the thread on the twitter image bots [2] someone postulated:

>I wonder if you could build some kind of distributed neural net on top of
twitter or another social network. Find some way to get nodes with very little
computation power hidden within a free app, webpage, screensaver or
something[1], and use twitter as a communications channel instead of IRC or
whatever.

...

> Or a botnet, if you're feeling evil.

[1][http://www.reddit.com/r/news/comments/2i6rte/hackers_have_fo...](http://www.reddit.com/r/news/comments/2i6rte/hackers_have_found_a_flaw_in_macs_and_are_using/ckzdvf4)

[2][https://news.ycombinator.com/item?id=8377985](https://news.ycombinator.com/item?id=8377985)

~~~
AlyssaRowan
Both Twitter and simple Google searches have been extensively used for basic
C&C techniques.

