The computer virus, first identified at the end of last month, has reportedly infected over 17,000 machines, allowing criminal hackers to execute a wide range of commands.
Discovered by security experts at Doctor Web, producers of the well-known Russian anti-virus software by the same name, the so-called “Mac.BackDoor.iWorm” software reportedly accepts commands from hackers through comments left on the social link-sharing website Reddit.
According to Doctor Web, when “iWorm” launches, the program quickly assumes control of an infected machine by rewriting configuration files located in the home directory of the Mac OS account it’s running under. After opening a port on the machine, it connects to a remote control server and awaits instructions.
The most interesting part of the iWorm malware, however, is in how it acquires control server addresses. Doctor Web explains:
It is worth mentioning that in order to acquire a control server address list, the bot uses the search service at reddit.com, and—as a search query—specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date. The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd.
In other words, hackers are depositing the addresses of servers on Reddit able to issue commands to the infected Macs. Reddit user “vtnhiaovyd,” the user account allegedly tied to the malicious software, did not immediately respond to a request for comment.
Although current figures were not immediately available, as of Friday, Sept. 26, there were approximately 17,600 infected machines detected, with the largest single share, nearly a third of them, located in the United States.
It’s unknown at this time what underhanded purpose the hackers had planned for the growing number of machines wrangled by their malware. Typically a botnet—an army of zombie computers under hackers’ control—is used to launch spam and distributed denial of service (DDoS) attacks over the Web.
At time of writing, Reddit had shuttered the dubious Minecraft subreddit being used by the hackers, presumably in response to widespread reports about iWorm. It’s not immediately clear if the infected machines can be taken over using other means.
Thankfully, there appears to be a simple way to check to see if your Mac has been infected by the iWorm virus. According to Safe Mac: “Go to the Finder and choose ‘Go to Folder’ from the ‘Go’ menu. Copy the following path and paste it into the window that opens—/Library/Application Support/JavaW—then, click the ‘Go’ button.”
If you get a message in the bottom left corner that says the folder can’t be found, “then you should be okay,” Safe Mac says.
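Two things in this article lend themselves to a defender-side check: the Reddit lookup Doctor Web describes (the bot searches reddit.com for the hex of the first 8 bytes of the MD5 of the current date), which gives network defenders a daily string to hunt for in web proxy logs, and the Safe Mac folder test, which can be scripted instead of done by hand in the Finder. The script below is an added example written for this page; it is not code from Doctor Web, Safe Mac or the malware. The article does not say how the bot formats the date before hashing, so the `%Y-%m-%d` format is an assumption, and the proxy log lines are constructed for the example.

```python
import hashlib
import os
import re
from datetime import date, timedelta

# Folder Safe Mac tells users to look for (from the article).
IWORM_DIR = "/Library/Application Support/JavaW"


def reddit_search_token(day, fmt="%Y-%m-%d"):
    """Hex of the first 8 bytes of MD5(date string), i.e. the first 16 hex
    digits of the digest. Doctor Web says the bot uses this as its reddit.com
    search query; the date string format is not given in the article, so the
    default format here is an assumption (override with fmt= if known)."""
    digest = hashlib.md5(day.strftime(fmt).encode("ascii")).digest()
    return digest[:8].hex()


def candidate_tokens(today, days_back=3, fmt="%Y-%m-%d"):
    """Map token -> date for today and the previous few days, so a hunt is not
    thrown off by timezone differences or machines that beaconed yesterday."""
    days = [today - timedelta(days=i) for i in range(days_back + 1)]
    return {reddit_search_token(d, fmt): d for d in days}


# Matches a reddit.com search whose q= parameter is exactly 16 hex digits.
SEARCH_RE = re.compile(r"reddit\.com/search\S*[?&]q=([0-9a-fA-F]{16})\b")


def find_beaconing_hosts(log_lines, tokens):
    """Return (client, token, date) for every proxy log line whose reddit.com
    search query equals one of the per-day tokens. The log format assumed here
    is 'client timestamp method url' (constructed for this example)."""
    hits = []
    for line in log_lines:
        match = SEARCH_RE.search(line)
        if not match:
            continue
        query = match.group(1).lower()
        if query in tokens:
            client = line.split()[0]
            hits.append((client, query, tokens[query]))
    return hits


def iworm_dir_present(root="/"):
    """Scripted version of the Safe Mac check: True if the JavaW folder exists.
    root= lets the check run against a mounted image or a test tree."""
    return os.path.isdir(os.path.join(root, IWORM_DIR.lstrip("/")))


# Constructed sample: one host performing the date-token search on the date the
# article cites, two hosts doing ordinary reddit browsing.
SAMPLE_DAY = date(2014, 9, 26)
_TOKEN = reddit_search_token(SAMPLE_DAY)
SAMPLE_LOG = [
    f"10.0.0.12 2014-09-26T10:01:07Z GET http://www.reddit.com/search?q={_TOKEN}",
    "10.0.0.13 2014-09-26T10:02:11Z GET http://www.reddit.com/search?q=homebrew+cask",
    "10.0.0.14 2014-09-26T10:05:42Z GET http://www.reddit.com/r/minecraft/",
]


def hunt_sample():
    """Run the hunt over the constructed log; used by the stand-alone run."""
    return find_beaconing_hosts(SAMPLE_LOG, candidate_tokens(SAMPLE_DAY))


if __name__ == "__main__":
    for client, token, day in hunt_sample():
        print(f"{client} searched reddit for {token} (token for {day})")
    print("JavaW folder present:", iworm_dir_present())
```

Run on a real proxy export, replace `SAMPLE_LOG` with the file's lines and `SAMPLE_DAY` with `date.today()`; if the date format the bot uses turns out to differ, only `fmt=` needs changing. A hit on a 16-hex-digit reddit search is a strong, low-noise indicator because ordinary users do not search for such strings.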