OSX_IWORM.A
Backdoor.OSX.iWorm.f (Kaspersky), OSX/iWorm (McAfee), Mac.OSX.iWorm.C (F-Secure), Mac.OSX.iWorm.C (BitDefender), OSX/Iservice.AG (ESET), OSX.Luaddit (Symantec)
Mac OSX
Threat Type: Backdoor
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
Downloaded from the Internet, Dropped by other malware
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It executes commands from a remote malicious user, effectively compromising the affected system.
TECHNICAL DETAILS
Varies
Mach-O
Yes
06 Oct 2014
Connects to URLs/IPs
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
This malware arrives via the following means:
- Disguised as a Legit Application Installer downloaded by user
Installation
This backdoor drops the following files:
- /Library/Application Support/JavaW/JavaW
- /Library/LaunchDaemons/com.JavaW.plist
- /Users/{user name}/.JavaW
- /private/var/root/.JavaW
Backdoor Routine
This backdoor executes the following commands from a remote malicious user:
- Execute scripts
- Download and execute arbitrary file
- Sleep
- Get node information
- Get Bot ID
Information Theft
This backdoor gathers the following data:
- UID
- Opened port
NOTES:
This malware queries the site Reddit to retrieve the list of command-and-control servers from posts:
- http://reddit.com/search?q={key} where {key} is the first 8 bytes of the hashed MD5 value of the current date.
The list of C&Cs are posted below:
SOLUTION
9.700
11.194.04
06 Oct 2014
11.195.00
07 Oct 2014
NOTES:
- Scan using Trend Micro product and take note of the folder where this malware is detected.
- Identify and terminate the malware process using the noted folder in the previous step:
- Open the Terminal. Click on Applications>Utilities>Terminal or type Terminal in Spotlight.
- Type the following in the terminal:
ps –A - Look for the detected files and take note of their PIDs. If the detected files are not found to be running, please proceed to the next step.
- In the same terminal, enter the following commands for each PIDs:
kill {PID}
- Delete the malware files/components.
- In the same Terminal, type the following commands and press enter per line:
sudo rm –R "/Library/Application Support/JavaW/JavaW"
sudo rm –R "/Library/LaunchDaemons/com.JavaW.plist"
sudo rm –R "/Users/{user name}/.JavaW"
sudo -s
rm –R "/private/var/root/.JavaW"
If the malware files/components are not found, please proceed to the next step.
- In the same Terminal, type the following commands and press enter per line:
- Scan your computer with your Trend Micro product to delete files detected as OSX_IWORM.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files.
Did this description help? Tell us how we did.