Backdoor.OSX.iWorm.f (Kaspersky), OSX/iWorm (McAfee), Mac.OSX.iWorm.C (F-Secure), Mac.OSX.iWorm.C (BitDefender), OSX/Iservice.AG (ESET), OSX.Luaddit (Symantec)

 PLATFORM:

Mac OSX

 OVER ALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE
Low
Medium
High
Critical

  • Threat Type:
    Backdoor

  • Destructiveness:
    No

  • Encrypted:
    Yes

  • In the wild:
    Yes

  OVERVIEW

INFECTION CHANNEL: Downloaded from the Internet, Dropped by other malware

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

  TECHNICAL DETAILS

File size: меняется
File type: Mach-O
Memory resident: Yes
INITIAL SAMPLES RECEIVED DATE: 06 October 2014
PAYLOAD: Connects to URLs/IPs

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

This malware arrives via the following means:

  • Disguised as a Legit Application Installer downloaded by user

Installation

This backdoor drops the following files:

  • /Library/Application Support/JavaW/JavaW
  • /Library/LaunchDaemons/com.JavaW.plist
  • /Users/{user name}/.JavaW
  • /private/var/root/.JavaW

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

  • Execute scripts
  • Download and execute arbitrary file
  • Sleep
  • Get node information
  • Get Bot ID

Information Theft

This backdoor gathers the following data:

  • UID
  • Opened port

NOTES:

This malware queries the site Reddit to retrieve the list of command-and-control servers from posts:

  • http://reddit.com/search?q={key} where {key} is the first 8 bytes of the hashed MD5 value of the current date.

The list of C&Cs are posted below:

  SOLUTION

Minimum scan engine: 9.700
First VSAPI Pattern File: 11.194.04
First VSAPI Pattern Release Date: 06 October 2014
VSAPI OPR PATTERN-VERSION: 11.195.00
VSAPI OPR PATTERN DATE: 07 October 2014

NOTES:

  1. Scan using Trend Micro product and take note of the folder where this malware is detected.
  2. Identify and terminate the malware process using the noted folder in the previous step:
    • Open the Terminal. Click on Applications>Utilities>Terminal or type Terminal in Spotlight.
    • Type the following in the terminal:
      ps –A
    • Look for the detected files and take note of their PIDs. If the detected files are not found to be running, please proceed to the next step.
    • In the same terminal, enter the following commands for each PIDs:
      kill {PID}
  3. Delete the malware files/components.
    • In the same Terminal, type the following commands and press enter per line:
      sudo rm –R "/Library/Application Support/JavaW/JavaW"
      sudo rm –R "/Library/LaunchDaemons/com.JavaW.plist"
      sudo rm –R "/Users/{user name}/.JavaW"
      sudo -s
      rm –R "/private/var/root/.JavaW"

      If the malware files/components are not found, please proceed to the next step.
  4. Scan your computer with your Trend Micro product to delete files detected as OSX_IWORM.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files.


Did this description help? Tell us how we did.