Apple updates definitions to prevent “iWorm” botnet malware on Macs

Among other items, the XProtect list now includes several iWorm variants.
Andrew Cunningham

In case you missed it over the weekend, MacRumors reports that Apple has updated OS X's built-in XProtect malware definitions list to include the Mac.BackDoor.iWorm malware we reported on late last week. The iWorm malware allegedly managed to infect more than 17,000 Macs worldwide, and it was apparently using a (now closed) Minecraftserverlists board on reddit to distribute the IP addresses of control servers to infected Macs.

XProtect was first introduced to OS X in Snow Leopard in response to the MacDefender malware that managed to infect some OS X systems back in 2011. While the complete list is only 40 items long as of this writing, OS X silently checks for XProtect updates daily, and Apple also uses the list to mandate the usage of up-to-date versions of Java and Flash. While XProtect doesn't do anything to clean existing infections, it can prevent new ones by telling users explicitly that they're attempting to install known malware.

Dr. Web, the antivirus vendor that first reported the existence of both the malware and the botnet, recommends that you buy its products to scan for and delete malware that may already be on your computer—researchers at antivirus companies can get the word out about new vulnerabilities, but they don't do it out of the goodness of their hearts. Developer Jacob Salmela has some instructions that can help you delete the malware manually.

Read on Ars Technica | Comments

More Mac malware – top tips for avoiding infection

More Mac scareware appeared overnight, with the cybercrooks following the same sort of strategy which has worked so well on Windows: regularly change the look and feel of the fake anti-virus software; use legitimate-sounding brand names (or steal genuine product names); stick to a price-point between $50 and $100; keep the fear factor high; but keep the core programming very similar so development costs are negligible.

Scareware, or fake anti-virus, is fake security software which pretends to find dangerous security threats – such as viruses – on your computer. The initial scan is free, but if you want to clean up the fraudulently-reported “threats”, you need to pay.

Once you’ve paid, the scareware stops lying to you about the non-existent threats, as though it really did clean them up. This means that many victims of this sort of fraud don’t even realise they’ve been duped. Until next time.

These latest OS X scareware variants come from the MacDefender stable, though they identify themselves during startup as Mac Shield:

Once activated, the software pretends to look through your files, pretends to find malware, and invites you to clean up:

But the cleanup isn’t free – you’re required to register:

Registration means payment. The minimum you can get away with is $59.95. But for just $40 more, you can get a lifetime software licence and lifetime support – which would be a good deal, were it not for the fact that the software is completely fraudulent, that the “lifetime” of the software ends tomorrow when the crooks move on to the next bogus brand name, and that there’s nothing to support, since there was no malware in the first place.

You even get a 30-day money back guarantee. Good luck claiming it.

Here are some top anti-scareware tips for Apple users:

* If you use Safari, turn OFF the open “safe” files after downloading option. This stops files such as the ZIP-based installers favoured by scareware authors from running automatically if you accidentally click their links.

* Don’t rely on Apple’s built-in XProtect malware detector. It’s better than nothing, but it only detects viruses using basic techniques, and under a limited set of conditions. For example, malware on a USB key would go unnoticed, as would malware already on your Mac. And it only updates once in 24 hours, which probably isn’t enough any more.

* Install genuine anti-virus software. Ironically, the Apple App Store is a bad place to look – any anti-virus sold via the App Store is required by Apple’s rules to exclude the kernel-based filtering component (known as a real-time or on-access scanner) needed for reliable virus prevention.

* Religiously refuse any anti-malware software which offers a free scan but forces you to pay for cleanup. Reputable brands don’t do this – an anti-virus evaluation should let you try out detection and disinfection before you buy.

Macworld's Editor's ChoiceIn a recent Sophos poll, 89% of respondents said they’d recommend their Mac-owning friends and family to use anti-virus software. Why not take their advice, and get Sophos Anti-Virus for Mac Home Edition today?

DownloadFree Anti-Virus for Mac
Download Sophos Anti-Virus for Mac Home Edition

It’s free – no registration, no signup, and no password needed. It detects, prevents and cleans up malware infections.

Note: the Mac Shield scareware described here was detected proactively by Sophos Anti-Virus as OSX/FakeAV-DWN. Apple subsequently added detection to the XProtect system, using the name “OSX.MacDefender.F”.

Apple to malware authors: Tag, you’re It!

Apple XLast night the malware authors behind the Mac Guard fake anti-virus changed their methods again to bypass the updates Apple released yesterday afternoon to protect OS X Snow Leopard users.

Apple fired back shortly after 2 p.m. Pacific Daylight Time today with a new update to XProtect. Computers that have Apple update 2011-003 for Snow Leopard now check for updates every 24 hours.

XProtect update stamp

As the cat-and-mouse game continues it will be interesting to see how the attackers proceed. The major change to bypass Apple’s detection yesterday was to use a small downloader program to do the initial infection, then have that program retrieve the actual malware payload.

This approach may be successful as it will be easier for the malware authors to continually make small changes to the downloader program to evade detection while leaving the fake anti-virus program largely unchanged.

Why is this important? Apple’s XProtect is not a full anti-virus product with on-access scanning. XProtect only scans files that are marked by browsers and other tools as having been downloaded from the internet.

If the bad guys can continually mutate the download, XProtect will not detect it and will not scan the files downloaded by this retrieval program. Additionally, XProtect is a very rudimentary signature-based scanner that cannot handle sophisticated generic update definitions.

Apple now detects this malware as OSX.MacDefender.C. Sophos Anti-Virus for Mac detects individual components of this malware as OSX/FakeAV-DWK, OSX/FakeAV-DWN, OSX/FakeAvDl-A and OSX/FakeAVZp-C.

OSX.MacDefender.C detection

It also appears that this malware is using the tried-and-true affiliate distribution method. The writers recruit other people to perform black-hat SEO, infect web pages and post blog spam and assign each one a unique affiliate ID to use in the URL for their traffic.

This allows the criminals to track which affiliate referred the victim and pay them a commission upon purchase of the fake software, enabling the criminals to cast a much wider net by sharing a portion of the profits with their “affiliates.”

Considering that XProtect only updates once a day, and only on OS X 10.6 Snow Leopard, I recommend users install a proper anti-virus tool. If you want to make sure Apple’s solution is up to date you can open a terminal on your Mac and type the following command:


Even if I didn’t work for a security company, I would install a proper anti-virus tool rather than hope that Apple provides an update every time a new threat appears. We make our Sophos Anti-Virus for Mac Home Edition available absolutely free. No registrations, no email, just free protection.

Thank you to Naked Security reader Patrick Fergus for the tip about Apple’s update to XProtect and Mrs. W. for carving our delicious apple with a perfect X.