In the wake of an attack thought to have infected more than 18,500 Macs, Apple has updated its XProtect malware blacklisting system to block the bug responsible.
The so-called iWorm was disclosed last week by Russian antivirus firm Doctor Web. Interestingly, compromised machines were found to be running searches on Reddit to obtain instructions about which command and control (C&C) servers should be used.
Once it hooks up with the appropriate C&C, it opens up a back door and gets to work stealing sensitive information or installing more malware.
“This isn’t really Reddit’s fault of course,” independent security researcher Graham Cluley noted in a blog. “They’ve done nothing wrong as such, and even if they shut down the accounts that are communicating with the botnet, there would be nothing to stop the hackers behind the campaign from creating new accounts or using an alternative service (Twitter, perhaps?) to communicate with the compromised computers.”
In other words, Reddit isn’t spreading the infection – it’s simply providing a platform that is helping the botmasters communicate with the Mac computers they have managed to infect. So it hasn’t been successful in preventing the spread of the iWorm.
In fact, the botnet had claimed 18,519 unique IP addresses by September 29, according to Dr. Web—even though it’s still unclear just how, exactly, the worm replicates and spreads. It’s clearly targeted to the English-speaking world: about a quarter of the zombie machines were found to be located in the US, followed by about 1,200 Macs each in the UK and Canada.
While the infection isn’t nearly as massive as the 2012 Flashback scourge, which infected about 600,000 Macs via fake Adobe Flash installers and compromised websites containing exploits for Java flaws, the bug is still concerning in its exponential growth and the fact that it targets the closed Apple ecosystem.
To combat the issue, Apple has now updated Xprotect to recognize three different variants of the iWorm malware, labeled OSX.iWorm.A, OSX.iWorm.B and OSX.iWorm.C.
Because Mac malware is quite rare compared to their Windows-focused cousins, Xprotect updates are infrequent and, as Mac Rumours noted, quite rudimentary, with only about 40 threats addressed. Nonetheless, the fixes should prevent iWorm from burrowing in on updated machines.