Home > Threat descriptions >

Backdoor:OSX/Iworm

Classification

Category: Malware

Type: Backdoor

Aliases: Backdoor:OSX/Iworm.A, Trojan-Dropper:OSX/Iworm.A , Mac.BackDoor.iWorm, Mac.OSX.iWorm

Summary


Backdoor:OSX/Iworm connects affected Mac OS X machines to a botnet and is capable of a executing a range of commands. At the time of writing, there have been no reports of the IWorm botnet being used for malicious activities.

Removal


Automatic action

Once detected, the F-Secure security product will automatically handle a harmful program or file by either deleting or renaming it.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


Backdoor:OSX/Iworm is reportedly spread via pirated software downloads. Once present on a machine running the Mac OS X operating system, the malware installs a file in the Library directory and then connects to Reddit's search page.

An unusual feature of this malware and the botnet it connects to is that a specific subreddit was used to distribute the IP addresses of the botnet's command and control (C&C) servers to affected machines. The subreddit has since been cleared of this C&C-related data, and the account used to post the data was shut down.

If the affected machine does successfully connect to the botnet, it is able to carry out a range of instructions, including downloading a file, executing a system instruction and changing its own configuration file. At the time of writing, there have been no reports of the IWorm botnet being used for malicious activities.

Following public reports of the malware, Apple updated OS X's built-in XProtect component to include identification for this malware.