Mac users should take note of a new malware flavor, dubbed Mac.BackDoor.iWorm, or iWorm, that could let hackers steal data or use infected computers in denial of service attacks on other servers.
iWorm also uses Reddit.com as part of its system, although Reddit itself hasn’t been hacked.
iWorm botnet has hit 18,000 Macs so far.
Once the malware has infected your Mac, it searches Reddit for specific posts the include IP address for servers that can issue it commands. The server then sends instructions back to the infected computer, which could possibly include an additional malware payload.
Reddit has shut down the forum where the posts appeared, however the bad guys could have set up another forum or another service to deliver the server addresses.
iWorm was first reported by anti-virus maker Dr. Web. At this time, they know how it works, but have no idea how it get’s delivered to victim’s Macs.
It’s easy to find out if your Mac has been infected, as the malware stores its files in a directory called “JavaW” inside the “Application Support” folder. To check to see if the folder is present on your Mac, Select “Go” -> “Go to Folder” from the Finder Menu and then enter:
/Library/Application Support/JavaW
If your Mac tells you it can’t find the folder, then everything is cool, and your machine hasn’t been infected. If it does find the folder, then its time to drag out your favorite virus protection tool and clean your system.
Security company Intego suggests a way to watch for iWorm infection on your Mac by adding an alert action to the LaunchDaemons folder where the malware installs some of its payload. Follow these steps:
You’ll now receive an alert dialog any time something new is added to the LaunchDaemons folder. (Note: Other apps can legitimately add items to the folder.)
Until more is known about iWorm follow the usual rules for safe computing, and keep your computer away from places you really shouldn’t go.