Jump to content

iWorm Method of Infection Found!

Builder
 Share

http://www.thesafemac.com/iworm-method-of-infection-found/

 

 

 

On Thursday, I wrote about new malware called iWorm. This morning I awoke to find an e-mail waiting for me in my Inbox from someone who wished to remain anonymous. This person indicated that he had found installers for the new iWorm malware. He pointed me to the downloads offered by a user named “aceprog” on PirateBay.

On this user’s PirateBay page, I found installers for a number of different commercial products, such as Adobe Photoshop, Adobe Illustrator, Microsoft Office and Parallels. Actually downloading one of these things was a maze of clicks and redirects to adware sites, but I finally settled on installing a torrent client and using the torrent download link, which gave me a stolen copy of Photoshop CC 2014.

The item that got downloaded included some unsavory items that could be installed or opened to allow the stolen copy of Photoshop to run without a valid license, and although you couldn’t pay me to use any of these things on a real system, none of them turned out to be the problem. It turned out that the official-looking Photoshop installer had been modified:

iWorm-installer.png

TL;DR The iWorm spreads through a modified copy of the Photoshop CC installer found on The Pirate Bay.

 

 

 

Submitting the three executable files inside the installer to VirusTotal revealed that the one titled “0” was detected by only a small handful (3) of anti-virus engines. The other two were not detected as malicious at all. Presumably the “Install” executable is legit, but I’m left wondering about the “1” item.

I wasn’t sure what to expect when opening the file. One would hope that modifications to the app would result in the app being identified by Mac OS X as damaged, since the installer was signed. (The cryptographic signature on Mac OS X apps is meant to verify that the app was made by a particular developer and that it has not been modified.) However, opening the Install app resulted in a different warning:

iWorm-installer-2.png

@LAwLz a great example of Gatekeeper doing its job. Basically OS X's Gatekeeper security feature stopped this thing at the door.

 

WOT incoming.

 

 

 

This is further puzzling, since the app appears to have a code signature. However, running
codesign -vv
on the Install app reported that the app was not signed. At this point, I overrode the Gatekeeper restrictions for this app and forced Mac OS X to run it anyway.

The very first thing that happened when I opened the app was that I was asked for my admin password. I provided it, and an official-looking Adobe installer started up, but by then the damage was done. The instant I provided the password, the iWorm malware was installed.

Looking at fs_usage output (which provides detailed information on file system activity – such as file and folder creation), it appears that the only things added to the system by the “0” executable are the following items:

/Library/Application Support/JavaW/JavaW/Library/LaunchDaemons/com.JavaW.plist
The com.JavaW.plist file simply runs the JavaW process at startup, ensuring that the malware is constantly running in the background.

I reset my test system to a clean state, then ran the installer again, but this time I clicked the Cancel button when asked for my admin password. In this case, the malware was not installed at all.

There has been some speculation that a Java vulnerability may be involved, probably based on the “JavaW” name. However, at this point, it looks like this is far more prosaic. It’s just a trojan in the form of pirated software that has been modified.

The moral of the story? Never engage in software piracy. This single piece of malware is FAR from the only thing you can get infected with while installing stolen software. Torrents and sites like PirateBay should be avoided at all costs. If you cannot afford to pay for a piece of software or a movie or something similar, do without. Downloading such things for free often come with LOTS of strings attached.

I am also submitting this to Apple’s product security team… hopefully we will see an update to XProtect shortly.

The app is not signed by an authorized developer. (surprise, surprise) It suspiciously asks you for your admin password immediately upon opening. It creates two folders that start a process called JavaW on boot so that it's always running. If you click the cancel button the malware does not install, even if you've opened the tainted package.

 

XProtect was updated earlier this morning to throw up an alert for this infection which I wrote a thread about here.

"You have got to be the biggest asshole on this forum..."

-GingerbreadPK

sudo rm -rf /

Link to comment
Share on other sites

Link to post
Share on other sites

finally a good news post

My Rig  

 
PCPartPicker part list: http://ca.pcpartpicker.com/p/kGNksY

 

CPU: Intel Core i7-4770 3.4GHz Quad-Core Processor  ($379.00 @ shopRBC) 

CPU Cooler: RAIJINTEK THEMIS 65.7 CFM Sleeve Bearing CPU Cooler  ($34.99 @ NCIX) 

Motherboard: MSI CSM-H87M-G43 Micro ATX LGA1150 Motherboard  ($78.83 @ DirectCanada) 

Memory: Kingston HyperX 16GB (4 x 4GB) DDR3-1600 Memory  ($139.99 @ Memory Express) 

Storage: Kingston Fury 120GB 2.5" Solid State Drive  ($71.34 @ DirectCanada) 

Storage: Seagate Barracuda 2TB 3.5" 7200RPM Internal Hard Drive  ($92.95 @ Vuugo) 

Video Card: Gigabyte Radeon R9 280X 3GB Video Card  ($298.98 @ Newegg Canada) 

Case: Fractal Design Define R4 w/Window (Black Pearl) ATX Mid Tower Case  ($125.98 @ Newegg Canada) 

Power Supply: Corsair CX 600W 80+ Bronze Certified Semi-Modular ATX Power Supply  ($66.99 @ NCIX) 

Operating System: Microsoft Windows 8.1 - 64-bit (OEM) (64-bit)  ($116.00 @ shopRBC) 

Case Fan: Cougar Turbine 120 (4-Pack) 60.4 CFM 120mm  Fans  ($23.99 @ NCIX) 

Monitor: HP 22xi 60Hz 21.5" Monitor  ($187.11 @ Amazon Canada) 

Monitor: HP 22xi 60Hz 21.5" Monitor  ($187.11 @ Amazon Canada) 

Keyboard: Logitech G710 Wired Gaming Keyboard  ($114.99 @ NCIX) 

Mouse: Razer DeathAdder 2013 Wired Optical Mouse  ($76.99 @ Amazon Canada) 

Headphones: Kingston HyperX Cloud Pro Headset  ($78.98 @ DirectCanada) 

Total: $2074.22

Prices include shipping, taxes, and discounts when availableGenerated by PCPartPicker 2015-04-10 15:33 EDT-0400Build log http://linustechtips.com/main/topic/303263-the-dell-from-hell/#entry4121100 

Phone Compassion Spreadsheet https://docs.google.com/spreadsheets/d/1EN6s426gyxqPloIqT4wQ7Y7yovkkQy_5B3djVN-N-R8/edit#gid=0


Gta V Pc Online Crew http://linustechtips.com/main/topic/344773-unofficial-linus-tech-tips-gta-v-crew-pc/

Link to comment
Share on other sites

Link to post
Share on other sites

Just goes to show that the best 'anti virus' is common sense. Who in their right mind would run unsigned applications distributed via shady P2P release groups?

Also, I'm glad to see Gatekeeper being on top of threats. Although sadly, there isn't a Linux alternative that I know of that works in a similar fashion.

 

Yes Linux has AppArmor and SELinux, but they are far from perfect.

▶ Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning. - Einstein◀

Please remember to mark a thread as solved if your issue has been fixed, it helps other who may stumble across the thread at a later point in time.

Link to comment
Share on other sites

Link to post
Share on other sites

Yeah unsigned stuff is asking for trouble.

cpu: intel i5 4670k @ 4.5ghz Ram: G skill ares 2x4gb 2166mhz cl10 Gpu: GTX 680 liquid cooled cpu cooler: Raijintek ereboss Mobo: gigabyte z87x ud5h psu: cm gx650 bronze Case: Zalman Z9 plus


Listen if you care.

Cpu: intel i7 4770k @ 4.2ghz Ram: G skill  ripjaws 2x4gb Gpu: nvidia gtx 970 cpu cooler: akasa venom voodoo Mobo: G1.Sniper Z6 Psu: XFX proseries 650w Case: Zalman H1

Link to comment
Share on other sites

Link to post
Share on other sites

Did we really need two threads about this?

I chuckled when the guy who wrote that had trouble downloading the torrent. Probably clicked on all of those ads which says "download".

So the iWorm was just a Trojan in the end? Kind of a misleading name... It's nice to see that Apple has already added it to their built in anti-malware protection.

 

 

Ah the power of Unix and the stupidity of man. If you're gonna pirate something, run the executable through objdump first.

I don't really see how "the power of Unix" has anything to do with it, but I agree that the blame is on the users.

Moral of the story? Don't give admin privilege to shady software.

Link to comment
Share on other sites

Link to post
Share on other sites

Did we really need two threads about this?

One's about Apple, the other's about the infection method.

 

I thought it was warranted, yes.

"You have got to be the biggest asshole on this forum..."

-GingerbreadPK

sudo rm -rf /

Link to comment
Share on other sites

Link to post
Share on other sites

 

I chuckled when the guy who wrote that had trouble downloading the torrent. Probably clicked on all of those ads which says "download".

 

Sadly this was my main take away from this story. I don't understand how he struggled to download from a torrent site as mainstream as TPB.

 

Doesn't SmartScreen on Windows 8 do something similar to gatekeeper? I wouldn't know as I disabled it but I'd imagine its roll is something similar it certainly seemed to function that way right before I disabled it xD.

I'm not sure but it would seem like a great feature to keep amateur PC users safer.

 

As usual though it seems any decent security practice would have kept you safe from this and Apple did pretty much everything by the book kudos to them.

Great post @Builder

Like E-Sports? Check out the E-Sports forum for competitive click click pew pew

Like Anime? Check out Heaven Society the forums local Anime club

I was only living because it was too much trouble to die.

 

Link to comment
Share on other sites

Link to post
Share on other sites

Sadly this was my main take away from this story. I don't understand how he struggled to download from a torrent site as mainstream as TPB.

 

Doesn't SmartScreen on Windows 8 do something similar to gatekeeper? I wouldn't know as I disabled it but I'd imagine its roll is something similar it certainly seemed to function that way right before I disabled it xD.

I'm not sure but it would seem like a great feature to keep amateur PC users safer.

 

As usual though it seems any decent security practice would have kept you safe from this and Apple did pretty much everything by the book kudos to them.

Great post @Builder

 

 

Yup, although what can also happen is someone needs to disable gatekeeper for a legitimate reason, and then just forget to turn it back on.

Same as Smartscreen and UAC in Windows.

 

User error the majority of the time.

5950X | NH D15S | 64GB 3200Mhz | RTX 3090 | ASUS PG348Q+MG278Q

 

Link to comment
Share on other sites

Link to post
Share on other sites

Sadly this was my main take away from this story. I don't understand how he struggled to download from a torrent site as mainstream as TPB.

 

As usual though it seems any decent security practice would have kept you safe from this and Apple did pretty much everything by the book kudos to them.

Great post @Builder

I have to say even I know how to torrent from TPB and I'm not a pirate. I've used it to download LaTeX on Windows once.

"You have got to be the biggest asshole on this forum..."

-GingerbreadPK

sudo rm -rf /

Link to comment
Share on other sites

Link to post
Share on other sites

TIL people who download from Pirate Bay leave on a security feature that blocks downloads from Pirate Bay

 

So... This is why I don't pirate. Okay then.

Link to comment
Share on other sites

Link to post
Share on other sites

I don't really see this as much of an issue due to reading the comments of each torrent and looking at the user feedback. However, I do see how this could be a concern for mac osx users who don't usually encounter such things. If you must pirate, go with the trusted distributors that are known to give out 'clean' torrents.

Link to comment
Share on other sites

Link to post
Share on other sites

I don't really see this as much of an issue due to reading the comments of each torrent and looking at the user feedback. However, I do see how this could be a concern for mac osx users who don't usually encounter such things. If you must pirate, go with the trusted distributors that are known to give out 'clean' torrents.

It's not a concern anymore because both Gatekeeper and XProtect block it.

"You have got to be the biggest asshole on this forum..."

-GingerbreadPK

sudo rm -rf /

Link to comment
Share on other sites

Link to post
Share on other sites

It's not a concern anymore because both Gatekeeper and XProtect block it.

That's like saying Trojan horses aren't a concern on Windows because UAC blocks them.

It's still a concern because:

1) Apple discourages things like anti-virus software and Mac users often think of themselves as invulnerable to malware.

2) People who pirate things will probably ignore warnings like this because "it's just them trying to make me buy the product".

 

Trojans are still a concern on OS X, but Apple can't really do anything more than they have already done (on the OS side). The only thing left is educate their users and that's sadly something Apple has actively been fighting against for the past years (their marketing department shouting that there are no viruses for OS X and such).

Link to comment
Share on other sites

Link to post
Share on other sites

That's like saying Trojan horses aren't a concern on Windows because UAC blocks them.

It's still a concern because:

1) Apple discourages things like anti-virus software and Mac users often think of themselves as invulnerable to malware.

2) People who pirate things will probably ignore warnings like this because "it's just them trying to make me buy the product".

 

Trojans are still a concern on OS X, but Apple can't really do anything more than they have already done (on the OS side). The only thing left is educate their users and that's sadly something Apple has actively been fighting against for the past years (their marketing department shouting that there are no viruses for OS X and such).

I don't believe they've ever said you can't get viruses...just that you won't.

 

That's mostly true. There are far fewer infections for OS X period and short of that an even smaller number of them have been actual exploits and not just trojans. Apple created XProtect because it was basically the only affliction of their system so they figured they'd try to get rid of it.

 

You can't override XProtect. If it detects a trojan, it overrides user input and securely deletes the file. It works really well when they update the definitions in a timely fashion. They didn't use to update them quick enough but I'm hoping this means they'll speed it up in the future.

 

I honestly don't have sympathy for people who get viruses from pirated content. You break the law, you pay the price. If you don't want to pay for content it's a risk that should always be kept in mind. Apple can't make people stop pirating shit so they just have to do their best at stopping it when bad shit happens.

 

I don't consider myself invulnerable to malware on a Mac, I had to run an Adware uninstalling script once but that's my fault because BitTorrent is a piece of shit and makes it look like you have to install "Spigot" to use the product. 

 

Obviously I don't personally believe there's much more they can do. It's completely reasonable to expect few to none infections on an OS X install.

"You have got to be the biggest asshole on this forum..."

-GingerbreadPK

sudo rm -rf /

Link to comment
Share on other sites

Link to post
Share on other sites

I don't believe they've ever said you can't get viruses...just that you won't.

They word for word said "It doesn't get PC viruses. A Mac isn't susceptible to the thousands of viruses plaguing Windows-based computers. That's thanks to built-in defenses in Mac OS X that keeps you safe, without any work on your part".

They also had a headline which said "download with peace of mind" and then talked about not having to worry about which files you download. After the flashback incident they changed this to "it's built to be safe".

sophos.jpg

While none of their statements are strictly wrong if you read them word for word, I think it's pretty obvious that it has made your average Mac user think of their computer as an impenetrable fortress.

That's why I said Apple have been fighting against educating their users. Microsoft has published hundreds of articles about viruses on their own website. How to protect yourself, what they are and how to remove them. As far as I can see, the only things Apple have said about viruses is how secure OS X is. It gives people a false sense of security, which is very dangerous. They also got a really short summary of "what is malware" on their website which just tells you to delete something you think is malware. Not that helpful.

Hell, Apple even told their employees to not help customers that were infected with MacDefender.

Link to comment
Share on other sites

Link to post
Share on other sites

i only have Photoshop Lightroom on my Mac, got it for free when i bought my Samsung NX2000, should I be worried?

2017 Macbook Pro 15 inch

Link to comment
Share on other sites

Link to post
Share on other sites

i only have Photoshop Lightroom on my Mac, got it for free when i bought my Samsung NX2000, should I be worried?

No, this is only affects just some pirated versions.

Link to comment
Share on other sites

Link to post
Share on other sites

A very interesting post, and part of the reason why I don't pirate things anymore. Although if I had better knowledge of things like this, I might.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs

Link to comment
Share on other sites

Link to post
Share on other sites

They word for word said "It doesn't get PC viruses. A Mac isn't susceptible to the thousands of viruses plaguing Windows-based computers. That's thanks to built-in defenses in Mac OS X that keeps you safe, without any work on your part".

They also had a headline which said "download with peace of mind" and then talked about not having to worry about which files you download. After the flashback incident they changed this to "it's built to be safe".

While none of their statements are strictly wrong if you read them word for word, I think it's pretty obvious that it has made your average Mac user think of their computer as an impenetrable fortress.

That's why I said Apple have been fighting against educating their users. Microsoft has published hundreds of articles about viruses on their own website. How to protect yourself, what they are and how to remove them. As far as I can see, the only things Apple have said about viruses is how secure OS X is. It gives people a false sense of security, which is very dangerous. They also got a really short summary of "what is malware" on their website which just tells you to delete something you think is malware. Not that helpful.

Hell, Apple even told their employees to not help customers that were infected with MacDefender.

If this is any indication it's pretty clear that all of those statements are true. They don't get PC viruses because PC viruses only work on Windows. Notice with this XProtect updated silently in the background and now the issue is resolved. There are tons of help articles on malware provided by Apple.

 

The bottom line of this is that it is far more difficult to infect yourself on a Mac than on a PC. You can deny this all you'd like but it is a fact of my experience with the matter and the experience of many fellow Mac users that infections simply don't happen on Macs. You have Flashback, sure. That's an isolated case, and admittedly they handled it badly but it's one case. There are so many more cases of it happening on Windows PCs that comparing them is silly. 

 

Here's what I'll say about Apple and security:

-Historically and currently, it is more difficult to get an infection on a machine running Apple OS X than Microsoft Windows.

-That being said, Apple has never been fantastic at updating things speedily. I hope their speedy response to this and the iCloud leak is a sign that this is changing.

-They tell their users that their products are not susceptible to PC viruses, which is completely true.

-They do have great built-in security features that it is very easy to educate yourself on.

 

At this point you're attacking Apple for not educating their customers about trojans. They've already gone about as far as they can technologically speaking while still maintaining a convenient system, you yourself admitted this earlier. Customers do not want to educate themselves about this kind of thing. If they did "password" would not still be the most popular password. They do in fact offer materials on the subject of protecting yourself from malware, what malware is, and even how to harden your OS X install so it's nearly impenetrable. (that last one does cut out a lot of convenience, which is why it's not a default)

 

They can't force their customers to read the stuff they already have out on the subject. I can tell you right now that almost nobody normal reads those Microsoft articles either. They do not need to educate their users on malware as much because statistically speaking it's still far more difficult to infect yourself on OS X. If you're going to deny that at this point there's honestly not much more I can say.

"You have got to be the biggest asshole on this forum..."

-GingerbreadPK

sudo rm -rf /

Link to comment
Share on other sites

Link to post
Share on other sites

If this is any indication it's pretty clear that all of those statements are true. They don't get PC viruses because PC viruses only work on Windows. Notice with this XProtect updated silently in the background and now the issue is resolved. There are tons of help articles on malware provided by Apple.

 

The bottom line of this is that it is far more difficult to infect yourself on a Mac than on a PC. You can deny this all you'd like but it is a fact of my experience with the matter and the experience of many fellow Mac users that infections simply don't happen on Macs. You have Flashback, sure. That's an isolated case, and admittedly they handled it badly but it's one case. There are so many more cases of it happening on Windows PCs that comparing them is silly. 

 

Here's what I'll say about Apple and security:

-Historically and currently, it is more difficult to get an infection on a machine running Apple OS X than Microsoft Windows.

-That being said, Apple has never been fantastic at updating things speedily. I hope their speedy response to this and the iCloud leak is a sign that this is changing.

-They tell their users that their products are not susceptible to PC viruses, which is completely true.

-They do have great built-in security features that it is very easy to educate yourself on.

 

At this point you're attacking Apple for not educating their customers about trojans. They've already gone about as far as they can technologically speaking while still maintaining a convenient system, you yourself admitted this earlier. Customers do not want to educate themselves about this kind of thing. If they did "password" would not still be the most popular password. They do in fact offer materials on the subject of protecting yourself from malware, what malware is, and even how to harden your OS X install so it's nearly impenetrable. (that last one does cut out a lot of convenience, which is why it's not a default)

 

They can't force their customers to read the stuff they already have out on the subject. I can tell you right now that almost nobody normal reads those Microsoft articles either. They do not need to educate their users on malware as much because statistically speaking it's still far more difficult to infect yourself on OS X. If you're going to deny that at this point there's honestly not much more I can say.

Yes I know all those statements are technically true, but you are ignoring the fact that they are deliberately made to give their customers a false sense of security. That's very very bad.

The more people think they are invincible, the more stupid things they will make. The more people know about the dangers, the more careful they will be.

 

I like how you say I "admitted" that they have gone as far as they can on the OS side, as if I was trying to hide it or something (since admit implies reluctance). I have absolutely no problem giving Apple credit for good things. I have absolutely no problem giving any company credit if I think they deserve it, when I look at it as objectively as I can. I don't have any problem giving any company crap if I think they have done something bad either. So please stop implying that I am on some kind of crusade against Apple, since I don't treat them any differently than any other company.

 

I agree that you can't force consumers to read about this stuff, but telling them that they don't have to worry and that OS X will keep them safe without them having to think about it does more harm than good to the consumers.

There is a difference between educating people, and encouraging people to not educate themselves.

Link to comment
Share on other sites

Link to post
Share on other sites

Yes I know all those statements are technically true, but you are ignoring the fact that they are deliberately made to give their customers a false sense of security. That's very very bad.

The more people think they are invincible, the more stupid things they will make. The more people know about the dangers, the more careful they will be.

 

I agree that you can't force consumers to read about this stuff, but telling them that they don't have to worry and that OS X will keep them safe without them having to think about it does more harm than good to the consumers.

There is a difference between educating people, and encouraging people to not educate themselves.

I don't think they're encouraging people not to educate themselves. I guess that's where we disagree. I don't think the sense of security is false either. Even with this it's largely true that you didn't have to do anything about it, those that were infected should now know, (XProtect will tell them) and then the problem will be almost resolved.

 

I think they have a long way to go too. They need to be more transparent about their security practices and they need to get on stuff like this iWorm as fast as they did this time every time. The guy who writes for TheSafeMac submits all his signatures to them and only recently have they really gotten on it. I think Apple is far from perfect, but where we differ is that I think they still have more to do besides educating their users.

"You have got to be the biggest asshole on this forum..."

-GingerbreadPK

sudo rm -rf /

Link to comment
Share on other sites

Link to post
Share on other sites

Reason I don't visit TPB. Or really any torrent sites for that matter.

Someone told Luke and Linus at CES 2017 to "Unban the legend known as Jerakl" and that's about all I've got going for me.

Link to comment
Share on other sites

Link to post
Share on other sites

Yes I know all those statements are technically true, but you are ignoring the fact that they are deliberately made to give their customers a false sense of security. That's very very bad.

The more people think they are invincible, the more stupid things they will make. The more people know about the dangers, the more careful they will be.

 

 

If you try to deactivate security measures, they warn you, that this makes your Mac less secure. How is this giving their customers a false sense of security?

It is impossible to stop simple malware like "iworm" to be installed, when a user has to actively deactivate security measures and enter their admin password to confirm the installation.

 

You don't blame your car manufacturer, when your car has been stolen, after you left it open and the key in the ignition, that their cars are insecure.

Mini-Desktop: NCASE M1 Build Log
Mini-Server: M350 Build Log

Link to comment
Share on other sites

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share


×