
iWorm Method of Infection Found!

Builder

http://www.thesafemac.com/iworm-method-of-infection-found/


On Thursday, I wrote about new malware called iWorm. This morning I awoke to find an e-mail waiting for me in my Inbox from someone who wished to remain anonymous. This person indicated that he had found installers for the new iWorm malware. He pointed me to the downloads offered by a user named “aceprog” on PirateBay.

On this user’s PirateBay page, I found installers for a number of different commercial products, such as Adobe Photoshop, Adobe Illustrator, Microsoft Office and Parallels. Actually downloading one of these things was a maze of clicks and redirects to adware sites, but I finally settled on installing a torrent client and using the torrent download link, which gave me a stolen copy of Photoshop CC 2014.

The item that got downloaded included some unsavory items that could be installed or opened to allow the stolen copy of Photoshop to run without a valid license, and although you couldn’t pay me to use any of these things on a real system, none of them turned out to be the problem. It turned out that the official-looking Photoshop installer had been modified:

[Image: iWorm-installer.png]

TL;DR The iWorm spreads through a modified copy of the Photoshop CC installer found on The Pirate Bay.


Submitting the three executable files inside the installer to VirusTotal revealed that the one titled “0” was detected by only a small handful (3) of anti-virus engines. The other two were not detected as malicious at all. Presumably the “Install” executable is legit, but I’m left wondering about the “1” item.

I wasn’t sure what to expect when opening the file. One would hope that modifications to the app would result in the app being identified by Mac OS X as damaged, since the installer was signed. (The cryptographic signature on Mac OS X apps is meant to verify that the app was made by a particular developer and that it has not been modified.) However, opening the Install app resulted in a different warning:

[Image: iWorm-installer-2.png]

@LAwLz a great example of Gatekeeper doing its job. Basically OS X's Gatekeeper security feature stopped this thing at the door.


WOT incoming.


This is further puzzling, since the app appears to have a code signature. However, running codesign -vv on the Install app reported that the app was not signed. At this point, I overrode the Gatekeeper restrictions for this app and forced Mac OS X to run it anyway.

The very first thing that happened when I opened the app was that I was asked for my admin password. I provided it, and an official-looking Adobe installer started up, but by then the damage was done. The instant I provided the password, the iWorm malware was installed.

Looking at fs_usage output (which provides detailed information on file system activity – such as file and folder creation), it appears that the only things added to the system by the “0” executable are the following items:

/Library/Application Support/JavaW/JavaW

/Library/LaunchDaemons/com.JavaW.plist

The com.JavaW.plist file simply runs the JavaW process at startup, ensuring that the malware is constantly running in the background.

I reset my test system to a clean state, then ran the installer again, but this time I clicked the Cancel button when asked for my admin password. In this case, the malware was not installed at all.

There has been some speculation that a Java vulnerability may be involved, probably based on the “JavaW” name. However, at this point, it looks like this is far more prosaic. It’s just a trojan in the form of pirated software that has been modified.

The moral of the story? Never engage in software piracy. This single piece of malware is FAR from the only thing you can get infected with while installing stolen software. Torrents and sites like PirateBay should be avoided at all costs. If you cannot afford to pay for a piece of software or a movie or something similar, do without. Downloading such things for free often comes with LOTS of strings attached.

I am also submitting this to Apple’s product security team… hopefully we will see an update to XProtect shortly.

The app is not signed by an authorized developer. (surprise, surprise) It suspiciously asks you for your admin password immediately upon opening. It creates two folders that start a process called JavaW on boot so that it's always running. If you click the cancel button the malware does not install, even if you've opened the tainted package.

 

XProtect was updated earlier this morning to throw up an alert for this infection which I wrote a thread about here.

"You have got to be the biggest asshole on this forum..."

-GingerbreadPK

sudo rm -rf /
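The persistence mechanism described in the quoted write-up (a LaunchDaemon plist that starts a binary living under /Library/Application Support at boot) is the kind of thing a defender can audit for directly. The following is an added example, not code from TheSafeMac or from anyone in this thread: a small Python audit that parses every plist in a LaunchDaemons directory and flags entries that match the iWorm indicators named above (the com.JavaW label and the JavaW support directory) or that more generally run a RunAtLoad daemon out of Application Support. The sample plists it builds are constructed for the demonstration; the actual key contents of the real com.JavaW.plist are not given on the page, so the ProgramArguments/RunAtLoad/KeepAlive values are assumptions.

```python
import os
import plistlib
import tempfile
from typing import Dict, List

# Indicators taken from the quoted analysis: the LaunchDaemon label and the
# directory the JavaW binary was dropped into.
IWORM_LABEL = "com.JavaW"
IWORM_SUPPORT_DIR = "/Library/Application Support/JavaW"


def launch_daemon_program(plist: Dict) -> str:
    """Return the executable a launchd plist runs: Program, else the first ProgramArguments entry."""
    if "Program" in plist:
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def audit_launch_daemons(daemon_dir: str) -> List[Dict[str, str]]:
    """Scan a LaunchDaemons directory and report plists worth a closer look."""
    findings = []
    for name in sorted(os.listdir(daemon_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(daemon_dir, name)
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)  # handles both XML and binary plists
        except Exception as exc:
            # A daemon plist launchd cannot parse is itself suspicious enough to report.
            findings.append({"file": name, "label": "", "program": "", "reason": f"unparseable plist: {exc}"})
            continue
        label = str(plist.get("Label", ""))
        program = launch_daemon_program(plist)
        reasons = []
        if label == IWORM_LABEL or program.startswith(IWORM_SUPPORT_DIR):
            reasons.append("matches iWorm indicator (JavaW label/path)")
        if program.startswith("/Library/Application Support/") and plist.get("RunAtLoad"):
            reasons.append("RunAtLoad daemon executing from Application Support")
        if reasons:
            findings.append({"file": name, "label": label, "program": program, "reason": "; ".join(reasons)})
    return findings


def build_sample_daemon_dir() -> str:
    """Constructed sample directory: one ordinary daemon and one mimicking the iWorm plist.

    The key/value contents are assumptions for the demo, not the real malware's plist.
    """
    d = tempfile.mkdtemp(prefix="launchdaemons_")
    samples = {
        "com.example.backup.plist": {
            "Label": "com.example.backup",
            "ProgramArguments": ["/usr/local/bin/backup", "--nightly"],
            "StartInterval": 86400,
        },
        "com.JavaW.plist": {
            "Label": IWORM_LABEL,
            "ProgramArguments": [IWORM_SUPPORT_DIR + "/JavaW"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
    }
    for fname, content in samples.items():
        with open(os.path.join(d, fname), "wb") as fh:
            plistlib.dump(content, fh)
    return d


if __name__ == "__main__":
    # On a real Mac you would point this at /Library/LaunchDaemons instead.
    for hit in audit_launch_daemons(build_sample_daemon_dir()):
        print(f"{hit['file']}: {hit['reason']} (program={hit['program']!r})")
```

The generic Application Support check will also surface legitimate third-party daemons, so treat its output as a review list rather than a verdict; the point is that a RunAtLoad daemon is the persistence hook this sample relied on, and it is cheap to enumerate.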


finally a good news post


finally a good news post

Why thank you!


Just goes to show that the best 'anti virus' is common sense. Who in their right mind would run unsigned applications distributed via shady P2P release groups?

Also, I'm glad to see Gatekeeper being on top of threats. Although sadly, there isn't a Linux alternative that I know of that works in a similar fashion.

 

Yes Linux has AppArmor and SELinux, but they are far from perfect.


Yeah unsigned stuff is asking for trouble.


Did we really need two threads about this?

I chuckled when the guy who wrote that had trouble downloading the torrent. Probably clicked on all of those ads which say "download".

So the iWorm was just a Trojan in the end? Kind of a misleading name... It's nice to see that Apple has already added it to their built in anti-malware protection.

 

 

Ah the power of Unix and the stupidity of man. If you're gonna pirate something, run the executable through objdump first.

I don't really see how "the power of Unix" has anything to do with it, but I agree that the blame is on the users.

Moral of the story? Don't give admin privilege to shady software.


Did we really need two threads about this?

One's about Apple, the other's about the infection method.

 

I thought it was warranted, yes.


 

I chuckled when the guy who wrote that had trouble downloading the torrent. Probably clicked on all of those ads which say "download".

 

Sadly this was my main take away from this story. I don't understand how he struggled to download from a torrent site as mainstream as TPB.

 

Doesn't SmartScreen on Windows 8 do something similar to Gatekeeper? I wouldn't know as I disabled it, but I'd imagine its role is something similar; it certainly seemed to function that way right before I disabled it xD.

I'm not sure but it would seem like a great feature to keep amateur PC users safer.

 

As usual though it seems any decent security practice would have kept you safe from this and Apple did pretty much everything by the book kudos to them.

Great post @Builder


Sadly this was my main take away from this story. I don't understand how he struggled to download from a torrent site as mainstream as TPB.

 

Doesn't SmartScreen on Windows 8 do something similar to Gatekeeper? I wouldn't know as I disabled it, but I'd imagine its role is something similar; it certainly seemed to function that way right before I disabled it xD.

I'm not sure but it would seem like a great feature to keep amateur PC users safer.

 

As usual though it seems any decent security practice would have kept you safe from this and Apple did pretty much everything by the book kudos to them.

Great post @Builder

 

 

Yup, although what can also happen is someone needs to disable gatekeeper for a legitimate reason, and then just forget to turn it back on.

Same as Smartscreen and UAC in Windows.

 

User error the majority of the time.


Sadly this was my main take away from this story. I don't understand how he struggled to download from a torrent site as mainstream as TPB.

 

As usual though it seems any decent security practice would have kept you safe from this and Apple did pretty much everything by the book kudos to them.

Great post @Builder

I have to say even I know how to torrent from TPB and I'm not a pirate. I've used it to download LaTeX on Windows once.


TIL people who download from Pirate Bay leave on a security feature that blocks downloads from Pirate Bay

 

So... This is why I don't pirate. Okay then.


I don't really see this as much of an issue due to reading the comments of each torrent and looking at the user feedback. However, I do see how this could be a concern for Mac OS X users who don't usually encounter such things. If you must pirate, go with the trusted distributors that are known to give out 'clean' torrents.


I don't really see this as much of an issue due to reading the comments of each torrent and looking at the user feedback. However, I do see how this could be a concern for Mac OS X users who don't usually encounter such things. If you must pirate, go with the trusted distributors that are known to give out 'clean' torrents.

It's not a concern anymore because both Gatekeeper and XProtect block it.


It's not a concern anymore because both Gatekeeper and XProtect block it.

That's like saying Trojan horses aren't a concern on Windows because UAC blocks them.

It's still a concern because:

1) Apple discourages things like anti-virus software and Mac users often think of themselves as invulnerable to malware.

2) People who pirate things will probably ignore warnings like this because "it's just them trying to make me buy the product".

 

Trojans are still a concern on OS X, but Apple can't really do anything more than they have already done (on the OS side). The only thing left is to educate their users, and that's sadly something Apple has actively been fighting against for the past years (their marketing department shouting that there are no viruses for OS X and such).


That's like saying Trojan horses aren't a concern on Windows because UAC blocks them.

It's still a concern because:

1) Apple discourages things like anti-virus software and Mac users often think of themselves as invulnerable to malware.

2) People who pirate things will probably ignore warnings like this because "it's just them trying to make me buy the product".

 

Trojans are still a concern on OS X, but Apple can't really do anything more than they have already done (on the OS side). The only thing left is to educate their users, and that's sadly something Apple has actively been fighting against for the past years (their marketing department shouting that there are no viruses for OS X and such).

I don't believe they've ever said you can't get viruses...just that you won't.

 

That's mostly true. There are far fewer infections for OS X period and short of that an even smaller number of them have been actual exploits and not just trojans. Apple created XProtect because it was basically the only affliction of their system so they figured they'd try to get rid of it.

 

You can't override XProtect. If it detects a trojan, it overrides user input and securely deletes the file. It works really well when they update the definitions in a timely fashion. They didn't use to update them quick enough but I'm hoping this means they'll speed it up in the future.

 

I honestly don't have sympathy for people who get viruses from pirated content. You break the law, you pay the price. If you don't want to pay for content it's a risk that should always be kept in mind. Apple can't make people stop pirating shit so they just have to do their best at stopping it when bad shit happens.

 

I don't consider myself invulnerable to malware on a Mac, I had to run an Adware uninstalling script once but that's my fault because BitTorrent is a piece of shit and makes it look like you have to install "Spigot" to use the product. 

 

Obviously I don't personally believe there's much more they can do. It's completely reasonable to expect few to none infections on an OS X install.


I don't believe they've ever said you can't get viruses...just that you won't.

They word for word said "It doesn't get PC viruses. A Mac isn't susceptible to the thousands of viruses plaguing Windows-based computers. That's thanks to built-in defenses in Mac OS X that keeps you safe, without any work on your part".

They also had a headline which said "download with peace of mind" and then talked about not having to worry about which files you download. After the flashback incident they changed this to "it's built to be safe".

[Image: sophos.jpg]

While none of their statements are strictly wrong if you read them word for word, I think it's pretty obvious that it has made your average Mac user think of their computer as an impenetrable fortress.

That's why I said Apple have been fighting against educating their users. Microsoft has published hundreds of articles about viruses on their own website. How to protect yourself, what they are and how to remove them. As far as I can see, the only things Apple have said about viruses is how secure OS X is. It gives people a false sense of security, which is very dangerous. They also got a really short summary of "what is malware" on their website which just tells you to delete something you think is malware. Not that helpful.

Hell, Apple even told their employees to not help customers that were infected with MacDefender.


I only have Photoshop Lightroom on my Mac, got it for free when I bought my Samsung NX2000. Should I be worried?


I only have Photoshop Lightroom on my Mac, got it for free when I bought my Samsung NX2000. Should I be worried?

No, this only affects some pirated versions.


A very interesting post, and part of the reason why I don't pirate things anymore. Although if I had better knowledge of things like this, I might.


They word for word said "It doesn't get PC viruses. A Mac isn't susceptible to the thousands of viruses plaguing Windows-based computers. That's thanks to built-in defenses in Mac OS X that keeps you safe, without any work on your part".

They also had a headline which said "download with peace of mind" and then talked about not having to worry about which files you download. After the flashback incident they changed this to "it's built to be safe".

While none of their statements are strictly wrong if you read them word for word, I think it's pretty obvious that it has made your average Mac user think of their computer as an impenetrable fortress.

That's why I said Apple have been fighting against educating their users. Microsoft has published hundreds of articles about viruses on their own website. How to protect yourself, what they are and how to remove them. As far as I can see, the only things Apple have said about viruses is how secure OS X is. It gives people a false sense of security, which is very dangerous. They also got a really short summary of "what is malware" on their website which just tells you to delete something you think is malware. Not that helpful.

Hell, Apple even told their employees to not help customers that were infected with MacDefender.

If this is any indication it's pretty clear that all of those statements are true. They don't get PC viruses because PC viruses only work on Windows. Notice with this XProtect updated silently in the background and now the issue is resolved. There are tons of help articles on malware provided by Apple.

 

The bottom line of this is that it is far more difficult to infect yourself on a Mac than on a PC. You can deny this all you'd like but it is a fact of my experience with the matter and the experience of many fellow Mac users that infections simply don't happen on Macs. You have Flashback, sure. That's an isolated case, and admittedly they handled it badly but it's one case. There are so many more cases of it happening on Windows PCs that comparing them is silly. 

 

Here's what I'll say about Apple and security:

-Historically and currently, it is more difficult to get an infection on a machine running Apple OS X than Microsoft Windows.

-That being said, Apple has never been fantastic at updating things speedily. I hope their speedy response to this and the iCloud leak is a sign that this is changing.

-They tell their users that their products are not susceptible to PC viruses, which is completely true.

-They do have great built-in security features that it is very easy to educate yourself on.

 

At this point you're attacking Apple for not educating their customers about trojans. They've already gone about as far as they can technologically speaking while still maintaining a convenient system, you yourself admitted this earlier. Customers do not want to educate themselves about this kind of thing. If they did "password" would not still be the most popular password. They do in fact offer materials on the subject of protecting yourself from malware, what malware is, and even how to harden your OS X install so it's nearly impenetrable. (that last one does cut out a lot of convenience, which is why it's not a default)

 

They can't force their customers to read the stuff they already have out on the subject. I can tell you right now that almost nobody normal reads those Microsoft articles either. They do not need to educate their users on malware as much because statistically speaking it's still far more difficult to infect yourself on OS X. If you're going to deny that at this point there's honestly not much more I can say.


If this is any indication it's pretty clear that all of those statements are true. They don't get PC viruses because PC viruses only work on Windows. Notice with this XProtect updated silently in the background and now the issue is resolved. There are tons of help articles on malware provided by Apple.

 

The bottom line of this is that it is far more difficult to infect yourself on a Mac than on a PC. You can deny this all you'd like but it is a fact of my experience with the matter and the experience of many fellow Mac users that infections simply don't happen on Macs. You have Flashback, sure. That's an isolated case, and admittedly they handled it badly but it's one case. There are so many more cases of it happening on Windows PCs that comparing them is silly. 

 

Here's what I'll say about Apple and security:

-Historically and currently, it is more difficult to get an infection on a machine running Apple OS X than Microsoft Windows.

-That being said, Apple has never been fantastic at updating things speedily. I hope their speedy response to this and the iCloud leak is a sign that this is changing.

-They tell their users that their products are not susceptible to PC viruses, which is completely true.

-They do have great built-in security features that it is very easy to educate yourself on.

 

At this point you're attacking Apple for not educating their customers about trojans. They've already gone about as far as they can technologically speaking while still maintaining a convenient system, you yourself admitted this earlier. Customers do not want to educate themselves about this kind of thing. If they did "password" would not still be the most popular password. They do in fact offer materials on the subject of protecting yourself from malware, what malware is, and even how to harden your OS X install so it's nearly impenetrable. (that last one does cut out a lot of convenience, which is why it's not a default)

 

They can't force their customers to read the stuff they already have out on the subject. I can tell you right now that almost nobody normal reads those Microsoft articles either. They do not need to educate their users on malware as much because statistically speaking it's still far more difficult to infect yourself on OS X. If you're going to deny that at this point there's honestly not much more I can say.

Yes I know all those statements are technically true, but you are ignoring the fact that they are deliberately made to give their customers a false sense of security. That's very very bad.

The more people think they are invincible, the more stupid things they will do. The more people know about the dangers, the more careful they will be.

 

I like how you say I "admitted" that they have gone as far as they can on the OS side, as if I was trying to hide it or something (since admit implies reluctance). I have absolutely no problem giving Apple credit for good things. I have absolutely no problem giving any company credit if I think they deserve it, when I look at it as objectively as I can. I don't have any problem giving any company crap if I think they have done something bad either. So please stop implying that I am on some kind of crusade against Apple, since I don't treat them any differently than any other company.

 

I agree that you can't force consumers to read about this stuff, but telling them that they don't have to worry and that OS X will keep them safe without them having to think about it does more harm than good to the consumers.

There is a difference between educating people, and encouraging people to not educate themselves.


Yes I know all those statements are technically true, but you are ignoring the fact that they are deliberately made to give their customers a false sense of security. That's very very bad.

The more people think they are invincible, the more stupid things they will do. The more people know about the dangers, the more careful they will be.

 

I agree that you can't force consumers to read about this stuff, but telling them that they don't have to worry and that OS X will keep them safe without them having to think about it does more harm than good to the consumers.

There is a difference between educating people, and encouraging people to not educate themselves.

I don't think they're encouraging people not to educate themselves. I guess that's where we disagree. I don't think the sense of security is false either. Even with this it's largely true that you didn't have to do anything about it, those that were infected should now know, (XProtect will tell them) and then the problem will be almost resolved.

 

I think they have a long way to go too. They need to be more transparent about their security practices and they need to get on stuff like this iWorm as fast as they did this time every time. The guy who writes for TheSafeMac submits all his signatures to them and only recently have they really gotten on it. I think Apple is far from perfect, but where we differ is that I think they still have more to do besides educating their users.


Reason I don't visit TPB. Or really any torrent sites for that matter.


Yes I know all those statements are technically true, but you are ignoring the fact that they are deliberately made to give their customers a false sense of security. That's very very bad.

The more people think they are invincible, the more stupid things they will do. The more people know about the dangers, the more careful they will be.

 

 

If you try to deactivate security measures, they warn you that this makes your Mac less secure. How is this giving their customers a false sense of security?

It is impossible to stop simple malware like "iworm" from being installed when a user has to actively deactivate security measures and enter their admin password to confirm the installation.

You don't blame your car manufacturer for making insecure cars when your car has been stolen after you left it open with the key in the ignition.
