Apple OSX HowTo's

Mac Botnet you say?

The new, well, sort of new (the light bulb has only just come on for some users) Mac.BackDoor.iWorm backdoor seems to be causing some concern lately. I have added a brief description of how it works below, and if you want to know more I have linked some good articles at the end. What I want to focus on is how to tell whether you are infected, and one cheap way to stop this variant installing in the first place.

The backdoor gets onto a machine disguised as Java application support. Once installed, the infected machine connects out to Reddit (at least at the time of writing; I can see that changing) and searches posts there for the addresses of its command and control servers, so the botnet operators can change the server list without touching the infected machines.

The backdoor installs itself into the folder shown below. If we had been using Linux we could have used something like inotify to run a script as soon as that folder was created. On OS X a simpler approach is to create the folder ourselves, owned by root, and then mark it immutable so that the dropper cannot write into it:

sudo mkdir "/Library/Application Support/JavaW"
sudo chflags schg "/Library/Application Support/JavaW"

schg is the system immutable flag. Once it is set, the folder cannot be modified, renamed or deleted, and nothing can be created inside it, not even by root, until the flag is cleared with sudo chflags noschg (which only root can do; at securelevel 0, the OS X default, that works from a normal login, at higher securelevels it needs single-user mode). You can confirm the flag took with ls -ldO "/Library/Application Support/JavaW", which shows schg in the flags column. Bear in mind this only blocks the install path this variant uses; a later build that unpacks somewhere else walks straight past it. For more about chflags check out nixCraft.
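Below is a small shell script, added here as an example and not part of the original post, that puts the two halves together: a check for the JavaW folder that tells the immutable decoy apart from a real install by whether the schg flag is set, and a function that plants the decoy the same way the two sudo commands above do. The launch daemon plist path comes from Dr.Web's published analysis of iWorm, not from this post, so treat it as an assumed extra indicator; the optional ROOT argument is also my addition so the checks can be run against a constructed directory tree instead of the live system.

```shell
#!/bin/sh
# Added example (not from the original post): look for the on-disk indicator
# the post describes (the JavaW folder) and optionally plant the immutable
# decoy. ROOT is a prefix such as /tmp/tree so the checks can be exercised
# against a constructed tree; leave it empty to scan the live system.

IWORM_DIR="Library/Application Support/JavaW"
# Launch daemon plist named in Dr.Web's public analysis of iWorm; not mentioned
# in this post, so it is treated here as an assumed additional indicator.
IWORM_PLIST="Library/LaunchDaemons/com.JavaW.plist"

# is_immutable PATH: exit 0 if the system-immutable flag (schg) is set.
# Uses BSD stat on OS X; on systems without it (Linux) report "not immutable".
is_immutable() {
    if stat -f '%Sf' "$1" >/dev/null 2>&1; then
        stat -f '%Sf' "$1" | grep -q 'schg'
    else
        return 1
    fi
}

# iworm_indicators [ROOT]: print findings; exit 0 if an indicator is present
# (treat the machine as suspect), 1 if none is. A JavaW folder that carries
# the schg flag is the decoy from this post, not the malware's working folder.
iworm_indicators() {
    root="${1:-}"
    hits=0
    dir="$root/$IWORM_DIR"
    if [ -d "$dir" ]; then
        if is_immutable "$dir"; then
            echo "decoy folder present (schg set): $dir"
        else
            echo "SUSPECT: writable JavaW folder: $dir"
            hits=$((hits + 1))
        fi
    fi
    if [ -e "$root/$IWORM_PLIST" ]; then
        echo "SUSPECT: launch daemon plist: $root/$IWORM_PLIST"
        hits=$((hits + 1))
    fi
    [ "$hits" -gt 0 ]
}

# make_decoy [ROOT]: create the JavaW folder and set the system-immutable
# flag, as the post's two sudo commands do. Run as root for the flag to take;
# chflags exists only on OS X/BSD, so elsewhere the folder is created plain.
make_decoy() {
    dir="${1:-}/$IWORM_DIR"
    mkdir -p "$dir" || return 1
    chmod 755 "$dir"
    if command -v chflags >/dev/null 2>&1; then
        chflags schg "$dir" || return 1
        ls -ldO "$dir"   # OS X ls: -O prints the file flags column
    else
        echo "chflags not available here; folder created without schg: $dir"
    fi
}

# Usage: sh iworm.sh scan [ROOT]   or   sudo sh iworm.sh decoy [ROOT]
case "${1:-}" in
    scan)  iworm_indicators "${2:-}" ;;
    decoy) make_decoy "${2:-}" ;;
esac
```

Run sh iworm.sh scan on the live machine; an exit status of 0 with a "SUSPECT" line means the JavaW folder exists and is writable, which is exactly what the dropper leaves behind, whereas a folder that reports schg is the decoy you planted. Because the check keys on a fixed path it is a cheap first look, not a substitute for a proper scan.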

In summary, it is no mystery how this or any other malware gets onto a machine: someone did something stupid, and no amount of folder monitoring or antivirus software can fix that.

Here is where you can read more about the botnet:
Ars Technica
MacRumors
