Apple just updated XProtect - its malware and virus protection system - to block an attack that has already infected thousands of Macs.
Dr. Web, a Russian antivirus firm, reported the emergence of this troublesome malware network that specifically goes after Apple Mac computers. The malware, called iWorm, disguises itself in a Java application and automatically launches on infected machines.
Beginning Saturday, Apple updated XProtect to detect and defend against three versions of iWorm.
It remains a mystery how the malware's creators spread iWorm, but it does include an interesting feature. It actually enlists infected Macs in the botnet (a collection of internet-connected programs that communicate with others to perform tasks) by use of a Reddit search. Basically, this search returns a list of botnet servers that an infected machine could connect with. Once a connection has been made, it waits for instructions from iWorm operators.
Apple's malware defense
There have been more than 18,519 unique IP addresses connected to iWorm, with one quarter of those reporting in from the United States and another 1,200 from both Canada and the UK. While these numbers pale in comparison to the total number of machines infected in 2012 by an outbreak dubbed Flashback, the two incidents had one major similarity - they were both identified by Russia's Dr. Web.
Two years ago, more than 600,000 machines were infected with Flashback before Apple responded with a malware removal tool. Apparently, Apple's response time is quite a bit better this time, after learning that tough lesson last go 'round. What's more, now the company doesn't even bother to alert its users when their XProtect is being updated - in fact, it currently contains detections for 40+ Mac threats. Their system is so effective, they use an identical approach to force Mac users off of outdated Flash and Java versions - both of which are widely targeted by hackers.
While iWorm doesn't seem nearly as significant as Flashback in scale, it is great news to see that Apple has beefed up its defense efforts.
Just to be on the safe side, here's how to check if your Mac has been infected with iWorm:
- Open Finder and choose Go to Folder from the Go menu at the top of the screen
- When a window pops up, type: /Library/Application Support/JavaW
- If the folder can't be found, your computer hasn't been infected and is okay
- If you do find that you have it, you can remove the file. But you are probably better off erasing your hard drive.
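
The same check can be scripted from Terminal. The following is an added example, not part of the original article: the only indicator it uses is the folder path given above, and the optional root argument (for checking a mounted backup or a second volume as well as the live system) and the function names are assumptions introduced here.

```shell
#!/bin/sh
# Added example: scripted form of the Finder check described above.
# IOC_PATH is the folder named in the article. Everything else (function
# names, the ROOT argument) is an assumption made for this example.
IOC_PATH="Library/Application Support/JavaW"

# iworm_folder_present ROOT
# Exit status 0 if ROOT/Library/Application Support/JavaW exists, 1 if not.
iworm_folder_present() {
    target="${1%/}/$IOC_PATH"      # "${1%/}" turns "/" into "" so "/" works
    # -e matches a folder or a file; -L also matches a dangling symlink
    [ -e "$target" ] || [ -L "$target" ]
}

# scan_roots ROOT...
# Prints one result per root; exit status 0 only if no root has the folder.
scan_roots() {
    hits=0
    for r in "$@"; do
        if iworm_folder_present "$r"; then
            echo "FOUND:     ${r%/}/$IOC_PATH"
            # List contents and timestamps so there is a record before
            # anything is removed or the disk is erased.
            ls -la "${r%/}/$IOC_PATH"
            hits=$((hits + 1))
        else
            echo "not found: ${r%/}/$IOC_PATH"
        fi
    done
    [ "$hits" -eq 0 ]
}

# Example: sh check_iworm.sh / /Volumes/Backup
if [ "$#" -gt 0 ]; then
    scan_roots "$@"
fi
```

Because the script exits non-zero when the folder is found on any root, it can be dropped into a management tool's compliance check to flag affected Macs across a fleet.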