iWorm, which isn’t a worm at all but a plain jane trojan, has been generating some rather absurd headlines and coverage. And, would you believe that only 17,000 or so actual Macs have been infected?
Sample iWorm Headlines
— Hackers Have Found A Flaw In Macs And Are Using It To Control 17,000 Apple Computers … Via Reddit
— Reddit-powered botnet infected thousands of Macs worldwide
— Scary flaw lets hackers create a botnet
Of course, the “flaw” in the first and last headlines is the individual Mac user who installs iWorm — trojans require the user to install the malware. In this case, the iWorm payload is delivered via warez downloads from the PirateBay and Demonoid sites, which link to illegal copies of mainstream apps like MS Office, Adobe Photoshop, etc.
And, what about Reddit’s role in all of this? Reddit’s role is actually incidental in that it was used to host a list of command and control servers. That bit of administration could easily have been assigned to any one of a million public sites on the internet.
To wit, while it’s still early days, 1.) iWorm seems to be a retooling of a 2009 trojan, also called iWorm, that takes advantage of a flaw in Java and 2.) the people behind this latest iteration don’t seem to be particularly clever. That is, they used old code and got caught after infecting only a relative handful of people.
Even if the total were a thousand times greater — still only 17 million Macs (ie a tiny PC botnet) — the headlines and coverage would still be absurdly over the top.
Xprotect Update Obviates iWorm
Late on Saturday, Apple pushed a background update to Xprotect, the malware blocker integrated in every version of its desktop operating system since OS X 10.6.x Snow Leopard. Because Apple pushed these updates to users, protection occurs without user interface — brilliant, really.
So, while some tiny number (~17,000) of really dull people (ie those who download illegal warez and then don’t scan it for malware) with Java installed are infected, new iWorm infections going forward are extremely unlikely.
[u] Apple’s Xprotect update covers two variants of the iWorm trojan. However, there are four versions of iWorm out n’ about, so stay tuned.
iWorm and the resulting media coverage are so very much like BENDGHAZI — ie dull people inflicting damage upon themselves and then the media reporting the result as somehow preventably Apple’s fault or problem…
What’s your take?