Roll-your-own Defense Against Mac.BackDoor.iWorm

Roll-your-own Defense Against Mac.BackDoor.iWorm

[UPDATE]: Advanced settings added below

Get Alerted If Your Computer Gets Infected

When the Mac.BackDoor.iWorm malware gets installed via pirated software, your computer and becomes part of a botnet.  While you may not be able to stop it from getting there, you can be alerted when it does and then take steps to manually neutralize it.

How To Set This Up

Enable Folder Actions

According to the research, this malware installs itself to the following three locations.  However, if the first folder exists, you might already be infected.  So, really, you will probably just need to monitor the LaunchDaemons and /private/var/root folders.  You will notice in the screenshot that I have other folders listed, this is because I have used this trick to block other types of malware. The last folder is mentioned here, but I can’t confirm or deny its accuracy.

/Library/Application Support/JavaW /Library/LaunchDaemons /private/var/root/
  1. Right-click one the the folders listed above
  2. Choose Services > Folder Actions Setup…
  3. Check Enable

Assign A Folder Action

  1. Click the plus sign on the right side of the window
  2. Highlight add – new item alert.scpt
  3. Click Attach
  4. Repeat the process for each folder

If a new item gets added at any of these location, you will get a pop-up alert.  If it does happen, disconnect from the Internet and try to get rid of the malware.

Advanced Setup Using Hazel

The built in Folder Actions aren’t so good at detecting the addition of specific folders, especially in a folder that gets used often, like /Library/Application Support.  If you want to detect if the JavaW folder gets installed, I suggest using Hazel.  It is similar to Folder Actions, but more robust.

Below is the setup I used, or you can download the rules I made and import it.  It will just watch for that exact folder name and if it find its, give a notification and reveal the folder in the Finder.


1. Add /Library/Application Support as one of the folder for Hazel to watch

2. Add a new rule called Detect JavaW

3. Set it up per the screenshot below

4. You are all set!

If Hazel detected the folder, you will get a little Notification Center message.

You could also set Hazel up to watch the other two folders too, but since it is a paid product, the built-in folder actions will work just the same.

Another Option

Running these two commands will make the directory and then make it immutable, which should essentially preventing anyone but the super-user from modifying it.

sudo mkdir '/Library/Application Support/JavaW' 
sudo chflags schg '/Library/Application Support/JavaW'

The folder icon will have a little silver lock on it if the command was successful.

As long as you are not installing pirated software, you should not get infected with this malware.