Roll-your-own Defense Against Mac.BackDoor.iWorm

[UPDATE]: Advanced settings added below

Get Alerted If Your Computer Gets Infected

When the Mac.BackDoor.iWorm malware gets installed via pirated software, your computer becomes part of a botnet.  While you may not be able to stop it from getting there, you can be alerted when it does and then take steps to manually neutralize it.

How To Set This Up

Enable Folder Actions

According to the research, this malware installs itself to the following three locations.  However, if the first folder already exists, you might already be infected.  So, really, you will probably just need to monitor the LaunchDaemons and /private/var/root folders.  You will notice in the screenshot that I have other folders listed; this is because I have used this trick to block other types of malware. The last folder is mentioned here, but I can’t confirm or deny its accuracy.

/Library/Application Support/JavaW
/Library/LaunchDaemons
/private/var/root/


  1. Right-click one of the folders listed above
  2. Choose Services > Folder Actions Setup…
  3. Check Enable


Assign A Folder Action

  1. Click the plus sign on the right side of the window
  2. Highlight add – new item alert.scpt
  3. Click Attach
  4. Repeat the process for each folder

If a new item gets added at any of these locations, you will get a pop-up alert.  If it does happen, disconnect from the Internet and try to get rid of the malware.
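For anyone who would rather script the same watch than click through Folder Actions, here is an added example (not from the original post, and not part of macOS): a plain sh script that records a baseline of the folders listed above and then reports anything that appears later. WATCH_DIRS, BASELINE_DIR and JAVAW_DIR are assumed names; run "snapshot" once, then call run_check from cron or a LaunchAgent and act on a non-zero exit.

```shell
#!/bin/sh
# Added example: baseline-and-diff watch of the folders iWorm is reported to use.
# Assumed variable names; override in the environment if your layout differs.
WATCH_DIRS="${WATCH_DIRS:-/Library/LaunchDaemons /Library/LaunchAgents /private/var/root}"
BASELINE_DIR="${BASELINE_DIR:-$HOME/.iworm-baseline}"
JAVAW_DIR="${JAVAW_DIR:-/Library/Application Support/JavaW}"

# Map a directory path to a baseline file name (slashes and spaces -> underscores).
baseline_file() {
    printf '%s/%s.list\n' "$BASELINE_DIR" "$(printf '%s' "$1" | tr '/ ' '__')"
}

# Record the current entries of a directory, sorted, one per line.
snapshot_dir() {
    mkdir -p "$BASELINE_DIR"
    ls -A "$1" 2>/dev/null | sort > "$(baseline_file "$1")"
}

# Print entries present now but absent from the baseline.
# Returns 0 if nothing is new, 1 if something appeared, 2 if no baseline exists.
new_items() {
    base=$(baseline_file "$1")
    [ -f "$base" ] || { echo "no baseline for $1; run snapshot first" >&2; return 2; }
    added=$(ls -A "$1" 2>/dev/null | sort | comm -13 "$base" -)
    [ -z "$added" ] && return 0
    printf '%s\n' "$added"
    return 1
}

# The JavaW folder is the simplest case: its mere existence is the signal.
javaw_present() {
    [ -d "$JAVAW_DIR" ]
}

# Check every watched folder plus the JavaW marker; non-zero exit means "look".
run_check() {
    rc=0
    for d in $WATCH_DIRS; do
        items=$(new_items "$d") || { rc=1; printf 'NEW in %s:\n%s\n' "$d" "$items"; }
    done
    javaw_present && { rc=1; echo "JavaW folder exists: $JAVAW_DIR"; }
    return $rc
}

# Usage: "snapshot" records today's state; "check" (or no argument) diffs against it.
case "${1:-}" in
    snapshot) for d in $WATCH_DIRS; do snapshot_dir "$d"; done ;;
    check)    run_check ;;
esac
```

The Finder-friendly /Library/Application Support is deliberately not in WATCH_DIRS (its space would break the word-split loop, and it churns too much to baseline); JAVAW_DIR covers the one folder there that matters.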


Advanced Setup Using Hazel

The built-in Folder Actions aren’t so good at detecting the addition of specific folders, especially in a folder that gets used often, like /Library/Application Support.  If you want to detect whether the JavaW folder gets installed, I suggest using Hazel.  It is similar to Folder Actions, but more robust.

Below is the setup I used, or you can download the rules I made and import them.  The rule just watches for that exact folder name and, if it finds it, gives a notification and reveals the folder in the Finder.

Setup

  1. Add /Library/Application Support as one of the folders for Hazel to watch
  2. Add a new rule called Detect JavaW
  3. Set it up per the screenshot below
  4. You are all set!

If Hazel detects the folder, you will get a little Notification Center message.


You could also set Hazel up to watch the other two folders too, but since it is a paid product, the built-in folder actions will work just the same.

Another Option

Running these two commands will create the directory and then make it immutable, which should essentially prevent anyone but the super-user from modifying it.

sudo mkdir '/Library/Application Support/JavaW'
sudo chflags schg '/Library/Application Support/JavaW'

The folder icon will have a little silver lock on it if the command was successful.


As long as you are not installing pirated software, you should not get infected with this malware.

36 Replies to “Roll-your-own Defense Against Mac.BackDoor.iWorm”

    1. Good question. They are usually pretty responsive, but like to provide a solution they know works, not just a haphazard one. That’s why this trick is nice. Anytime a new malware comes out you can set this up–just need to find out what folders to monitor. I pretty much always monitor all the LaunchDaemons and LaunchAgents folders as a standard since it is a common attack vector.

    1. Deleting it seems like the reasonable course of action, but who knows what else it does or what file it makes once it exists. The security experts will figure that out, I’m sure. This just offers a first line of defense for zero-day attacks. You will probably want to disconnect your device from the Internet until you get it resolved. Or if you can stand it, turn it off until there is an easy way to clean it.

    1. It is indeed root’s home. I was reading that a file gets planted there, too, but I never followed up on it. It doesn’t hurt to monitor it anyway; I don’t want any unauthorized files trying to move in there!

      I was also thinking of using Hazel to monitor for the JavaW folder. I’ll post instructions for that tomorrow.

  1. If I try to go to:
    /private/var/root/
    … I get a message saying “The folder can’t be found”
    If I try to go to:
    /private/var/root
    … (no trailing slash) I get a message saying “The folder “root” can’t be opened because you don’t have permission to see its contents”

    1. That is root’s home folder so it is highly-protected. You can only access it from the command line or Single-user mode. If you navigate to /private/var in the Finder, you will see the folder is there with a prohibitory badge on it.

    1. Malware always finds its way in. It’s less likely under a standard account since they don’t have access to those folders, but not impossible. For this particular worm, the user types in their password, granting the malware access–a common ruse with pirated software.
