The Russian-based antivirus company Dr. Web has identified a Reddit-powered Mac OS X botnet that has infected thousands of computers. According to the researchers, the botnet had infected more than 18,000 Macs as of 29 September.
What Is the Mac OS X Botnet?
Researchers at the antivirus company Dr. Web have reported a new botnet built on the malware Mac.BackDoor.iWorm. They counted more than 18,500 unique IP addresses used by infected computers to connect to the botnet. Almost a quarter of those computers are in the United States, followed by Canada and the UK.
The targets are mainly Apple computers running Mac OS X. Notably, Mac.BackDoor.iWorm uses Reddit's post search against a Minecraft server-list sub-reddit to retrieve the IP addresses of its command-and-control servers. The researchers found that the sub-reddit has since been purged of C&C data and that the account responsible for posting it appears to have been shut down.
Mac OS X Botnet Distribution
Mac.BackDoor.iWorm was written in C++ and Lua and uses encryption in its routines. When first launched, it saves its configuration data in a separate file and tries to read the contents of the Library directory to learn which installed applications it must avoid.
Dr. Web's report does not say how Mac.BackDoor.iWorm is distributed to its victims. It does describe the installation: the dropper places the malware in the Library directory of the affected user's home folder, disguised as an application support directory for JavaW. The dropper then generates an OS X p-list file, disguised as belonging to the application com.JavaW, so that the bot is launched automatically from /Library/LaunchDaemons/ every time the system starts.
How Does Mac OS X Botnet Affect the User’s Computer?
The bot looks for a location in the user's Library folder to store its configuration file and then connects to Reddit's search page. It computes the MD5 hash of the current date and uses the first 8 bytes of the result as its search term on Reddit's Minecraft server list, where the legitimate posts were more than a year old.
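The rendezvous scheme above is easy to turn around for detection: a defender can compute the same search terms and hunt for them in web-proxy logs. The following is an added example, not Dr. Web's code or anything recovered from the sample. Two details the article does not give are assumptions here: that the date is hashed as a "YYYY-MM-DD" string, and that "first 8 bytes" means the first 8 hex characters of the digest. The proxy-log format, the client IPs and the sub-reddit name in the URLs are constructed for the example.

```python
import hashlib
import re
from datetime import date, timedelta
from urllib.parse import parse_qs, urlparse

# Assumption (not stated in the article): the date string the bot hashes.
DATE_FORMAT = "%Y-%m-%d"


def reddit_search_term(day_iso: str) -> str:
    """First 8 hex characters of MD5(date string): the term the article
    says the bot searches for on Reddit's Minecraft server-list sub-reddit."""
    day = date.fromisoformat(day_iso)
    digest = hashlib.md5(day.strftime(DATE_FORMAT).encode("ascii")).hexdigest()
    return digest[:8]


def expected_terms(today_iso: str, days_back: int = 3, days_forward: int = 1) -> dict:
    """Search terms for a window around today (infected hosts may have
    skewed clocks), mapped back to the ISO date that produces each one."""
    today = date.fromisoformat(today_iso)
    terms = {}
    for delta in range(-days_back, days_forward + 1):
        day_iso = (today + timedelta(days=delta)).isoformat()
        terms[reddit_search_term(day_iso)] = day_iso
    return terms


# Constructed proxy-log shape: timestamp, client IP, quoted request line.
LOG_LINE = re.compile(r'^\S+ (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "GET (?P<url>\S+) ')


def find_rendezvous_lookups(log_lines, today_iso: str):
    """Return (client_ip, search_term, matched_date) for every Reddit
    search whose q= parameter equals one of the expected terms."""
    terms = expected_terms(today_iso)
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlparse(m.group("url"))
        host = url.hostname or ""
        if not (host == "reddit.com" or host.endswith(".reddit.com")):
            continue
        # Covers both /search and /r/<sub>/search.
        if not url.path.rstrip("/").endswith("/search"):
            continue
        query = parse_qs(url.query).get("q", [""])[0]
        if query in terms:
            hits.append((m.group("src"), query, terms[query]))
    return hits


# Constructed sample log (not real traffic). The third line is built with
# reddit_search_term so it carries the term for 2014-09-29; the sub-reddit
# name in it is illustrative.
SAMPLE_DATE = "2014-09-29"
SAMPLE_LOG = [
    '2014-09-29T10:00:01Z 10.0.0.5 "GET https://www.reddit.com/r/minecraft/ HTTP/1.1" 200',
    '2014-09-29T10:00:02Z 10.0.0.6 "GET https://www.reddit.com/search?q=minecraft+server HTTP/1.1" 200',
    '2014-09-29T10:00:03Z 10.0.0.7 "GET https://www.reddit.com/r/minecraftserverlist/search?q='
    + reddit_search_term(SAMPLE_DATE) + '&restrict_sr=on HTTP/1.1" 200',
]


def demo():
    """Run the hunt over the constructed log for the sample date."""
    return find_rendezvous_lookups(SAMPLE_LOG, SAMPLE_DATE)


if __name__ == "__main__":
    for src, term, day in demo():
        print(f"{src} searched Reddit for {term} (the term for {day})")
```

Only the third log line is flagged: an ordinary Reddit search for "minecraft server" does not match, because the detector compares the query against the exact 8-character hashes for a small window of dates rather than looking for Reddit traffic in general. If a real sample turns out to hash a different date format, only DATE_FORMAT needs to change.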
A survey by Ars Technica of the most recent servers listed in the sub-reddit found that most of the IP addresses are hosted on compromised systems. The experts say it is unlikely that the botnet can be shut down completely: the malware can download additional files and execute commands on infected systems, so a new version may already exist and be spreading alongside other malware. Both Dr. Web and Bitdefender have detected variants of the bot.
It should be stated that Reddit is not spreading the infection; it merely serves as a channel through which the bot's authors communicate with the Macs they have already infected.
Mac OS X Botnet – Detection and Protection
Mac owners can defend themselves against the malware. Jacob Salmela, a developer, has posted step-by-step instructions for creating a set of OS X Folder Actions that alert the user if the system becomes infected.
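The same idea in script form, as an added example that is neither Salmela's Folder Actions nor Dr. Web's code: it checks for the two artifacts the article names (a JavaW application-support directory under the user's Library and a com.JavaW launch plist under /Library/LaunchDaemons), parses every launch plist so a renamed file is still caught by its Label or ProgramArguments, and shows the snapshot-diff that a Folder Action performs when a new item appears. The exact file names and the demo layout are assumptions; demo() builds a throwaway directory tree rather than touching a real system.

```python
import os
import plistlib
import shutil
import tempfile
from pathlib import Path

# Indicators taken from the article. The precise names are assumptions.
JAVAW_DIR_NAME = "JavaW"
JAVAW_LABEL = "com.JavaW"


def scan_launch_plists(launch_dirs):
    """Flag any launch plist whose file name, Label or ProgramArguments
    mentions JavaW. Missing directories simply yield nothing."""
    findings = []
    for d in launch_dirs:
        for path in Path(d).glob("*.plist"):
            reason = None
            if JAVAW_LABEL.lower() in path.name.lower():
                reason = "file name"
            try:
                with path.open("rb") as fh:
                    data = plistlib.load(fh)
            except Exception:  # unreadable or not a plist: still judge by name
                data = {}
            label = str(data.get("Label", ""))
            args = " ".join(str(a) for a in data.get("ProgramArguments", []))
            if "javaw" in label.lower():
                reason = reason or "Label"
            if "javaw" in args.lower():
                reason = reason or "ProgramArguments"
            if reason:
                findings.append(("launch plist", str(path), reason))
    return findings


def scan_library(home_library):
    """Flag the bogus JavaW application-support directory the article describes."""
    candidate = Path(home_library) / "Application Support" / JAVAW_DIR_NAME
    if candidate.is_dir():
        return [("app support dir", str(candidate), "directory exists")]
    return []


def scan(home_library, launch_dirs):
    return scan_library(home_library) + scan_launch_plists(launch_dirs)


def snapshot(directory):
    return set(os.listdir(directory))


def new_entries(before, after):
    """What a Folder Action alerts on: names that appeared since the last look."""
    return sorted(after - before)


def demo():
    """Constructed layout in a temp dir (not a real infection): one JavaW
    directory, one com.JavaW plist, one benign plist. Returns the names
    that appeared in Application Support and the scan findings."""
    root = Path(tempfile.mkdtemp())
    try:
        lib = root / "Library"
        appsup = lib / "Application Support"
        appsup.mkdir(parents=True)
        before = snapshot(appsup)
        (appsup / JAVAW_DIR_NAME).mkdir()
        daemons = root / "LaunchDaemons"
        daemons.mkdir()
        with (daemons / "com.JavaW.plist").open("wb") as fh:
            plistlib.dump({"Label": JAVAW_LABEL,
                           "ProgramArguments": [str(appsup / JAVAW_DIR_NAME / "JavaW")],
                           "RunAtLoad": True}, fh)
        with (daemons / "com.example.benign.plist").open("wb") as fh:
            plistlib.dump({"Label": "com.example.benign",
                           "ProgramArguments": ["/usr/bin/true"]}, fh)
        appeared = new_entries(before, snapshot(appsup))
        return appeared, scan(lib, [daemons])
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    appeared, findings = demo()
    print("new in Application Support:", appeared)
    for kind, path, reason in findings:
        print(f"{kind}: {path} ({reason})")
```

On a real Mac the call would be scan(Path.home() / "Library", ["/Library/LaunchDaemons"]); adding /Library/LaunchAgents and ~/Library/LaunchAgents to the list costs nothing and covers the case where a variant picks a different persistence folder. Reading the plist contents matters because a file name is the cheapest thing for a malware author to change.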