17000 Macs infected with botnet controlled via Reddit

Security researchers at the Russian anti-malware company Dr.Web, following their investigation of several malicious threats targeting Macs, report that a botnet malware has infected more than 17,000 Mac systems worldwide.

The claim is based on the company's research conducted last month.
Dr.Web refers to the infecting malware as Mac.BackDoor.iWorm and notes that the attackers can issue commands that make the program carry out a wide range of instructions on the infected machines.

The malware was written in C++ and Lua, and the attackers are using a somewhat unusual method of interacting with the botnet and the infected computers: they use Reddit as a navigational tool to pass commands to infected systems.
During installation it is extracted into /Library/Application Support/JavaW, after which the dropper generates a plist file so that the backdoor is launched automatically, the researchers noted.
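The persistence described above (a launchd plist that starts a binary under /Library/Application Support/JavaW) is something a defender can check for directly. The following is an added example, not Dr.Web's or the malware author's code: it walks the launchd directories and reports any plist whose strings reference that path. The report does not say which launchd directory the dropper uses, which file name the plist has, or what the launched binary is called, so the scan covers all the standard directories and the label, file name and binary name in the constructed demo are placeholders.

```python
"""Scan macOS launchd plists for the iWorm persistence indicator described in
the article: a launcher referencing /Library/Application Support/JavaW.
Added example (not from Dr.Web); plist label/file/binary names are constructed."""
import os
import plistlib
import tempfile

# Install path reported by Dr.Web for Mac.BackDoor.iWorm.
IWORM_PATH = "/Library/Application Support/JavaW"

# Directories launchd reads at boot and login. The report does not say which
# one the dropper writes to, so a defender checks all of them.
LAUNCHD_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]


def plist_references(node, needle):
    """True if any string anywhere in the (possibly nested) plist contains
    `needle`. Checking every string, not just ProgramArguments, also catches
    a Program key or a WorkingDirectory pointing at the install path."""
    if isinstance(node, str):
        return needle in node
    if isinstance(node, dict):
        return any(plist_references(v, needle) for v in node.values())
    if isinstance(node, (list, tuple)):
        return any(plist_references(v, needle) for v in node)
    return False


def find_suspicious_plists(dirs=LAUNCHD_DIRS, needle=IWORM_PATH):
    """Return paths of launchd plists under `dirs` that reference `needle`.
    Missing directories are skipped; unreadable or malformed plists are
    skipped too (they are worth a manual look, but are not false 'clean')."""
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    data = plistlib.load(fh)
            except Exception:
                continue
            if plist_references(data, needle):
                hits.append(path)
    return hits


def demo():
    """Constructed LaunchAgents directory with one benign and one suspicious
    entry; the suspicious entry mimics the persistence described in the
    report, but its label, file name and binary name are invented."""
    tmp = tempfile.mkdtemp()
    benign = {"Label": "com.example.updater",
              "ProgramArguments": ["/usr/bin/true"],
              "RunAtLoad": True}
    suspicious = {"Label": "com.placeholder.javaw",          # constructed
                  "ProgramArguments": [IWORM_PATH + "/JavaW"],  # assumed name
                  "RunAtLoad": True,
                  "KeepAlive": True}
    for fname, content in (("com.example.updater.plist", benign),
                           ("com.placeholder.javaw.plist", suspicious)):
        with open(os.path.join(tmp, fname), "wb") as fh:
            plistlib.dump(content, fh)
    return find_suspicious_plists([tmp])


if __name__ == "__main__":
    for hit in demo():
        print("demo: suspicious launchd plist:", hit)
    for hit in find_suspicious_plists():
        print("LIVE HIT on this machine:", hit)
```

Run it as root on a Mac to cover /Library/LaunchDaemons; a hit only says a plist references the reported install path, so confirm it against the directory's contents and the running process list before treating the host as infected.
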
How the malware works
When Mac.BackDoor.iWorm is initially launched, it saves its configuration data in a separate file and tries to read the contents of the /Library directory to determine which of the installed applications the malware won't be interacting with. If ‘unwanted’ directories can't be found, the bot uses system queries to determine the home directory of the Mac OS X account under which it is running, checks the availability of its configuration file in the directory, and writes the data needed for it to continue to operate into the file.
After that, the malware opens a port on the infected computer and awaits an incoming connection. It sends a request to a remote site to acquire a list of control servers, then connects to those servers and waits for instructions.
It is worth mentioning that, in order to acquire the control server address list, the bot uses the search service at reddit.com and, as the search query, specifies the hexadecimal value of the first 8 bytes of the MD5 hash of the current date. The reddit.com search returns a web page containing a list of botnet C&C servers and ports that the criminals published in comments to the post minecraftserverlists under the account vtnhiaovyd.
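Because the search query is derived only from the date, a defender who knows the scheme can precompute the day's query string and hunt for it in proxy or DNS-plus-URL logs. The example below does exactly that; it is added here and is not Dr.Web's code. The report does not say how the bot formats "the current date" before hashing, so the `%Y-%m-%d` rendering in `DATE_FORMATS` is an assumption (add the real format once you have it from a sample), and the squid-style log lines are constructed for the demo.

```python
"""Hunt proxy logs for the daily reddit.com search that Mac.BackDoor.iWorm
uses to find its C&C list (hex of the first 8 bytes of MD5(current date), per
Dr.Web). Added example; the date string format is an ASSUMPTION and the log
lines are constructed."""
import hashlib
from datetime import date, timedelta
from urllib.parse import urlparse, parse_qs

# ASSUMPTION: how the bot renders the current date before hashing.
# Extend this list if a sample shows a different rendering.
DATE_FORMATS = ["%Y-%m-%d"]


def daily_tokens(day, fmts=DATE_FORMATS):
    """The 16 hex chars (8 bytes) of MD5 over each rendering of `day`."""
    return {hashlib.md5(day.strftime(f).encode()).hexdigest()[:16] for f in fmts}


def token_window(center=None, days_before=3, days_after=3):
    """Tokens for a window around `center`, so clock skew on the bot and
    delayed log shipping do not cause misses. Returns {token: date}."""
    center = center or date.today()
    out = {}
    for offset in range(-days_before, days_after + 1):
        d = center + timedelta(days=offset)
        for t in daily_tokens(d):
            out[t] = d
    return out


def reddit_search_query(url):
    """Return the q= parameter if `url` is a reddit.com search, else None.
    Accepts www./old. subdomains and subreddit-scoped /r/<sub>/search paths."""
    p = urlparse(url)
    host = p.hostname or ""
    if not (host == "reddit.com" or host.endswith(".reddit.com")):
        return None
    if not p.path.rstrip("/").endswith("/search"):
        return None
    q = parse_qs(p.query).get("q")
    return q[0] if q else None


def hunt(log_lines, tokens):
    """Return (client_ip, url, matched_date) for each squid-native-format
    line ('time elapsed client status/code bytes METHOD url ...') whose
    reddit search query is one of the precomputed tokens."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        client, url = parts[2], parts[6]
        q = reddit_search_query(url)
        if q and q.lower() in tokens:
            hits.append((client, url, tokens[q.lower()]))
    return hits


# Constructed sample log: one bot-like lookup, one ordinary user search on
# reddit, one unrelated request.
SAMPLE_DAY = date(2014, 10, 1)
_tok = sorted(daily_tokens(SAMPLE_DAY))[0]
SAMPLE_LOG = [
    f"1412150400.123 95 10.0.0.7 TCP_MISS/200 5210 GET https://www.reddit.com/search?q={_tok} - HIER_DIRECT/203.0.113.10 text/html",
    "1412150460.456 80 10.0.0.9 TCP_MISS/200 8120 GET https://www.reddit.com/search?q=minecraft+servers - HIER_DIRECT/203.0.113.10 text/html",
    "1412150520.789 12 10.0.0.7 TCP_MISS/200 310 GET https://example.com/ - HIER_DIRECT/198.51.100.5 text/html",
]


def demo():
    """Run the hunt over the constructed log using a window around SAMPLE_DAY."""
    return hunt(SAMPLE_LOG, token_window(center=SAMPLE_DAY))


if __name__ == "__main__":
    for client, url, d in demo():
        print(f"{client} sent the iWorm search token for {d}: {url}")
```

Feed `hunt()` your real proxy lines with `token_window()` for today; a match on a 16-hex-character reddit search query that nobody would type by hand is a strong host-level lead, and the client IP tells you which Mac to pull for the plist check.
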

After the report from the anti-malware company Dr.Web, Reddit started shutting down all the associated pages, accounts and links. Dr.Web mentioned that among the list of infected countries, the US is first with 4,610 systems (26.1% of the total), followed by Canada and the United Kingdom with 1,235 systems (7%) and 1,227 systems (6.9% of the total) respectively.
