17,000 Macs infected with botnet controlled via Reddit
Dr. Web security experts discovered several threats to the MAC OS X after
conducting a check in September, the Russian company said in a
statement on its website.
“One of them turned out to be a complex multi-purpose backdoor that entered the virus database as Mac.BackDoor.iWorm,” the statement reads.
It has not yet been determined how the malware spreads, but
Russian experts say that once a Mac has been infected, the
software establishes a connection with the command server.
“It is worth mentioning that in order to acquire a control server address list, the bot uses the search service at reddit.com, and – as a search query – specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date,” the security company said.
“The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd.”
"Criminals developed this malware using C++ and Lua. It
should also be noted that the backdoor makes extensive use of
encryption in its routines. During installation it is extracted
into /Library/Application Support/JavaW, after which the dropper
generates a p-list file so that the backdoor is launched
automatically," the company added.
The Mac.BackDoor.iWorm is likely to send spam emails, flood websites with traffic, or mine bitcoins.
Dr. Web says 17,000 Macs were compromised by the botnet malware as of September 26. Most of them (4,610) were in the United States. Canada ranked second, with 1,235 comprised addresses, followed by the United Kingdom with 1,227 addresses.