icon bookmark-bicon bookmarkicon cameraicon checkicon chevron downicon chevron lefticon chevron righticon chevron upicon closeicon v-compressicon downloadicon editicon v-expandicon fbicon fileicon filtericon flag ruicon full chevron downicon full chevron lefticon full chevron righticon full chevron upicon gpicon insicon mailicon moveicon-musicicon mutedicon nomutedicon okicon v-pauseicon v-playicon searchicon shareicon sign inicon sign upicon stepbackicon stepforicon swipe downicon tagicon tagsicon tgicon trashicon twicon vkicon yticon wticon fm
3 Oct, 2014 20:27

17,000 Macs infected with botnet controlled via Reddit

17,000 Macs infected with botnet controlled via Reddit

Russian security company Dr. Web has discovered a flaw in the Mac OS X, which enables hackers to control infected computers using a search service at Reddit. The company says at least 17,000 unique IPs have been hacked, mostly in the US.

Dr. Web security experts discovered several threats to the MAC OS X after conducting a check in September, the Russian company said in a statement on its website.

“One of them turned out to be a complex multi-purpose backdoor that entered the virus database as Mac.BackDoor.iWorm,” the statement reads.

It has not yet been determined how the malware spreads, but Russian experts say that once a Mac has been infected, the software establishes a connection with the command server.

“It is worth mentioning that in order to acquire a control server address list, the bot uses the search service at reddit.com, and – as a search query – specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date,” the security company said.

The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd.”

image from http://st.drweb.com

"Criminals developed this malware using C++ and Lua. It should also be noted that the backdoor makes extensive use of encryption in its routines. During installation it is extracted into /Library/Application Support/JavaW, after which the dropper generates a p-list file so that the backdoor is launched automatically," the company added.

The Mac.BackDoor.iWorm is likely to send spam emails, flood websites with traffic, or mine bitcoins.

Dr. Web says 17,000 Macs were compromised by the botnet malware as of September 26. Most of them (4,610) were in the United States. Canada ranked second, with 1,235 comprised addresses, followed by the United Kingdom with 1,227 addresses.

image from http://st.drweb.com