Cybercriminals derive search query from current date

Oct 2, 2014 10:07 GMT  ·  By

A new piece of malware targeting Mac systems uses reddit.com’s search service to locate a list of command and control (C&C) servers from which it receives instructions.

The cybercriminals behind it have published the servers’ IP addresses and connection ports in comments on Reddit. After infecting a computer, the threat runs a search query on the user-powered news site that is derived from the current date.

The search string is disguised: it consists of the hexadecimal representation of the first eight bytes of the MD5 hash of the current date, so it changes every day and looks like a random 16-character string. Because the derivation is deterministic, defenders who know the scheme can compute the same terms and hunt for them in web-proxy logs.

Security experts from Russian antivirus vendor Doctor Web observed the new botnet forming in September, while researching new threats for machines running on OS X.

C&C IPs pose as servers for Minecraft

According to the company’s telemetry, the malware, detected by its product as Mac.BackDoor.iWorm, has infected a considerable number of systems: more than 17,000 unique IP addresses have been associated with infected machines.

The country with the most infections is the United States, where more than 4,500 (26.1%) compromised computers have been recorded. Canada and the United Kingdom are almost equally affected, each with about 1,230 IP addresses belonging to machines associated with the malware.

Researchers say the malware was written in C++ and Lua and that it uses encryption in its routines.

The C&C server addresses appear to have been posted by the owner of the account “vtnhiaovyd” under a post titled “minecraftserverlists,” so that, at a glance, the list looks like a roster of game servers rather than malicious infrastructure.

“The bot picks a random server from the first 29 addresses on the list and sends queries to each of them. Search requests to acquire the list are sent to reddit.com in five-minute intervals,” Doctor Web says.
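The date-derived query described earlier and the list handling in Doctor Web’s description, modelled as an added Python example for this article (it is not code from the article, from Doctor Web, or from the malware). It assumes the date is hashed as an ISO 8601 string (“YYYY-MM-DD”), that the Reddit comment lists one “ip:port” endpoint per line, and that the Reddit search URL has the shape `reddit.com/search?q=…`; none of these details is stated on the page. The comment text and proxy log lines are constructed for the demonstration, and the `find_hits` function shows the defender’s side: precomputing the daily terms and matching them in logs.

```python
"""Model of iWorm's date-derived Reddit query and C&C list handling.

Added example for this article; it is not code from Doctor Web, Softpedia or
the malware itself.  Assumptions not stated on the page:
  * the date is hashed as an ISO 8601 string ("YYYY-MM-DD");
  * the Reddit comment lists one "ip:port" endpoint per line;
  * the proxy log lines and endpoints below are constructed for the demo.
"""
import hashlib
import ipaddress
import random
import re
from datetime import date, timedelta

LIST_DEPTH = 29  # per Doctor Web: the bot picks from the first 29 addresses


def search_token(day_iso: str) -> str:
    """First 8 bytes of MD5(date) as 16 lowercase hex characters.

    The date format is an assumption (ISO 8601); the article only says
    'the current date'."""
    digest = hashlib.md5(day_iso.encode("ascii")).digest()
    return digest[:8].hex()


def tokens_for_window(start_iso: str, days: int) -> dict:
    """Pre-compute token -> date for a run of days.

    Because the derivation is deterministic, a defender can generate the
    terms for past and future days and hunt for them in web-proxy logs."""
    start = date.fromisoformat(start_iso)
    out = {}
    for d in range(days):
        day = (start + timedelta(days=d)).isoformat()
        out[search_token(day)] = day
    return out


_ENDPOINT = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*$")


def parse_cc_list(comment_text: str) -> list:
    """Extract (ip, port) pairs from comment text, skipping invalid entries."""
    endpoints = []
    for line in comment_text.splitlines():
        m = _ENDPOINT.match(line)
        if not m:
            continue
        ip_text, port_text = m.groups()
        try:
            ip = ipaddress.IPv4Address(ip_text)   # rejects e.g. 999.1.1.1
        except ValueError:
            continue
        port = int(port_text)
        if 1 <= port <= 65535:
            endpoints.append((str(ip), port))
    return endpoints


def pick_server(endpoints: list, rng=random):
    """Mirror the described selection: a random entry among the first 29."""
    candidates = endpoints[:LIST_DEPTH]
    return rng.choice(candidates) if candidates else None


# Reddit search URL with a 16-hex-char query; the URL shape is an assumption.
_QUERY = re.compile(r"reddit\.com/search\?q=([0-9a-f]{16})(?![0-9a-f])")


def find_hits(log_lines, tokens: dict) -> list:
    """Return (line, date) for each proxy log line carrying a known token."""
    hits = []
    for line in log_lines:
        m = _QUERY.search(line)
        if m and m.group(1) in tokens:
            hits.append((line, tokens[m.group(1)]))
    return hits


if __name__ == "__main__":
    today = "2014-10-02"
    token = search_token(today)
    print("query for", today, "->", token)

    # Constructed comment in the style the article describes.
    comment = "minecraftserverlists\n" + "\n".join(
        f"198.51.100.{i}:25565" for i in range(1, 35)) + "\n999.1.1.1:80\n"
    servers = parse_cc_list(comment)
    print(len(servers), "endpoints parsed; chosen:", pick_server(servers))

    # Constructed proxy log; one line carries today's token.
    logs = [
        f"2014-10-02T10:07:00Z 10.0.0.5 GET http://www.reddit.com/search?q={token} 200",
        "2014-10-02T10:08:00Z 10.0.0.6 GET http://www.reddit.com/search?q=minecraft 200",
    ]
    for line, day in find_hits(logs, tokens_for_window("2014-10-01", 3)):
        print("iWorm-style query for", day, "in:", line)
```

The window in `tokens_for_window` should cover clock skew on infected hosts (a day on either side), and a hit on a 16-hex-character Reddit search is only a lead: confirm it against the five-minute cadence Doctor Web describes and the outbound connections that follow it.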

iWorm can be used to funnel in other malware

As a safeguard, after establishing contact with a C&C server the malware runs an authentication routine; only if the remote server passes validation does the bot send information about the compromised computer.

According to the antivirus company, iWorm’s Lua scripts can report the operating system type, the bot version and the UID; download files; open a socket for an inbound connection and run the commands received over it; ban nodes by IP address; and execute system commands or a nested Lua script.

With the ability to download and execute files and commands, iWorm could be leveraged for a wide range of attacks, from stealing information stored on the system or sending spam to conducting distributed denial-of-service (DDoS) attacks.

Malware for OS X is not uncommon and Mac botnets have been seen before, one of the more notorious examples being the one dubbed Flashback, which amassed more than 600,000 Mac computers in 2012.

The Trojan behind that botnet was still active in the wild in early 2014, when more than 22,000 computers remained compromised, according to a post from Mac security company Intego earlier this year.