MAC BOTNET uses REDDIT comments for directions
17,000 Macs compromised by malicious miscreants
A zombie network that feasts on the computer brains of infected Macs has press-ganged 17,000 compromised machines into its ranks, Russian anti-virus firm Dr Web warns.
The iWorm creates a backdoor on machines running OS X. Miscreants are using messages posted on Reddit as a navigational aid which points infected machines towards command and control servers.
Compromised machines phone home to these command nodes to get instructions on what to do. Dr Web has more detail on the mechanism in an advisory (extract below).
To acquire a control server address list, the bot uses the search service at reddit.com, and — as a search query — specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date. The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd.
Even if Reddit shuts down the accounts communicating with the botnet the miscreants behind the malware could easily either create new accounts or use an alternative web service, such as Twitter.
"Reddit isn’t spreading the infection – it’s simply providing a platform that is helping the botmasters communicate with the Mac computers they have managed to infect," explains veteran security watcher Graham Cluley in a blog post.
The mechanism used by the malware to spread remains undetermined. Its purpose is also unclear. Dr Web researchers estimate most of the victims of the botnet are US-based. The malware has also scalped a significant number of systems in Canada and the UK.
The number of infections attributed to the botnet is significant but nothing like as large as the number of Macs laid low by the notorious Flashback worm, which hit more than 600,000 Mac computers in early 2012. ®