Risk Assessment / Security & Hacktivism Reddit-powered botnet infected thousands of Macs worldwide

Discussion in 'Mac - General discussion' started by ireland, Oct 3, 2014.

  1. ireland

    ireland Active member

    Joined:
    Nov 28, 2002
    Messages:
    3,451
    Likes Received:
    15
    Trophy Points:
    68
    Risk Assessment / Security & Hacktivism
    Reddit-powered botnet infected thousands of Macs worldwide

    Mac.BackDoor.iWorm used Minecraft server subreddit for command and control.
    The Russian antivirus vendor Dr. Web has reported the spread of a new botnet that exclusively targets Apple computers running Mac OS X. According to a survey of traffic conducted by researchers at Dr. Web, over 17,000 Macs worldwide are part of the Mac.BackDoor.iWorm botnet—and almost a quarter of them are in the US. One of the most curious aspects of the botnet is that it uses a search of Reddit posts to a Minecraft server list subreddit to retrieve IP addresses for its command and control (CnC) network. That subreddit now appears to have been expunged of CnC data, and the account that posted the data appears to be shut down.
    The Dr. Web report doesn’t say how Mac.BackDoor.iWorm is being distributed to victims of the malware. But its “dropper” program installs the malware into the Library directory within the affected user’s account home folder, disguised as an Application Support directory for “JavaW." The dropper then generates an OS X .plist file to automatically launch the bot whenever the system is started.
    The bot malware itself looks for somewhere in the user’s Library folder to store a configuration file, then connects to Reddit’s search page. It uses an MD5 hash algorithm to encode the current date, and uses the first 8 bytes of that value to search Reddit’s “minecraftserverlist” subreddit’—where most of the legitimate posts are over a year old.
    The CnC posts appear to now have been expunged from Reddit, and a survey of the most recent servers identified in the subreddit by Ars found that most of their IP addresses, scattered around the world on systems that were apparently compromised—including computers in Slovakia and at Marist College in Poughkeepsie, New York—are now unreachable. The Marist College node, based on its IP address, was a virtual machine running in the college’s private cloud.
    However, it’s unlikely that the botnet has been completely shut down. The malware has the capability of downloading additional files and executing commands on the infected systems, so a new version of the botnet may have already been distributed—along with other malware spread through it.
    Security journalist Graham Cluley reports that Dr. Web and Bitdefender both detect variants of the botnet, (which Bitdefender refers to as Mac.OSX.iWorm). There are also ways for Mac owners to defend themselves against the malware. Developer Jacob Salmela has posted instructions on how to create a set of OS X folder actions that will alert a user if their system becomes infected.
    http://arstechnica.com/security/201...rstechnica/index (Ars Technica - All content)
     
  2. megadunderhead

    megadunderhead Regular member

    Joined:
    Jan 14, 2012
    Messages:
    524
    Likes Received:
    2
    Trophy Points:
    28
    yea and they fixed it already so big fat deal
     
  3. ddp

    ddp Moderator Staff Member

    Joined:
    Oct 15, 2004
    Messages:
    39,167
    Likes Received:
    136
    Trophy Points:
    143
    for how long as last time apple fixed a malware, it lasted 6hrs before it was back.
     
  4. megadunderhead

    megadunderhead Regular member

    Joined:
    Jan 14, 2012
    Messages:
    524
    Likes Received:
    2
    Trophy Points:
    28
    actually no it didn't and this malware code was only in minecraft and because mine craft moved to microsoft servers even the ps3 and xbox 360 are also now exposed to this potential for a virus
     

Share This Page