Thousands of Macs infected with OS X botnet malware controlled via Reddit


Russian security researchers from anti-virus company Dr Web have discovered a new OS X botnet that has hijacked over 17,000 Macs worldwide. Macs recruited into the botnet are infected with Mac.BackDoor.iWorm malware, which is being spread by a yet-to-be-discovered method.

Once infected, Mac computers can be controlled by hackers who are communicating with infected machines using a unique medium -- Reddit. The Mac.BackDoor.iWorm opens a port on the Mac and connects to other infected machines using information posted by the hackers in Reddit's forums.

It is worth mentioning that in order to acquire a control server address list, the bot uses the search service at reddit.com, and - as a search query - specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date. The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd.

The bot picks a random server from the first 29 addresses on the list and sends queries to each of them. Search requests to acquire the list are sent to reddit.com in five-minute intervals.
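The lookup pattern described above (a reddit.com search for a 16-character hexadecimal term, repeated every five minutes) can be hunted for in web proxy logs. The following is an added detection sketch, not code from Dr Web or the original article; the log line format, the `/search?q=` URL shape, the jitter tolerance, the hit threshold and every sample value are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

HEX16 = re.compile(r"[0-9a-fA-F]{16}")  # 8 bytes rendered as hex digits
INTERVAL = 300   # five minutes between lookups, per the article
TOLERANCE = 30   # assumed jitter allowance, in seconds
MIN_HITS = 3     # assumed minimum number of lookups before flagging

# Constructed sample proxy log: "<ISO time> <client> <URL>"
SAMPLE_LOG = """\
2014-10-03T09:00:02 10.0.0.21 https://www.reddit.com/search?q=3f2a9c1d5e7b8a40
2014-10-03T09:01:10 10.0.0.35 https://www.reddit.com/search?q=minecraft+servers
2014-10-03T09:05:03 10.0.0.21 https://www.reddit.com/search?q=3f2a9c1d5e7b8a40
2014-10-03T09:07:44 10.0.0.35 https://www.reddit.com/search?q=deadbeefdeadbeef
2014-10-03T09:10:01 10.0.0.21 https://www.reddit.com/search?q=3f2a9c1d5e7b8a40
2014-10-03T09:15:04 10.0.0.21 https://www.reddit.com/search?q=3f2a9c1d5e7b8a40
"""

def hex_search_hits(log_text):
    """Map client -> sorted times of reddit.com searches for a 16-hex-char term."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, client, url = parts
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        on_reddit = host == "reddit.com" or host.endswith(".reddit.com")
        if not on_reddit or not u.path.startswith("/search"):
            continue
        q = parse_qs(u.query).get("q", [""])[0]
        if HEX16.fullmatch(q):
            hits[client].append(datetime.fromisoformat(ts))
    return {c: sorted(t) for c, t in hits.items()}

def suspicious_clients(log_text):
    """Clients with MIN_HITS+ hex searches spaced about INTERVAL seconds apart."""
    flagged = []
    for client, times in hex_search_hits(log_text).items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = [g for g in gaps if abs(g - INTERVAL) <= TOLERANCE]
        if len(times) >= MIN_HITS and len(regular) >= MIN_HITS - 1:
            flagged.append(client)
    return sorted(flagged)

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```

The check keys on the shape and timing of the query rather than its value, because the article does not say how the date is formatted before hashing.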

According to Dr Web's analysis, the United States has the most infected machines, with 4,200 compromised OS X computers. The UK and Canada are also hotbeds, with more than 1,200 botnet-controlled machines in each country.

[Via Graham Cluley]