OS X Botnet Malware
Security experts from Russian anti-virus maker Doctor Web have discovered new malware that compromises Mac computers running OS X and uses reddit.com’s search service to access a list of command and control (C&C) servers in order to receive further instructions.
In September 2014, Doctor Web’s security experts researched several new threats to Mac OS X and discovered that one of them turned out to be a complex multi-purpose backdoor that entered the virus database as Mac.BackDoor.iWorm. Criminals can issue commands that get this program to carry out a wide range of instructions on the infected machines.
A statistical analysis by Doctor Web indicates that there are more than 17,000 unique IP addresses associated with infected Macs. Doctor Web's research also indicates that the cybercriminals behind this malware have published the IP addresses and connection ports in comments on Reddit. After infecting the computer, the threat was observed to run a search query, derived from the current date, on the user-powered news website.
What is Mac.BackDoor.iWorm and how it uses Reddit Search
When Mac.BackDoor.iWorm is initially launched, it saves its configuration data in a separate file and tries to read the contents of the /Library directory to determine which of the installed applications the malware won’t be interacting with. If ‘unwanted’ directories can’t be found, the bot uses system queries to determine the home directory of the Mac OS X account under which it is running, checks the availability of its configuration file in the directory, and writes the data needed for it to continue to operate into the file. Then Mac.BackDoor.iWorm opens a port on an infected computer and awaits an incoming connection. It sends a request to a remote site to acquire a list of control servers, and then connects to the remote servers and waits for instructions. It is worth mentioning that in order to acquire a control server address list, the bot uses the search service at reddit.com, and—as a search query—specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date. The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd.
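A detection sketch for the lookup described above, added here as an example and not taken from Doctor Web's analysis: it flags proxy-log requests to reddit.com search whose query is 16 hex characters (8 MD5 bytes), and separately matches tokens computed for a window of dates. The date string formats, the /search?q= URL shape and the log entries are assumptions or constructed samples, because the page does not specify them.

```python
import hashlib
import re
from datetime import date, timedelta
from urllib.parse import urlsplit, parse_qs

HEX16 = re.compile(r"[0-9a-fA-F]{16}")  # first 8 MD5 bytes as hex = 16 chars
# ASSUMPTION: the page does not say how the date is serialized before hashing,
# so these formats are guesses to replace once the real one is confirmed.
CANDIDATE_FORMATS = ("%Y-%m-%d", "%d.%m.%Y", "%Y%m%d")

def date_token(day, fmt):
    """Hex of the first 8 bytes of MD5(date string), as the page describes."""
    return hashlib.md5(day.strftime(fmt).encode()).digest()[:8].hex()

def tokens_for_range(start, days):
    """Map token -> (date, format) for each candidate format over a date window."""
    window = [start + timedelta(days=n) for n in range(days)]
    return {date_token(d, f): (d, f) for d in window for f in CANDIDATE_FORMATS}

def classify(url, known):
    """Return 'date-match', 'hex16-query' or None for one requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    on_reddit = host == "reddit.com" or host.endswith(".reddit.com")
    if not on_reddit or not parts.path.startswith("/search"):
        return None
    for q in parse_qs(parts.query).get("q", []):  # ASSUMPTION: query sent as ?q=
        if q.lower() in known:
            return "date-match"      # token equals a hash of a date in the window
        if HEX16.fullmatch(q):
            return "hex16-query"     # right shape, unknown date format: review
    return None

# Constructed proxy-log sample (client IP, URL); not real telemetry.
SAMPLE_LOG = [
    ("10.0.0.5", "https://www.reddit.com/search?q=minecraft+servers"),
    ("10.0.0.7", "http://www.reddit.com/search?q=" + date_token(date(2014, 10, 1), "%Y-%m-%d")),
    ("10.0.0.9", "http://www.reddit.com/search?q=0123456789abcdef"),
    ("10.0.0.9", "http://example.com/search?q=0123456789abcdef"),
]

def scan(log, known):
    """Return (client, verdict) for every log entry that classify() flags."""
    return [(ip, verdict) for ip, url in log if (verdict := classify(url, known))]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG, tokens_for_range(date(2014, 9, 25), 14)))
```

The shape-only verdict is the one that survives a wrong guess about the date format, so treat it as the primary signal and the date match as confirmation.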
The statistics compiled by Doctor Web show that the malware is lethal and has easily passed AV detection engines' test queries. According to Doctor Web, around 17,000 systems with unique IP addresses have been infected by this malware.
United States most affected!
The country seeing the most infections is the United States, where more than 4,500 (26.1%) compromised computers have been recorded. Canada and the United Kingdom are almost equally affected, with about 1,230 IP addresses from machines associated with the malware.
How does the iWorm work?
The malware was developed using C++ and Lua scripts, and it implements encryption capabilities on the machines. iWorm uses Lua scripts to retrieve the type of the operating system, the bot version and UID; download files; open a socket for an inbound connection and run the commands received; ban nodes by IP; and execute system instructions or a nested Lua script. Once installed on a machine, the malware runs an authentication routine to contact its command and control servers. Only once the C&C contact is validated does iWorm start delivering data from the infected computer to its handlers.
Like all botnets, especially the black hat ones, iWorm can also download files its handlers command it to, and execute files and commands. Cybercriminals can use it for a wide range of attacks such as data mining, information stealing, sending out spam, phishing and conducting distributed denial-of-service (DDoS) attacks.
Doctor Web says that with 17,000 infections and counting, this malware, if not contained, may become as notorious an OS X threat as Flashback, which infected more than 600,000 Mac computers in 2012.