While it’s still unclear exactly how it spreads, a new Mac OS X virus has been discovered using Reddit’s search features to connect newly infected computers to servers where the compromised machines await orders on how to proceed.
Security researchers recently discovered that more than 17,000 Macs around the world have been infected by a new OS X malware threat called “iWorm,” which at one point used Reddit.com as a go-between to cull user data, perform various system actions and execute Lua scripts. Entered into the virus database of Russian research firm Dr. Web as “Mac.BackDoor.iWorm,” the new threat is described as a complex multi-purpose backdoor capable of issuing a variety of commands to be carried out by an affected host Mac. Among the operations available to the malware are data gathering and limited system remote control. Dr. Web says the Mac.BackDoor.iWorm malware was written in C++ and Lua. The worm, which encrypts its behaviors, installs to the /Library/Application Support/JavaW directory, which is where users will find the worm if their computer is under attack by it.
“The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd,” states Dr. Web. “The bot picks a random server from the first 29 addresses on the list and sends queries to each of them. Search requests to acquire the list are sent to reddit.com in five-minute intervals.”
After iWorm installs, it creates an operating file, opens a port to request a list of control servers and connects, awaiting further instructions. Unique to this particular piece of malware is its use of Reddit.com’s search service to retrieve the botnet server list, which until recently was disguised in a comment to the post “minecraftserverlists.”
Once iWorm connects with a command and control server, the backdoor pulls in instructions via binary data or the Lua programming language. Alternatively, connected servers can send over another bit of malware to further compromise the affected machine.
iWorm itself can gather and send off sensitive user information, set parameters in configuration files, perform GET queries, put a Mac to sleep, ban nodes and perform nested Lua scripts, among other backdoor operations.
According to Dr. Web’s statistical analysis of iWorm, the malware as infected some 17,658 Macs worldwide as of Sept. 26.
The Mac.BackDoor.iWorm is likely to send spam emails, flood websites with traffic, or mine bitcoins. Most of the compromised machines are located in the US, Canada ranked second, with 1,235 comprised addresses, followed by the United Kingdom with 1,227 addresses and the rest is in Europe, Australia, the Russian Federation, Brazil and Mexico.