New Mac Malware Uses Reddit to Communicate


Researchers have spotted new Mac malware in the wild which uses Reddit to connect with its command and control (C&C) servers.

Russian security firm Dr Web claimed that the backdoor malware has already infected 17,000 Macs.

Although the firm didn’t reveal exactly how the malware – dubbed Mac.BackDoor.iWorm – spreads, it said that the largest share of infected OS X machines is in the US (26%), followed by Canada (7%) and the UK (6.9%).

The malware was developed using C++ and Lua and makes “extensive use of encryption in its routines,” the firm wrote in a blog post.

“When Mac.BackDoor.iWorm is initially launched, it saves its configuration data in a separate file and tries to read the contents of the /Library directory to determine which of the installed applications the malware won't be interacting with,” Dr Web continued.

“If ‘unwanted’ directories can't be found, the bot uses system queries to determine the home directory of the Mac OS X account under which it is running, checks the availability of its configuration file in the directory, and writes the data needed for it to continue to operate into the file.”

The backdoor then opens a port on a victim machine and waits for an incoming connection.

It is at this stage that it uses Reddit to communicate with the C&C servers, the vendor said.

“In order to acquire a control server address list, the bot uses the search service at reddit.com, and—as a search query—specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date,” it explained.

“The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd. The bot picks a random server from the first 29 addresses on the list and sends queries to each of them. Search requests to acquire the list are sent to reddit.com in five-minute intervals.”
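The lookup scheme Dr Web describes is effectively a date-based rendezvous: every infected host derives the same 16-character search string for a given day, so a defender can derive it too and watch for it in proxy logs. The following is an added example, not code from Dr Web or from the malware; it assumes the date is hashed as an ASCII string in YYYY-MM-DD form (the article does not give the exact format), that the C&C list in the comment is plain IPv4 host:port text, and that the proxy log has a constructed "timestamp client method url" layout.

```python
import hashlib
import re
from datetime import date, timedelta
from urllib.parse import urlparse, parse_qs

# Assumption: the bot hashes the date as the ASCII string "YYYY-MM-DD".
# The article only says "the MD5 hash of the current date"; change this
# if a sample shows a different format.
DATE_FORMAT = "%Y-%m-%d"


def reddit_query_for(day: date, fmt: str = DATE_FORMAT) -> str:
    """Hex of the first 8 bytes of MD5(date string): the 16-character
    string the bot would submit to the reddit.com search box."""
    digest = hashlib.md5(day.strftime(fmt).encode("ascii")).digest()
    return digest[:8].hex()


def expected_queries(today: date, slack_days: int = 1) -> set:
    """Queries a bot could plausibly send around `today`. One day of slack
    on each side absorbs clock skew and time-zone differences."""
    return {
        reddit_query_for(today + timedelta(days=d))
        for d in range(-slack_days, slack_days + 1)
    }


# Assumption: C&C entries appear in the comment as IPv4 "host:port" text.
HOSTPORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def parse_cc_list(comment_text: str, limit: int = 29) -> list:
    """Pull host:port pairs out of comment text in order of appearance and
    keep the first `limit` unique, valid entries (the bot picks from the
    first 29 according to the report)."""
    seen, out = set(), []
    for host, port in HOSTPORT_RE.findall(comment_text):
        entry = (host, int(port))
        if entry in seen or not 0 < entry[1] < 65536:
            continue
        seen.add(entry)
        out.append(entry)
        if len(out) == limit:
            break
    return out


def is_iworm_lookup(url: str, today: date) -> bool:
    """True when `url` is a reddit.com search whose q parameter equals one
    of the date-derived strings for `today` (plus slack)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not (host == "reddit.com" or host.endswith(".reddit.com")):
        return False
    if not parsed.path.rstrip("/").endswith("/search"):
        return False
    candidates = expected_queries(today)
    return any(v.lower() in candidates for v in parse_qs(parsed.query).get("q", []))


def flag_lookups(log_lines, today: date) -> list:
    """Return (client, url) for every log line that looks like a bot lookup.
    Constructed log layout: '<timestamp> <client_ip> <method> <url>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        if is_iworm_lookup(url, today):
            hits.append((client, url))
    return hits


# Constructed sample data; not taken from the Dr Web report.
SAMPLE_DAY = date(2014, 10, 1)
SAMPLE_LOG = [
    "2014-10-01T10:00:00Z 10.0.0.5 GET https://www.reddit.com/search?q=" + reddit_query_for(SAMPLE_DAY),
    "2014-10-01T10:00:03Z 10.0.0.7 GET https://www.reddit.com/search?q=minecraft+servers",
    "2014-10-01T10:00:09Z 10.0.0.9 GET https://example.com/search?q=" + reddit_query_for(SAMPLE_DAY),
]
SAMPLE_COMMENT = "servers: 192.0.2.10:443 198.51.100.7:8080 192.0.2.10:443 203.0.113.5:70000"

if __name__ == "__main__":
    print("today's query:", reddit_query_for(SAMPLE_DAY))
    print("flagged:", flag_lookups(SAMPLE_LOG, SAMPLE_DAY))
    print("C&C list:", parse_cc_list(SAMPLE_COMMENT))
```

Because the search string depends only on the date, a detection rule keyed on `expected_queries()` needs no sample of the bot itself: precompute the strings for today and the adjacent days and match them against the `q` parameter of reddit.com search requests. The same derivation lets an analyst find the day's comment thread and enumerate the listed servers for blocking. Keep the one-day slack; a host whose clock is off, or a hit logged just after midnight in a different time zone, would otherwise be missed.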

The firm didn’t say to what use the compromised computers have been put but it would be natural to assume that once co-opted into a botnet, they could be used to launch DDoS attacks, spam runs or other malware attacks.

Security expert Graham Cluley pointed out that Reddit is not to blame – its platform is simply being abused by the hackers.

“They’ve done nothing wrong as such, and even if they shut down the accounts that are communicating with the botnet there would be nothing to stop the hackers behind the campaign creating new accounts or using an alternative service (Twitter, perhaps?) to communicate with the compromised computers,” he argued.
