According to their report, the sophisticated malware – which they have dubbed Mac.BackDoor.iWorm – has infected more than 17,000 computers running OS X.
Unfortunately, what isn’t presently documented is how the malware spreads – but the consequences can clearly be serious.
Like any computers that have been recruited into a botnet, Macs that have been hijacked in this attack could have information stolen from them, further malware planted upon them, or be used to spread more malware or launch spam campaigns and denial-of-service attacks.
Fascinatingly, compromised computers receive commands from servers under the control of botmasters, using information posted in messages on Reddit as a navigational aid:
Then Mac.BackDoor.iWorm opens a port on an infected computer and awaits an incoming connection. It sends a request to a remote site to acquire a list of control servers, and then connects to the remote servers and waits for instructions.
It is worth mentioning that in order to acquire a control server address list, the bot uses the search service at reddit.com, and — as a search query — specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date. The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd.
This isn’t really Reddit’s fault of course. They’ve done nothing wrong as such, and even if they shut down the accounts that are communicating with the botnet there would be nothing to stop the hackers behind the campaign creating new accounts or using an alternative service (Twitter, perhaps?) to communicate with the compromised computers.
And it’s important to stress that Reddit isn’t spreading the infection – it’s simply providing a platform that is helping the botmasters communicate with the Mac computers they have managed to infect.
Dr Web’s research team claim that the country hit hardest by the botnet is the United States, followed by Canada and the United Kingdom.
This isn’t, of course, the first time that we have seen Mac computers infected by malware and hijacked into a criminal botnet, and it isn’t anything like as big so far as the notorious Flashback worm which hit more than 600,000 Mac computers in early 2012.
But it is another timely warning that Mac users shouldn’t be fooled into thinking they are somehow immune from computer security threats. An anti-virus product should be part of your arsenal, if you value your privacy and the data you store on your Apple computer.
In addition, keep your computer patched with the latest security updates – both for the underlying OS X operating system, but also for commonly targeted software such as Adobe Reader, Flash and Java.
More information about this particular threat can be found on Dr Web’s website.
Update: The guys at Bitdefender have been in touch, offering readers of Graham Cluley Security News, a special deal whereby you can get six months’ free protection with their Mac anti-virus product. You can check it out here.
Bitdefender tells me that Bitdefender Antivirus for Mac detects the malware as Mac.OSX.iWorm.D, Mac.OSX.iWorm.C, Mac.OSX.iWorm.B, and Mac.OSX.iWorm.A. Clearly a few different versions of the attack have already been seen, and users would be wise to keep their Mac anti-virus products updated as it wouldn’t be a surprise if there were more to come.
The Bitdefender offer runs out at midnight on
Monday Wednesday night.
If other vendors have similar deals, please leave a comment below so Mac users can check it out.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.