Security researchers at the Russian anti-malware firm Dr.Web report that a botnet targeting Apple computers running Mac OS X has compromised more than 17,000 Macs worldwide. The malware gives its operators backdoor access to the infected machines, and the researchers found that about a quarter of the bots are located in the United States.
Dr.Web has named the malware Mac.BackDoor.iWorm. According to its analysis, the attackers can issue commands that make the program carry out a wide range of instructions on an infected Mac.
The most interesting aspect of this botnet is how it locates its command-and-control (C&C) servers: the bot uses Reddit.com's search service to find posts in a Minecraft server-list subreddit and harvests C&C IP addresses and ports from them. The Reddit account that posted that data has since been shut down, though the iWorm authors are likely to publish another server list.
The anti-malware company said: “It is worth mentioning that in order to acquire a control server address list, the bot uses the search service at reddit, and – as a search query – specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date.”
“The reddit search returns a web page containing a list of botnet Command & Control servers and ports published by cyber criminals in comments to the post minecraft server lists under the account vtnhiaovyd.”
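Added example, not Dr.Web's code or anything recovered from the malware: a Python sketch of the lookup described above, showing how the daily search term is derived and how host:port pairs would be pulled out of a comment body. It also generates the terms for upcoming days, which a defender can hunt for in proxy logs or block ahead of time. Assumptions: the page does not say how the bot formats the date before hashing it, so ISO 8601 is used as a placeholder; the host:port comment layout is assumed; and the comment text is constructed, with addresses from documentation ranges.

```python
import hashlib
import re
from datetime import date, timedelta
from typing import Union

# Assumption: the page does not give the date format the bot hashes, so
# ISO 8601 (YYYY-MM-DD) is used here as a stand-in.
DATE_FORMAT = "%Y-%m-%d"


def _as_date(day: Union[date, str]) -> date:
    return date.fromisoformat(day) if isinstance(day, str) else day


def cnc_search_query(day: Union[date, str], fmt: str = DATE_FORMAT) -> str:
    """Search term for `day`: the first 8 bytes of MD5(date string) as 16 hex chars."""
    digest = hashlib.md5(_as_date(day).strftime(fmt).encode("ascii")).digest()
    return digest[:8].hex()


def upcoming_queries(start: Union[date, str], days: int) -> list:
    """(date, query) pairs for the next `days` days, for hunting or blocking in advance."""
    first = _as_date(start)
    return [
        ((first + timedelta(n)).isoformat(), cnc_search_query(first + timedelta(n)))
        for n in range(days)
    ]


# Assumed comment layout: an IPv4 address or hostname, a colon, then a port.
_HOST_PORT = re.compile(
    r"\b((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}):(\d{1,5})\b",
    re.IGNORECASE,
)


def extract_cnc_servers(comment_text: str) -> list:
    """Pull (host, port) pairs from a comment body, dropping out-of-range ports."""
    servers = []
    for host, port in _HOST_PORT.findall(comment_text):
        p = int(port)
        if 1 <= p <= 65535:
            servers.append((host.lower(), p))
    return servers


# Constructed sample comment in the assumed layout; the addresses are
# documentation ranges, not real C&C servers.
CONSTRUCTED_COMMENT = """minecraft server list (updated)
192.0.2.10:8080
198.51.100.7:443
203.0.113.5:99999
mc.example.net:25565
"""

if __name__ == "__main__":
    for d, q in upcoming_queries(date(2014, 10, 3), 3):
        print(d, q)
    print(extract_cnc_servers(CONSTRUCTED_COMMENT))
```

The third sample line carries an impossible port and is dropped, which is the kind of sanity check a bot parsing strangers' comments would need as much as a defender does; any real implementation also has to know the exact date format, since a one-character difference changes the hash completely.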
How the iWorm malware works
The researchers did not say how Mac.BackDoor.iWorm is initially distributed, but they did describe its “dropper”: it installs the backdoor in the Library directory inside the affected user’s home folder, disguised as an Application Support directory for “JavaW”, and configures it to start automatically.
The malware is written in C++ and Lua, and its operators interact with the infected Macs in an unusual way: Reddit.com serves as the directory through which the bots find the servers that hand them their commands.
“During the installation it is extracted into /Library/Application Support/JavaW, after which the dropper generates a p-list file so that the backdoor is launched automatically,” the researchers noted. Note that the write-up gives the location both as the Library folder of the user’s home directory and as the system-wide /Library; when checking a machine, look in both.
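Added example, not Dr.Web's tooling: a Python check for the installation artifacts described above, run against a filesystem prefix so it can be pointed at a mounted disk image as well as a live system. It looks for the JavaW Application Support directory under both /Library and each user's ~/Library, since the write-up gives both, and for launchd plists that mention JavaW. Assumptions: the LaunchAgents/LaunchDaemons locations and the plist file name are not given on the page (any plist there that references JavaW is reported), and demo() builds a constructed sample tree rather than reading a real system.

```python
import shutil
import tempfile
from pathlib import Path

# From the write-up: the dropper unpacks into Library/Application Support/JavaW
# and writes a .plist for autostart. LaunchAgents/LaunchDaemons are the usual
# launchd autostart directories (assumption: the page does not name the plist).
DROP_DIR = Path("Library/Application Support/JavaW")
LAUNCHD_DIRS = ("Library/LaunchAgents", "Library/LaunchDaemons")


def _bases(root: Path):
    """Yield the system root and every home directory below root/Users."""
    yield root
    users = root / "Users"
    if users.is_dir():
        yield from (h for h in sorted(users.iterdir()) if h.is_dir())


def find_iworm_artifacts(root: Path = Path("/")) -> list:
    """Return (kind, path) for JavaW drop directories and launchd plists referencing JavaW."""
    findings = []
    for base in _bases(root):
        drop = base / DROP_DIR
        if drop.exists():
            findings.append(("drop dir", drop))
        for sub in LAUNCHD_DIRS:
            ldir = base / sub
            if not ldir.is_dir():
                continue
            for plist in sorted(ldir.glob("*.plist")):
                try:
                    # strings stay readable in both XML and binary plists
                    text = plist.read_text(errors="ignore")
                except OSError:
                    continue
                if "JavaW" in text:
                    findings.append(("launchd plist", plist))
    return findings


def demo() -> list:
    """Scan a constructed temporary tree (not a real system) and return relative findings."""
    root = Path(tempfile.mkdtemp(prefix="iworm-demo-"))
    try:
        drop = root / "Users" / "alice" / DROP_DIR
        drop.mkdir(parents=True)
        (drop / "javaw").write_bytes(b"\xcf\xfa\xed\xfe")  # Mach-O magic only; constructed stand-in
        agents = root / "Users" / "alice" / "Library" / "LaunchAgents"
        agents.mkdir(parents=True)
        # hypothetical file name; the page does not name the plist
        (agents / "com.javaw.plist").write_text(
            '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n'
            "<key>ProgramArguments</key><array>"
            "<string>/Users/alice/Library/Application Support/JavaW/javaw</string></array>\n"
            "<key>RunAtLoad</key><true/>\n</dict></plist>\n"
        )
        benign = root / "Library" / "LaunchAgents"
        benign.mkdir(parents=True)
        (benign / "com.example.updater.plist").write_text('<plist version="1.0"><dict/></plist>\n')
        return [(kind, p.relative_to(root).as_posix()) for kind, p in find_iworm_artifacts(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind}: {path}")
```

Running find_iworm_artifacts(Path("/")) on a live Mac needs enough privilege to read other users' home folders; for a compromised machine, scanning a mounted image of its disk from a clean host avoids trusting the infected system's own filesystem view.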
Once a Mac has been infected, the malware opens a connection to a C&C server. The backdoor can then receive instructions to perform a variety of tasks, such as stealing confidential information, downloading and running other malware, changing its configuration data, or putting the system to sleep.
Mac.BackDoor.iWorm is also likely to be used to send spam, mine bitcoins, or flood websites with traffic. Among the infected countries, the United States ranks first with 4,610 systems (26.1% of the total), followed by Canada with 1,235 systems (7%) and the United Kingdom with 1,227 systems (6.9%).