{"id":32272,"date":"2014-10-02T16:31:08","date_gmt":"2014-10-02T23:31:08","guid":{"rendered":"http:\/\/www.intego.com\/mac-security-blog\/?p=32272"},"modified":"2015-02-03T13:47:18","modified_gmt":"2015-02-03T21:47:18","slug":"iworm-botnet-uses-reddit-as-command-and-control-center","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/iworm-botnet-uses-reddit-as-command-and-control-center\/","title":{"rendered":"iWorm Botnet Uses Reddit as Command and Control Center"},"content":{"rendered":"

\"infected-laptop-blog-header\"<\/p>\n

A new day, and a new threat to Mac OS X. Virus hunters have discovered a sophisticated botnet targeting\u00a0Mac OS X\u00a0computers and using a novel technique to operate. The malware has infected about 18,500 Macs, according to recent statistical analysis<\/a>.<\/p>\n

The Mac malware, called iWorm, uses a complex multi-purpose backdoor, through which criminals can issue commands that get the malicious program to carry out a wide range of instructions on the infected Macs.<\/p>\n

According to researchers, the backdoor makes extensive use of encryption in its routes. It is capable of discovering what other software is installed on the infected machine and sending out information about it (operating system), opening a port on it, downloading additional files, relaying traffic, and sending a query to a web server to acquire the addresses of the C&C servers, essentially turning your Mac into a zombie.<\/p>\n

Installing iWorm<\/h3>\n

During installation, the malware first installs a backdoor into the directory \/Library\/Application Support\/JavaW, after which the dropper generates a p-list file, so that the backdoor is launched automatically. Furthermore, it disguises itself as the application com.JavaW and sets itself to autostart via \/Library\/LaunchDaemons\/.<\/p>\n

\"com.JavaW\"<\/a><\/p>\n

Analysis indicates that the malware begins to seed itself into your Mac upon initial launch, saving its configuration data in a separate file and attempts to read the contents of the \/Library directory to determine which of the installed applications the malware won\u2019t be interacting with. If the bot cannot find \u2018unwanted\u2019 directories, according to reports, it uses system queries to determine the home directory of the Mac OS X account under which it is running, checks the availability of its configuration file in the directory, and writes the data needed for it to continue to operate into the file.<\/p>\n

How Reddit.com played its part<\/h3>\n

Many types of malware use command and control servers that they connect to, in order to get instructions from the creators of the malware. The problem with using these servers is that their IP addresses are specified in the malware code, and the servers can generally be taken down.<\/p>\n

What\u2019s particularly interesting about iWorm is that\u00a0the botnet uses a novel technique to operate: it uses reddit.com. Infected Macs receive commands from servers under the control of cybercriminals, using information posted in messages on Reddit in order to acquire a control server address list:<\/p>\n

Then Mac.BackDoor.iWorm opens a port on an infected computer and awaits an incoming connection. It sends a request to a remote site to acquire a list of control servers, and then connects to the remote servers and waits for instructions.<\/p>\n

Interestingly, in order to acquire a control server address list, the bot uses the search service at reddit.com. It sends a search query that specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date. The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd.<\/p><\/blockquote>\n

\"iWork<\/a><\/p>\n

The bot picks a random server from the 29 addresses on the list and sends queries to each of them. Search requests to acquire the list are sent to reddit.com in 5-minute intervals, according to Dr. Web\u2019s report<\/a>.<\/p>\n

While establishing a connection to the server whose address is picked from the list using a special routine, the backdoor attempts to determine whether the server address is on the exceptions list and engages in a data exchange with the server to employ special routines for authenticating the remote host. If successful, the backdoor sends the server information about the open port on the infected machine and its unique ID and awaits directives.<\/p><\/blockquote>\n

It\u2019s important to note that Reddit is not directly at fault, and it appears that reddit.com\/r\/minecraftserverlists has been shut down. (Intego malware researchers are unable to get persistent files on their systems due to the page being shut down.) If that is the only source criminals are using for the C&C, then they\u2019re dead in the water.<\/p>\n

However, as Graham Cluley noted on his blog<\/a>, there is nothing to stop the hackers from using an alternative service, such as Twitter, to communicate with the Mac botnet. Graham\u00a0wrote:<\/p>\n

And it\u2019s important to stress that Reddit isn\u2019t spreading the infection \u2013 it\u2019s simply providing a platform that is helping the botmasters communicate with the Mac computers they have managed to infect.<\/p><\/blockquote>\n

Information collected by Doctor Web\u2019s researchers shows that most of the infected Macs\u20144,610, representing 26.1% of the botnet\u2014reside in the United States. Canada ranks second, and the United Kingdom ranks third in terms of infected Macs.<\/p>\n

\"iWorm<\/a><\/p>\n

How to check if you are infected<\/h3>\n

According to research, the iWorm botnet installs itself to the following two locations:<\/p>\n

\/Library\/Application Support\/JavaW\r\n\/Library\/LaunchDaemons<\/pre>\n
To check to see if you are infected, open the Finder window and select the Go menu, and then choose \u201cGo to Folder.\u201d<\/p>\n
\"Go<\/p>\n
Copy and past the following into the window that opens:<\/p>\n
\/Library\/Application Support\/JavaW<\/strong><\/p>\n
Then, click the Go button. If the window displays the message, \u201cThe folder can\u2019t be found,\u201d in the bottom left corner, then you should be safe.<\/p>\n
\"go<\/a><\/p>\n
However, as mentioned by Thomas Reed over at The Safe Mac<\/a>, if a Finder window opens showing the contents of this folder, then you are infected.<\/p>\n
Stay a step ahead<\/h3>\n
If after running the test above you find that you are not infected, you can take precautionary steps that enable you to receive a pop-up alert if a new item gets added to any of the locations that the iWorm malware installs itself to.<\/p>\n
To do so, open the Finder, choose Go to Folder from the Go menu, and then copy and paste the following path into the window that pops up:<\/p>\n
\/Library\/LaunchDaemons<\/strong><\/p>\n
Then, click the Go button.<\/p>\n
You will be taken to the LaunchDaemons folder; right-click on the folder, and choose Folder Actions Setup.<\/p>\n
\"Folder<\/p>\n
Choose the script \u201cadd \u2013 new item alert.scpt\u201d and click the Attach button.<\/p>\n
Then, select the checkbox to Enable Folder Actions.<\/p>\n
\"Enable<\/a><\/p>\n
If possible, repeat these steps for \/Library\/Application Support\/JavaW.<\/p>\n
Now, if a new item gets added to any of these locations, you will get a pop-up alert. Note that when adding alerts to the folders, not every file added\u00a0is an indication of iWorm or malware in general. You need\u00a0to inspect the file and see if there’s any references to JavaW.\u00a0<\/span><\/p>\n
If after inspecting the file you come to find a reference to JavaW, take immediate measures to eradicate the malware.<\/p>\n
How to eradicate iWorm malware<\/h3>\n
As the Mac security threat landscape evolves, it\u2019s ever so important to protect your computer using a layered approach to security. Yes, Macs get malware, so you should invest in Mac anti-virus<\/a><\/strong> software to protect your computer. In fact, it\u2019s a good idea to get anti-virus and a firewall, as a layered defense will protect you much more effectively than any one layer by itself.<\/p>\n
Intego VirusBarrier<\/a>\u00a0with up-to-date virus definitions detects and eradicates this\u00a0malware, which it identifies as OSX\/iWorm<\/strong>.<\/p>\n","protected":false},"excerpt":{"rendered":"
A new day, and a new threat to Mac OS X. Virus hunters have discovered a sophisticated botnet targeting\u00a0Mac OS X\u00a0computers and using a novel technique to operate. The malware has infected about 18,500 Macs, according to recent statistical analysis. The Mac malware, called iWorm, uses a complex multi-purpose backdoor, through which criminals can issue […]<\/p>\n","protected":false},"author":4,"featured_media":13987,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190,151,5],"tags":[30,505,1492,174,80,1498,86,1495,1501],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\t\n\t\n\t\n