Malware + Recommended + Security News

iWorm Botnet Uses Reddit as Command and Control Center

Posted on October 2nd, 2014 by

infected-laptop-blog-header

A new day, and a new threat to Mac OS X. Virus hunters have discovered a sophisticated botnet targeting Mac OS X computers and using a novel technique to operate. The malware has infected about 18,500 Macs, according to recent statistical analysis.

The Mac malware, called iWorm, uses a complex multi-purpose backdoor, through which criminals can issue commands that get the malicious program to carry out a wide range of instructions on the infected Macs.

According to researchers, the backdoor makes extensive use of encryption in its routes. It is capable of discovering what other software is installed on the infected machine and sending out information about it (operating system), opening a port on it, downloading additional files, relaying traffic, and sending a query to a web server to acquire the addresses of the C&C servers, essentially turning your Mac into a zombie.

Installing iWorm

During installation, the malware first installs a backdoor into the directory /Library/Application Support/JavaW, after which the dropper generates a p-list file, so that the backdoor is launched automatically. Furthermore, it disguises itself as the application com.JavaW and sets itself to autostart via /Library/LaunchDaemons/.

com.JavaW

Analysis indicates that the malware begins to seed itself into your Mac upon initial launch, saving its configuration data in a separate file and attempts to read the contents of the /Library directory to determine which of the installed applications the malware won’t be interacting with. If the bot cannot find ‘unwanted’ directories, according to reports, it uses system queries to determine the home directory of the Mac OS X account under which it is running, checks the availability of its configuration file in the directory, and writes the data needed for it to continue to operate into the file.

How Reddit.com played its part

Many types of malware use command and control servers that they connect to, in order to get instructions from the creators of the malware. The problem with using these servers is that their IP addresses are specified in the malware code, and the servers can generally be taken down.

What’s particularly interesting about iWorm is that the botnet uses a novel technique to operate: it uses reddit.com. Infected Macs receive commands from servers under the control of cybercriminals, using information posted in messages on Reddit in order to acquire a control server address list:

Then Mac.BackDoor.iWorm opens a port on an infected computer and awaits an incoming connection. It sends a request to a remote site to acquire a list of control servers, and then connects to the remote servers and waits for instructions.

Interestingly, in order to acquire a control server address list, the bot uses the search service at reddit.com. It sends a search query that specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date. The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd.

iWork Malware uses Reddit.com

The bot picks a random server from the 29 addresses on the list and sends queries to each of them. Search requests to acquire the list are sent to reddit.com in 5-minute intervals, according to Dr. Web’s report.

While establishing a connection to the server whose address is picked from the list using a special routine, the backdoor attempts to determine whether the server address is on the exceptions list and engages in a data exchange with the server to employ special routines for authenticating the remote host. If successful, the backdoor sends the server information about the open port on the infected machine and its unique ID and awaits directives.

It’s important to note that Reddit is not directly at fault, and it appears that reddit.com/r/minecraftserverlists has been shut down. (Intego malware researchers are unable to get persistent files on their systems due to the page being shut down.) If that is the only source criminals are using for the C&C, then they’re dead in the water.

However, as Graham Cluley noted on his blog, there is nothing to stop the hackers from using an alternative service, such as Twitter, to communicate with the Mac botnet. Graham wrote:

And it’s important to stress that Reddit isn’t spreading the infection – it’s simply providing a platform that is helping the botmasters communicate with the Mac computers they have managed to infect.

Information collected by Doctor Web’s researchers shows that most of the infected Macs—4,610, representing 26.1% of the botnet—reside in the United States. Canada ranks second, and the United Kingdom ranks third in terms of infected Macs.

iWorm global infection

How to check if you are infected

According to research, the iWorm botnet installs itself to the following two locations:

/Library/Application Support/JavaW
/Library/LaunchDaemons

To check to see if you are infected, open the Finder window and select the Go menu, and then choose “Go to Folder.”

Go to Folder

Copy and past the following into the window that opens:

/Library/Application Support/JavaW

Then, click the Go button. If the window displays the message, “The folder can’t be found,” in the bottom left corner, then you should be safe.

go to JavaW folder

However, as mentioned by Thomas Reed over at The Safe Mac, if a Finder window opens showing the contents of this folder, then you are infected.

Stay a step ahead

If after running the test above you find that you are not infected, you can take precautionary steps that enable you to receive a pop-up alert if a new item gets added to any of the locations that the iWorm malware installs itself to.

To do so, open the Finder, choose Go to Folder from the Go menu, and then copy and paste the following path into the window that pops up:

/Library/LaunchDaemons

Then, click the Go button.

You will be taken to the LaunchDaemons folder; right-click on the folder, and choose Folder Actions Setup.

Folder Actions Setup

Choose the script “add – new item alert.scpt” and click the Attach button.

Then, select the checkbox to Enable Folder Actions.

Enable Folder Actions

If possible, repeat these steps for /Library/Application Support/JavaW.

Now, if a new item gets added to any of these locations, you will get a pop-up alert. Note that when adding alerts to the folders, not every file added is an indication of iWorm or malware in general. You need to inspect the file and see if there's any references to JavaW. 

If after inspecting the file you come to find a reference to JavaW, take immediate measures to eradicate the malware.

How to eradicate iWorm malware

As the Mac security threat landscape evolves, it’s ever so important to protect your computer using a layered approach to security. Yes, Macs get malware, so you should invest in Mac anti-virus software to protect your computer. In fact, it’s a good idea to get anti-virus and a firewall, as a layered defense will protect you much more effectively than any one layer by itself.

Intego VirusBarrier with up-to-date virus definitions detects and eradicates this malware, which it identifies as OSX/iWorm.

  • Jay

    It also leaves a file in /private/var/root/.JavaW as the directory is restricted so far not a single AV in my test has picked up on that file. Not sure if it helps the persistence of iWorm but if it does, hiding in that directory will beat all AV.

  • LyingIdle

    Have you identified how this worm is spreading? Is it using some exploit or do users need to download and install an infected package?

  • |k|

    I have this. How do I get rid of it? I deleted those two files, but it’s still here. I don’t even use reddit.

Sign up For Our Newsletter

Get the latest Mac security news direct to your inbox.

{"url":"\/marketo\/json\/add-to-newsletter","data":"list_name=Blog Roadblock"}