Posted on 10/03/2014 1:10:51 AM PDT by Swordmaker
New malware targeting Mac machines, opening backdoors on them and roping them into a botnet currently numbering around 17,000 zombies has been spotted and analyzed by malware researchers of Russian AV company Dr. Web.
The malware, dubbed Mac.BackDoor.iWorm, targets computers running OS X and makes extensive use of encryption in its routines, the researchers noted.
What's even more interesting is that it gets the IP address of a valid command and control (C&C) server from a post on popular news site Reddit.
Unfortunately, the researchers didn't mention how the malware spreads, but they shared that it is unpacked into the /Library/Application Support/JavaW directory, poses as the application com.JavaW, and sets itself to autostart.
The malware is capable of discovering what other software is installed on the machine, opening a port on it, and sending a query to a web server to acquire the addresses of the C&C servers.
The query it sends out is determined by the current date, whose value in days is calculated in a specific manner, and that value is hashed. The first 8 bytes of the MD5 hash value from the current date are included in the query and sent to Reddit's web server/website.
"The reddit.com search returns a web page containing the list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists (op.a. the subreddit of the same name) under the account vtnhiaovyd," the researchers noted. That particular account (and its posts) has since been deleted.
Once the backdoor successfully authenticates itself to one of the C&C servers, it sends to it information about the open port on the infected machine and its unique ID, and awaits instructions.
The malware is capable of many things. Apart from opening a backdoor, it can send out information about the machine (OS, open port) and itself (version, UID, uptime) to the server, connect to other servers, relay traffic, add or ban nodes (by IP), download additional files and execute system instructions.
Ultimately, a botnet of computers infected with iWorm can be used for a variety of attacks: DDoS, spam, information theft. The researchers didn't mention what the botnet is doing now, so I guess the botmasters are currently concentrated on growing it.
A little over one quarter of currently infected machines are located in the US, 7 percent in Canada, another 7 percent in the UK, and the rest are in Europe, Australia, the Russian Federation, Brazil and Mexico.
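The article names two host-side indicators: the unpack directory /Library/Application Support/JavaW and the com.JavaW identifier the malware registers for autostart. The script below is an added example (not from the article, Dr. Web, or any poster here) that checks a machine for those two artifacts without modifying anything. The article does not say how autostart is achieved, so the launchd plist search is an assumption based on the usual OS X mechanism; the optional root prefix and the `--demo`/`--scan` switches are likewise this example's own conventions, and the demo tree it builds is constructed, not a real infection.

```shell
#!/bin/sh
# Added example, not from the article or Dr. Web: a read-only host check for
# the on-disk indicators the article names. Prints each hit, then a summary
# line, and returns 0 for clean / 1 when any indicator is present.
# Argument 1 (optional) is a root prefix so the check can be pointed at a
# mounted volume or a constructed test tree; default is the live system.

iworm_check() {
  root="${1:-}"
  hits=0

  # Indicator 1 (from the article): the directory the malware unpacks into.
  if [ -d "$root/Library/Application Support/JavaW" ]; then
    echo "HIT: directory '$root/Library/Application Support/JavaW' exists"
    hits=$((hits + 1))
  fi

  # Indicator 2 (assumption): the article only says the malware "sets itself
  # to autostart". launchd property lists are the usual OS X mechanism, so
  # look for any .plist in the standard launch directories that names the
  # com.JavaW identifier the article gives.
  for dir in "$root/Library/LaunchAgents" \
             "$root/Library/LaunchDaemons" \
             "$root"/Users/*/Library/LaunchAgents; do
    [ -d "$dir" ] || continue
    for plist in "$dir"/*.plist; do
      [ -f "$plist" ] || continue
      if grep -q 'com\.JavaW' "$plist"; then
        echo "HIT: launchd plist '$plist' references com.JavaW"
        hits=$((hits + 1))
      fi
    done
  done

  echo "indicators found: $hits"
  [ "$hits" -eq 0 ] && return 0
  return 1
}

# Constructed demo tree (not a real infection): builds both indicators in a
# temporary directory, runs the check against it, then cleans up.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/Library/Application Support/JavaW" "$tmp/Library/LaunchAgents"
  printf '<plist><dict><key>Label</key><string>com.JavaW</string></dict></plist>\n' \
    > "$tmp/Library/LaunchAgents/com.JavaW.plist"
  iworm_check "$tmp"
  status=$?
  rm -rf "$tmp"
  return "$status"
}

# Usage: sh iworm_check.sh --demo          (run against the constructed tree)
#        sh iworm_check.sh --scan [ROOT]   (check the live system or a prefix)
case "${1:-}" in
  --demo) demo ;;
  --scan) iworm_check "${2:-}" ;;
esac
```

Running it with `--scan` on a clean machine prints `indicators found: 0` and exits 0, which matches what posters below report after looking for the JavaW folder; the `--demo` run shows what two hits look like. Absence of both artifacts is only evidence against this particular sample's install path, not proof a machine is clean.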
If you want on or off the Mac Ping List, Freepmail me.
Damn autospelling... Bonnet = Botnet
It does look pretty sketchy, in that I currently have Oracle Java installed (v 8.0) and there is no /Library/Application Support/JavaW folder...
They wait long enough that stories about Mac "botnets" are but a memory, and they come out with a new one. They have to make a splash from time to time.
This story -might- be true of course -- and we -might- have space aliens in the downtown restaurant, too -- but I'm at least as skeptical as you are.
Let's see if anything comes of this, and remember the outcome for the next time Dr. Web makes up another story.
Just checked my Mac, none here either
I’d like to see what the attack vector is for this. Is it a trojan? A virus? Does it take user assistance to make it work?
Meet Dr. Web.