OS X has proven to be quite popular with Apple enthusiasts. However, a piece of malware called “Mac.BackDoor.iWorm” has hacked its way into nearly 17,000 Macs, wreaking havoc as it slithers through the computers and allowing hackers to control them.
Mac.BackDoor.iWorm was discovered by Dr. Web, a Russian security company. It is currently unknown how the worm spreads between Macs, but it is known that the program attempts to make a connection to a command server. To find one, the worm uses Reddit’s search function to pinpoint comments left by the criminal hackers. The comments are currently contained in a Minecraft discussion thread. Below is a screenshot of an example of the Reddit post.
Once the comments are found in the Minecraft subreddit, Mac.BackDoor.iWorm will attempt to connect to one of the server addresses listed in the comment. Once a connection is established, the hackers are able to send commands to the infected computers.
The resulting botnet is most likely used to send spam emails, flood websites with traffic, or mine bitcoins, along with other nefarious tasks. So far, around 17,000 Macs are known to be infected. With no current idea of how the worm spreads, it is unknown how many more infected machines are waiting to be discovered. Many of the infected Macs are in the United States, with Canada and the United Kingdom nearly tied for second place.
Dr. Web, the antivirus vendor, posted about the worm on its website.
“Criminals developed this malware using C++ and Lua. It should also be noted that the backdoor makes extensive use of encryption in its routines. During installation it is extracted into /Library/Application Support/JavaW, after which the dropper generates a p-list file so that the backdoor is launched automatically.”
They go on to explain,
“When Mac.BackDoor.iWorm is initially launched, it saves its configuration data in a separate file and tries to read the contents of the /Library directory to determine which of the installed applications the malware won’t be interacting with. If ‘unwanted’ directories can’t be found, the bot uses system queries to determine the home directory of the Mac OS X account under which it is running, checks the availability of its configuration file in the directory, and writes the data needed for it to continue to operate into the file.”
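The two Dr. Web quotes above give a defender two host artifacts to look for: a payload directory under /Library/Application Support/JavaW and a launch plist that starts it. The script below is an added example, not code from the article or from Dr. Web; it scans the standard launch-item folders for any plist whose program path references that directory. The plist folders (LaunchAgents/LaunchDaemons), the ProgramArguments/Program keys and the sample plist names are assumptions, since the article only says that a plist is written.

```python
"""Added example (not from the article or Dr. Web): hunt for the iWorm
persistence artifacts described in the write-up. The plist folders and key
layout are assumptions; the payload path is the one the article quotes."""
import os
import plistlib
import tempfile
from typing import List

PAYLOAD_DIR = "/Library/Application Support/JavaW"   # path quoted from the Dr. Web write-up


def plist_references_path(plist_path: str, needle: str) -> bool:
    """True if any string in the plist's Program/ProgramArguments contains needle."""
    try:
        with open(plist_path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception:          # unreadable or non-plist file: not a hit
        return False
    candidates: List[str] = []
    prog = data.get("Program")
    if isinstance(prog, str):
        candidates.append(prog)
    args = data.get("ProgramArguments")
    if isinstance(args, list):
        candidates.extend(a for a in args if isinstance(a, str))
    return any(needle in c for c in candidates)


def find_suspicious_launch_items(root: str, needle: str = "JavaW") -> List[str]:
    """Scan launch-item folders under root for plists that launch the payload path.
    root is '/' on a live Mac; the self-test passes a throwaway directory."""
    folders = ["Library/LaunchAgents", "Library/LaunchDaemons"]   # assumed locations
    hits = []
    for folder in folders:
        d = os.path.join(root, folder)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".plist"):
                p = os.path.join(d, name)
                if plist_references_path(p, needle):
                    hits.append(p)
    return hits


def build_demo_tree() -> str:
    """Construct a temp tree with one benign and one suspicious launch plist (constructed sample data)."""
    root = tempfile.mkdtemp()
    d = os.path.join(root, "Library", "LaunchDaemons")
    os.makedirs(d)
    with open(os.path.join(d, "com.example.benign.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.benign",
                       "ProgramArguments": ["/usr/local/bin/backup", "--daily"]}, fh)
    # The label/file name below is constructed for the demo, not a known indicator.
    with open(os.path.join(d, "com.JavaW.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.JavaW",
                       "ProgramArguments": [PAYLOAD_DIR + "/JavaW"],
                       "RunAtLoad": True}, fh)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for hit in find_suspicious_launch_items(demo_root):
        print("launch item references the JavaW payload:", hit)
    if os.path.isdir(PAYLOAD_DIR):
        print("payload directory present on this host:", PAYLOAD_DIR)
```

On a live system call find_suspicious_launch_items("/") and also check the user's ~/Library/LaunchAgents; the demo tree exists only so the logic can be exercised without touching the real /Library.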
Finally, they explain how it communicates beyond the Mac.
“Then Mac.BackDoor.iWorm opens a port on an infected computer and awaits an incoming connection. It sends a request to a remote site to acquire a list of control servers, and then connects to the remote servers and waits for instructions. It is worth mentioning that in order to acquire a control server address list, the bot uses the search service at reddit.com, and—as a search query—specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date. The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd.”
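The rendezvous scheme quoted above is itself a detection opportunity: because the search term is derived only from the date, a defender can precompute the day's expected token and look for it in web-proxy logs. The script below is an added example, not code from the article or from Dr. Web. The article does not say how the bot renders "the current date" before hashing it, so the date formats tried here are assumptions (several candidates are checked, plus a day of slack for clock skew); the log lines are constructed sample data.

```python
"""Added example (not from the article or Dr. Web): compute the daily reddit.com
search token the write-up describes (hex of the first 8 bytes of MD5(current date))
and flag proxy-log lines that query it. Date formats are assumptions."""
import hashlib
import re
from datetime import date, timedelta
from typing import Dict, List

# Candidate renderings of the date; the article does not say which one is used (assumption).
DATE_FORMATS = ["%Y-%m-%d", "%d/%m/%Y", "%m/%d/%Y", "%Y%m%d"]


def rendezvous_token(day: date, fmt: str) -> str:
    """Hex of the first 8 bytes (16 hex chars) of the MD5 of the date rendered with fmt."""
    digest = hashlib.md5(day.strftime(fmt).encode()).digest()
    return digest[:8].hex()


def expected_tokens(day: date, slack_days: int = 1) -> Dict[str, str]:
    """Tokens for day +/- slack_days under every candidate format, mapped to an explanation."""
    out: Dict[str, str] = {}
    for delta in range(-slack_days, slack_days + 1):
        d = day + timedelta(days=delta)
        for fmt in DATE_FORMATS:
            out[rendezvous_token(d, fmt)] = f"{d.isoformat()} via {fmt}"
    return out


# Matches a reddit search whose q= value is exactly 16 hex characters.
SEARCH_RE = re.compile(r"reddit\.com/search\S*[?&]q=([0-9a-f]{16})\b", re.I)


def find_rendezvous_lookups(log_lines: List[str], day: date) -> List[dict]:
    """Return proxy-log lines whose reddit search query equals an expected daily token."""
    tokens = expected_tokens(day)
    hits = []
    for line in log_lines:
        m = SEARCH_RE.search(line)
        if not m:
            continue
        tok = m.group(1).lower()
        if tok in tokens:
            hits.append({"line": line, "token": tok, "why": tokens[tok]})
    return hits


# Constructed sample proxy log lines (not real traffic); 10.0.0.7 performs the lookup.
DEMO_DAY = date(2014, 10, 3)
DEMO_LOG = [
    "10.0.0.5 GET http://www.reddit.com/r/minecraft/ 200",
    f"10.0.0.7 GET http://www.reddit.com/search?q={rendezvous_token(DEMO_DAY, '%Y-%m-%d')} 200",
    "10.0.0.9 GET http://www.reddit.com/search?q=minecraft+server+list 200",
    "10.0.0.9 GET http://www.reddit.com/search?q=0123456789abcdef 200",
]

if __name__ == "__main__":
    for h in find_rendezvous_lookups(DEMO_LOG, DEMO_DAY):
        print("possible iWorm rendezvous lookup:", h["line"], "->", h["why"])
```

A 16-hex-character search term on reddit.com is unusual on its own; matching it against the precomputed token for the day turns that oddity into a specific, low-noise alert.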
A common misconception among novice Mac users is that they are not vulnerable to viruses. However, with the increased use of these devices, more and more hackers are attempting to exploit any holes they can find in the magnificent Apple machines.
[Photo Courtesy: Life Hack]