New OS X backdoor malware roping Macs into botnet

New malware targeting Mac machines, opening backdoors on them and roping them into a botnet currently numbering around 17,000 zombies has been spotted and analyzed by malware researchers of Russian AV company Dr. Web.

The malware, dubbed Mac.BackDoor.iWorm, targets computers running OS X and makes extensive use of encryption in its routines, the researchers noted.

What’s even more interesting is that it gets the IP address of a valid command and control (C&C) server from a post on popular news site Reddit.

Unfortunately, the researchers didn’t mention how the malware spreads, but they shared that it is unpacked into the /Library/Application Support/JavaW directory, poses as the application com.JavaW, and sets itself to autostart.

The malware is capable of discovering what other software is installed on the machine, opening a port on it, and sending a query to a web server to acquire the addresses of the C&C servers.

The query it sends out is determined by the current date whose value in days is calculated in a specific manner, and that value is hashed. The first 8 bytes of the MD5 hash value from the current date is included in the query and sent to Reddit’s web server/website.

“The search returns a web page containing the list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists (op.a. the subreddit of the same name) under the account vtnhiaovyd,” the researchers noted. That particular account (and its posts) has since been deleted.

Once the backdoor successfully authenticates itself to one of the C&C servers, it sends to it information about the open port on the infected machine and its unique ID, and awaits instructions.

The malware is capable of many things. Apart from opening a backdoor, it can send out information about the machine (OS, open port) and itself (version, UID, uptime) to the server, connect to other servers, relay traffic, add or ban nodes (by IP), download additional files and execute system instructions.

Ultimately, a botnet of computers infected with iWorm can be used for a variety of attacks: DDoS, spam, information theft. The researchers didn’t mention what the botnet is doing now, so I guess the botmasters are currently concentrated on growing it.

A little over one quarter of currently infected machines are located in the US, 7 percent in Canada, another 7 percent in the UK, and the rest is in Europe, Australia, the Russian Federation, Brazil and Mexico.

UPDATE, 3 October, 15:00 PM CET According to Dr. Web researchers, the malware’s propagation method is unknown. They received the sample from VirusTotal, and the code does not contain any indication that it’s self-replicating.

The botnet is currently dormant, as all the Reddit comments containing the C&C servers’ IP addresses have been deleted.