New OS X Botnet

Tuesday, October 7, 2014 @ 10:10 PM gHale

In a move to get further instructions, malware hitting Mac systems uses’s search service to access a list of command and control (C&C) servers.

Attackers published the IP addresses and connection ports in comments on Reddit. After infecting the computer, the threat runs a search query on the user-powered news website, derived from the current date.

Mitigations for DDoS Toolkit Attacks
New Wave DDoS Attacks
Oil & Gas Firm Attacked
Middle East Petrochem Firms Targeted

The search string ends up carefully masked and consists of the hexadecimal values of the first eight bytes from the MD5 hash of the current date, researchers said.

This new botnet formed in September, while researchers at Russian antivirus vendor Doctor Web were investigating new threats for machines running on OS X.

Based on their telemetry data, the malware detected by their product as Mac.BackDoor.iWorm, managed to infect plenty of systems, statistics showing over 17,000 unique IP addresses associated with infected systems.

The country seeing most infections is the United States, where more than 4,500 (26.1 percent) of compromised computers ended up recorded. Canada and the United Kingdom have about 1,230 IP addresses each from machines associated with the malware.

Researchers said the malware authors used C++ and Lua to develop the threat and implement encryption capabilities in its routines.

It appears the C&C server IPs ended up posted by the owner of the account “vtnhiaovyd” and is available for the post “minecraftserverlists,” thus clearing any suspicion the addresses serve for malicious purposes.

“The bot picks a random server from the first 29 addresses on the list and sends queries to each of them. Search requests to acquire the list are sent to in five-minute intervals,” Doctor Web researchers said in a blog post.

As a protection measure, after establishing contact with a C&C server, the malware runs an authentication routine. Only if the remote machine ends up validated will the bot deliver the data about the compromised computer.

According to the antivirus company, iWorm uses Lua scripts to retrieve the type of the operating system, the bot version, and UID, download files, open a socket for an inbound connection and run the commands received, ban nodes by IP, execute system instructions or a nested Lua script.

Having the ability to download and execute files and commands, iWorm could end up leveraged for a wide range of attacks, from stealing information available on the system or sending out spam to using it to conduct distributed denial-of-service attacks (DDoS).

Leave a Reply

You must be logged in to post a comment.