
MAC BOTNET uses REDDIT comments for directions

17,000 Macs compromised by malicious miscreants

A zombie network that feasts on the computer brains of infected Macs has press-ganged 17,000 compromised machines into its ranks, Russian anti-virus firm Dr Web warns.

The iWorm malware creates a backdoor on machines running OS X. Its operators use messages posted on Reddit as a navigational aid that points infected machines towards command-and-control servers.

Compromised machines phone home to these command nodes to get instructions on what to do. Dr Web has more detail on the mechanism in an advisory (extract below).

To acquire a control server address list, the bot uses the search service at reddit.com, and — as a search query — specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date. The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd.
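The lookup described above gives a defender a deterministic value to watch for in proxy logs: any reddit.com search whose query is the hex of the first 8 bytes of MD5(current date). The script below is an added example, not code from Dr Web or The Register; it assumes the date is serialised as YYYY-MM-DD (the extract does not give the exact format), uses a constructed proxy log format with hypothetical IPs, and checks a +/-1 day window so a bot with a skewed clock is still caught.

```python
import hashlib
from datetime import date, timedelta
from urllib.parse import urlparse, parse_qs

def daily_token(day: date) -> str:
    """Hex of the first 8 bytes of MD5(date): the value the bot searches reddit.com for.
    Assumption: date serialised as YYYY-MM-DD (format not stated on the page)."""
    return hashlib.md5(day.isoformat().encode()).digest()[:8].hex()

def candidate_tokens(day: date, window: int = 1) -> set:
    """Tokens for day +/- window days, to tolerate clock skew on the infected host."""
    return {daily_token(day + timedelta(days=d)) for d in range(-window, window + 1)}

def is_beacon(url: str, tokens: set) -> bool:
    """True if url is a reddit.com search whose q= parameter is one of the tokens."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if not (host == "reddit.com" or host.endswith(".reddit.com")):
        return False
    if not parsed.path.startswith("/search"):
        return False
    return any(q.lower() in tokens for q in parse_qs(parsed.query).get("q", []))

def flag_beacons(log_lines, day: date, window: int = 1):
    """Return (client_ip, url) for each log line that looks like an iWorm C2 lookup.
    Constructed log format: '<timestamp> <client_ip> <method> <url> <status>'."""
    tokens = candidate_tokens(day, window)
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than crash the sweep
        client_ip, url = fields[1], fields[3]
        if is_beacon(url, tokens):
            hits.append((client_ip, url))
    return hits

# Constructed sample proxy log for 2014-10-02 (hypothetical IPs, not from the page).
SAMPLE_DAY = date(2014, 10, 2)
SAMPLE_LOG = [
    f"2014-10-02T08:01:10Z 10.0.0.15 GET https://www.reddit.com/search?q={daily_token(SAMPLE_DAY)} 200",
    "2014-10-02T08:02:31Z 10.0.0.16 GET https://www.reddit.com/search?q=minecraft+servers 200",
    f"2014-10-02T08:03:05Z 10.0.0.17 GET https://www.reddit.com/search?q={daily_token(SAMPLE_DAY - timedelta(days=1))} 200",
    f"2014-10-02T08:04:44Z 10.0.0.18 GET https://example.org/search?q={daily_token(SAMPLE_DAY)} 200",
]

if __name__ == "__main__":
    for ip, url in flag_beacons(SAMPLE_LOG, SAMPLE_DAY):
        print(f"possible iWorm C2 lookup from {ip}: {url}")
```

Host 10.0.0.17 is only flagged because of the one-day window; with window=0 it drops out, which is the trade-off between clock-skew tolerance and noise.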

Even if Reddit shuts down the accounts used to communicate with the botnet, the miscreants behind the malware could easily create new accounts or switch to an alternative web service, such as Twitter.

"Reddit isn’t spreading the infection – it’s simply providing a platform that is helping the botmasters communicate with the Mac computers they have managed to infect," explains veteran security watcher Graham Cluley in a blog post.

The mechanism used by the malware to spread remains undetermined. Its purpose is also unclear. Dr Web researchers estimate most of the victims of the botnet are US-based. The malware has also scalped a significant number of systems in Canada and the UK.

The number of infections attributed to the botnet is significant but nothing like as large as the number of Macs laid low by the notorious Flashback worm, which hit more than 600,000 Mac computers in early 2012. ®
