While it's still unclear exactly how it spreads, a new Mac OS X virus has been discovered using Reddit's search features to connect newly infected computers to servers where the compromised machines await orders on how to proceed.
Russian security firm Dr. Web discovered the malware, Mac.BackDoor.iWorm, while researching current security threats that affect Mac OS X. Dr. Web says it counted 17,000 unique IP address that are now under the spell of the malware and vulnerable to executing whatever commands are sent to them from perpetrators behind the worm.
Dr. Web says the Mac.BackDoor.iWorm malware was written in C++ and Lua. The worm, which encrypts its behaviors, installs to the /Library/Application Support/JavaW directory, which is where users will find the worm if their computer is under attack by it.
Mac.BackDoor.iWorm scours the /Library directory to determine which applications it will avoid and will rewrite permissions for itself in a user account's configuration file. After that, the worm opens a port on the infected computers and waits for an incoming request over the Internet.
Dr. Web says the worm will leverage Reddit's search tool to retrieve a list of command and control servers.
"The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd," states Dr. Web. "The bot picks a random server from the first 29 addresses on the list and sends queries to each of them. Search requests to acquire the list are sent to reddit.com in five-minute intervals."
Dr. Web lists 25 currently known abilities Mac.BackDoor.iWorm has when the malware is up and running on a computer. Some of its abilties include downloading a file, opening a socket for inbound connections, executing commands received from through the connection it opened, banning nodes by IP address, and clearing a list of banned nodes.
The Mac.BackDoor.iWorm malware has emerged just as another security firm found an iOS virus that targeted protesters in China. While Mac OS X virus has taken advantage of Reddit's search feature, security blogger Graham Cluley reminds Apple users not to blame the social news site for being used in the spread of Mac.BackDoor.iWorm.
"This isn't really Reddit's fault, of course," states Cluely. "They've done nothing wrong as such, and even if they shut down the accounts that are communicating with the botnet there would be nothing to stop the hackers behind the campaign creating new accounts or using an alternative service (Twitter, perhaps?) to communicate with the compromised computers."
