Newly Discovered ‘iWorm’ Malware Can Control Macs Via Reddit, More Than 17K Systems Affected

A group of Russian security researchers has discovered a new malware threat to the Apple Mac OS X that has affected thousands of Macs around the world. Hackers can issue commands to allow this malicious software to gather user data and perform various other system actions on the infected machines.

According to Russian security firm Dr.Web, the malware entered its virus database as “Mac.BackDoor.iWorm” in September. The new threat already has had effects on more than 17,000 unique Internet Protocol addresses associated with infected Macs. It is described as “a complex multipurpose backdoor” that can use Reddit’s search functions to perform its task.

“Criminals developed this malware using C++ and Lua,” a post on Dr.Web’s website read. “It should also be noted that the backdoor makes extensive use of encryption in its routines. During installation it is extracted into /Library/Application Support/JavaW, after which the dropper generates a p-list file so that the backdoor is launched automatically.”

After being installed, the iWorm malware creates an operating file, opens a port on an infected Mac, sends a request to a remote site for a list of control servers and then connects to the servers, awaiting further instructions. What is interesting here is the malware’s ability to employ Reddit’s search service in getting a control-server address list. The malware uses Reddit to look for comments left by the criminals in a Minecraft discussion section of the site.

“The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd,” Dr.Web said.

After iWorm connects with a command-and-control server, it can deliver commands via binary data or the Lua programming language. Although the Reddit string has apparently been shut down, the creators of iWorm have likely set up another server list through another search service, which has yet to be discovered, Apple Insider said.

Some 17,658 infected Mac computers were discovered as of Sept. 26, with 4,610 of them in the U.S.