Security researchers from Dr. Web believe they have uncovered a botnet malware campaign that has already infected more than 17,000 Macs worldwide. The Russian research team that spotted it refers to the malware as Mac.BackDoor.iWorm; unfortunately, the team has yet to release details on exactly how the botnet is spreading.
Like any typical botnet infected system, the Macs in question are extremely vulnerable. Those infected could have private information stolen as well as be at risk for further malware infection.
The attackers are using a somewhat unique method of interacting with the botnet and infected computers. The hackers are using Reddit as a navigational tool to pass commands to infected systems:
It is worth mentioning that in order to acquire a control server address list, the bot uses the search service at reddit.com, and — as a search query — specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date. The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd.
Once installed, it will search for pages on Reddit that contain links to command & control servers. Infected machines can then be linked up to each other to be used for various attacks including denial of service and brute force password cracks.
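The rendezvous scheme quoted above, turned into a defender's check (an added example, not code from Dr. Web or from this article): compute the day's search token and flag proxy log entries whose reddit.com search term matches it. Dr. Web's quote does not say how the date string is formatted before hashing, so DATE_FMT is an assumed placeholder, and the log lines are constructed.

```python
import hashlib
import re
from datetime import date, timedelta
from urllib.parse import urlparse, parse_qs

# ASSUMPTION: the report does not give the date string format the bot hashes;
# "%d.%m.%Y" is a placeholder to be replaced once the real format is known.
DATE_FMT = "%d.%m.%Y"

def daily_token(day: date, fmt: str = DATE_FMT) -> str:
    """Hex of the first 8 bytes of MD5(date string): the term the bot searches for."""
    digest = hashlib.md5(day.strftime(fmt).encode("ascii")).digest()
    return digest[:8].hex()  # 16 hex characters

def match_token(query: str, today: date, skew_days: int = 1, fmt: str = DATE_FMT):
    """Return the day offset whose token equals `query` (tolerating clock skew), else None."""
    q = query.strip().lower()
    for offset in range(-skew_days, skew_days + 1):
        if daily_token(today + timedelta(days=offset), fmt) == q:
            return offset
    return None

def reddit_search_hits(log_lines, today: date):
    """Return (client, query, day_offset) for log lines searching reddit.com for a valid token."""
    hits = []
    for line in log_lines:
        m = re.search(r"(https?://(?:www\.)?reddit\.com/search\S*)", line)
        if not m:
            continue
        for q in parse_qs(urlparse(m.group(1)).query).get("q", []):
            offset = match_token(q, today)
            if offset is not None:
                hits.append((line.split()[0], q, offset))
    return hits

TODAY = date(2014, 10, 3)
SAMPLE_LOG = [  # constructed proxy log lines, not real traffic
    f"10.0.0.12 GET http://www.reddit.com/search?q={daily_token(TODAY)}",
    "10.0.0.13 GET http://www.reddit.com/search?q=minecraft+server+list",
    f"10.0.0.14 GET http://reddit.com/search?q={daily_token(TODAY - timedelta(days=1))}",
    "10.0.0.15 GET http://example.com/",
]

if __name__ == "__main__":
    for client, query, offset in reddit_search_hits(SAMPLE_LOG, TODAY):
        print(f"{client} searched for token {query} (day offset {offset:+d})")
```

Only the two hosts querying a valid token are reported; an ordinary search for "minecraft server list" is not.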
Reddit is apparently at no fault here, and shutting down these pages/accounts would simply cause the attackers to move shop or create new ones. While there is no direct indication of how the infection is spreading, reports suggest that this is also not Reddit’s fault. Dr. Web says the US is being hit the hardest with as many as 4,600 infected systems, followed by the UK and Canada.
It seems as though the attacks may hinge on Java tech and are in some way tied to a mystery folder called JavaW. It is highly recommended to search for this folder in order to tell if you have been infected. Unfortunately, there is no direct fix available just yet: you can wipe your Mac and start fresh if you find the evil Java folder; otherwise you may need to wait until further instructions hit the web (not recommended). Additional details can be found at the Dr. Web site.