Friday, 19 August 2022

New Mac Botnet Uses Reddit To Hand out C&C Server IPs


The Mac world had an unsettling wake-up call today as it found out what most people have known for years: Macs are no more secure than any other PC. This wake-up call is not the first of its kind and it is certainly not going to be the last. We just wonder if anyone will actually listen or if Apple PR will continue to claim Macs cannot get malware.

By now you are probably wondering what I am talking about. Well, it seems that someone has discovered a botnet of around 17,000 Mac computers. This is not the first time Macs have been involved in a botnet (this happened in 2009 and 2012) and it is not the largest one that has been identified either. In mid-2012 the Flashback Trojan brought around 600,000 Mac computers under control. Russian security firm Dr. Web is laying claim to the discovery of the latest malware to compromise the Apple line.

Dubbed Mac.BackDoor.iWorm, the new malware is very interesting in the way it communicates and maintains control of the systems involved. According to Dr. Web, the malware uses a subreddit (on Minecraft) to communicate. When a computer is infected, it reaches out to Reddit and uses the search function to find the commands left there. These commands contain the information the new bot needs to talk back to the mother ship (the C&C server). The commands in the subreddit have a listing of server IPs and ports for connection. The bad guys can update these as things change without the need to modify the code installed on the infected system. It is pretty smart, really, even if it is rather clumsy and awkward.
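The lookup-then-connect sequence described above leaves a pattern a defender can hunt for: a host requests Reddit's search page and, shortly afterwards, opens a connection straight to an IP address it never obtained from DNS. The sketch below is an added example, not code from Dr. Web or from this article; the log format, host names, addresses, ports and the 60-second window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the article): time, host, kind, detail.
# Addresses come from the reserved documentation ranges.
SAMPLE_LOG = """\
2014-10-03T10:00:01 mac-017 HTTP www.reddit.com /search?q=constructed-token
2014-10-03T10:00:04 mac-017 TCP 203.0.113.7:1024
2014-10-03T10:01:10 mac-022 HTTP www.reddit.com /search?q=minecraft+mods
2014-10-03T10:01:12 mac-022 DNS i.example.net 198.51.100.20
2014-10-03T10:01:13 mac-022 TCP 198.51.100.20:443
2014-10-03T10:05:00 mac-031 HTTP www.reddit.com /r/minecraft/
2014-10-03T10:05:02 mac-031 TCP 203.0.113.9:8080
2014-10-03T11:30:00 mac-017 TCP 203.0.113.7:1024
"""

def find_dead_drop_candidates(log_text, window=timedelta(seconds=60)):
    """Return (host, ip, port, delay_seconds) for direct-to-IP connections that
    follow a Reddit search request from the same host within `window` and whose
    destination IP that host never received in a DNS answer."""
    last_search = {}  # host -> time of its most recent Reddit search request
    resolved = {}     # host -> set of IPs returned by that host's DNS lookups
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed records
        ts, host, kind = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        if kind == "HTTP" and len(parts) >= 5:
            site, path = parts[3].lower(), parts[4]
            on_reddit = site == "reddit.com" or site.endswith(".reddit.com")
            if on_reddit and path.startswith("/search"):
                last_search[host] = ts
        elif kind == "DNS" and len(parts) >= 5:
            resolved.setdefault(host, set()).add(parts[4])
        elif kind == "TCP":
            ip, _, port = parts[3].rpartition(":")
            seen = last_search.get(host)
            # Flag only connections close in time to the search and not DNS-backed.
            if seen and ts - seen <= window and ip not in resolved.get(host, set()):
                hits.append((host, ip, int(port), (ts - seen).total_seconds()))
    return hits

if __name__ == "__main__":
    for hit in find_dead_drop_candidates(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for triage rather than proof of infection, since ordinary browsing can also produce a search request followed by a direct-to-IP connection.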

No one is quite sure what this botnet is being built for; right now it is not doing anything other than talking back to the command and control servers. It is possible that the people who put this together were waiting for it to be large enough, or that it is simply a proof of concept. Using Reddit to distribute IPs for C&C servers is clever, but might not be the smartest way to maintain anonymity.

This new dent in the Mac armor is an interesting side note in the botnet world, but it is not really a major deal. The biggest thing about this is really the fact that the attackers are using Reddit to send commands and change C&C IPs. Other than that, a 17,000-member idle botnet is sort of small compared to others that are in existence and executing commands. The fact that it is happening to Mac systems through a yet-unknown method does add to the excitement of it, but not significantly so.


Last modified on Friday, 03 October 2014 14:02
