New Mac OS X botnet discovered

September 29, 2014

In September 2014, Doctor Web's security experts researched several new threats to Mac OS X. One of them turned out to be a complex multi-purpose backdoor, which entered the virus database as Mac.BackDoor.iWorm. Criminals can issue commands that make the program carry out a wide range of instructions on infected machines. Statistical analysis indicates that more than 17,000 unique IP addresses are associated with infected Macs.

The criminals developed this malware in C++ and Lua, and the backdoor makes extensive use of encryption in its routines. During installation it is extracted into /Library/Application Support/JavaW, after which the dropper generates a property-list (plist) file so that the backdoor is launched automatically.
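A triage check for the persistence artifacts described above, written as an added example for this page (it is not Doctor Web's code). It assumes only what the text states: the extraction directory /Library/Application Support/JavaW and an auto-launch plist. Since the page does not say where that plist is written, the standard launchd directories are searched for any plist whose Program or ProgramArguments refers to JavaW; the plist file name and executable name used in the demo tree are hypothetical. The scan is rooted at a caller-supplied path so it can be run against a mounted disk image or a test tree rather than the live system.

```python
"""Added example (not Doctor Web's code): look for the Mac.BackDoor.iWorm
persistence artifacts described on the page, rooted at an arbitrary path."""
import os
import plistlib
import shutil
import tempfile

DROP_DIR = "Library/Application Support/JavaW"   # extraction path stated on the page
# ASSUMPTION: the page says a plist is generated for auto-launch but not where,
# so the usual launchd locations (plus every user's LaunchAgents) are scanned.
LAUNCHD_DIRS = [
    "Library/LaunchAgents",
    "Library/LaunchDaemons",
    "System/Library/LaunchDaemons",
]
NEEDLE = b"JavaW"


def _plist_references(path: str, needle: bytes) -> bool:
    """True if the plist's Program/ProgramArguments mention `needle`.
    A malformed plist falls back to a raw byte search instead of being skipped."""
    with open(path, "rb") as fh:
        raw = fh.read()
    try:
        data = plistlib.loads(raw)
        fields = [data.get("Program", "")] + list(data.get("ProgramArguments", []))
        return any(needle.decode() in str(f) for f in fields)
    except Exception:
        return needle in raw


def find_iworm_artifacts(root: str) -> list:
    """Return (kind, path) findings: the drop directory and any launchd plist
    that references it. An empty list means neither artifact was found."""
    findings = []
    drop = os.path.join(root, DROP_DIR)
    if os.path.isdir(drop):
        findings.append(("drop_dir", drop))

    user_agent_dirs = []
    users_dir = os.path.join(root, "Users")
    if os.path.isdir(users_dir):
        user_agent_dirs = [os.path.join("Users", u, "Library/LaunchAgents")
                           for u in sorted(os.listdir(users_dir))]

    for rel in LAUNCHD_DIRS + user_agent_dirs:
        directory = os.path.join(root, rel)
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(directory, name)
            if _plist_references(path, NEEDLE):
                findings.append(("launchd_plist", path))
    return findings


def demo() -> list:
    """Build a constructed tree (one benign plist, one referencing JavaW) in a
    temporary directory, scan it, and clean up. Names are hypothetical."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, DROP_DIR))
        agents = os.path.join(root, "Library/LaunchAgents")
        os.makedirs(agents)
        with open(os.path.join(agents, "com.example.benign.plist"), "wb") as fh:
            plistlib.dump({"Label": "com.example.benign",
                           "ProgramArguments": ["/usr/bin/true"]}, fh)
        with open(os.path.join(agents, "com.JavaW.plist"), "wb") as fh:  # hypothetical name
            plistlib.dump({"Label": "JavaW", "RunAtLoad": True,
                           "ProgramArguments": ["/Library/Application Support/JavaW/JavaW"]}, fh)
        return find_iworm_artifacts(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, path in demo():
        print(kind, path)
```

To check a live Mac, call find_iworm_artifacts("/"); to check a mounted image, pass its mount point. A hit on the drop directory alone is strong evidence, since the page names that path as the extraction target; a plist hit alone warrants looking at the referenced binary before acting.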

When Mac.BackDoor.iWorm is first launched, it saves its configuration data in a separate file and tries to read the contents of the /Library directory to determine which installed applications the malware should avoid interacting with. If no such 'unwanted' directories are found, the bot uses system queries to determine the home directory of the Mac OS X account under which it is running, checks whether its configuration file is present there, and writes the data it needs to keep operating into that file. Mac.BackDoor.iWorm then opens a port on the infected computer and waits for an incoming connection. It sends a request to a remote site to acquire a list of control servers, then connects to those servers and waits for instructions.

Notably, to acquire the control server list the bot uses the search service at reddit.com, specifying as the search query the hexadecimal values of the first 8 bytes of the MD5 hash of the current date. The reddit.com search returns a web page containing a list of botnet C&C servers and ports that the criminals published in comments to the post minecraftserverlists under the account vtnhiaovyd.

[Screenshot: reddit.com search results showing the C&C server and port list posted in comments]

The bot selects servers at random from the first 29 addresses on the list and sends queries to them. Search requests to acquire the list are sent to reddit.com at five-minute intervals.
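The C&C discovery scheme above can be reproduced from the defender's side: derive the daily search string the bot sends to reddit.com (useful for hunting in web-proxy logs) and parse an IP:port list the way the bot would consume it. The following is an added example, not Doctor Web's code or the malware's. The page states only that the query is the hex of the first 8 bytes of the MD5 of "the current date"; the exact date string the bot hashes is not given, so the ISO yyyy-mm-dd form used here is an assumption, and the comment text fed to the parser is constructed sample data.

```python
"""Added example (not Doctor Web's code): derive the daily reddit search term
described on the page and parse a posted IP:port list as the bot would."""
import hashlib
import re
from datetime import date, timedelta

# ASSUMPTION: the page does not state the date format the bot hashes;
# ISO yyyy-mm-dd is used here as a stand-in. Adjust if the real format is known.
DATE_FORMAT = "%Y-%m-%d"
FIRST_N_SERVERS = 29       # page: the bot uses the first 29 addresses on the list
SEARCH_INTERVAL_MIN = 5    # page: list re-requested every five minutes

_IP_PORT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def daily_query(day_string: str) -> str:
    """Hex of the first 8 bytes of MD5(day_string): the 16-character search term."""
    return hashlib.md5(day_string.encode("ascii")).hexdigest()[:16]


def queries_for_range(start_iso: str, days: int) -> list:
    """(date, search term) pairs for `days` consecutive dates from start_iso.
    Grep proxy logs for reddit.com requests whose query carries one of the terms."""
    start = date.fromisoformat(start_iso)
    out = []
    for i in range(days):
        day = (start + timedelta(days=i)).strftime(DATE_FORMAT)
        out.append((day, daily_query(day)))
    return out


def parse_server_list(comment_text: str) -> list:
    """Extract valid (ip, port) pairs in order of appearance, dropping entries
    with out-of-range octets or ports and exact duplicates."""
    seen, servers = set(), []
    for ip, port in _IP_PORT.findall(comment_text):
        octets = [int(o) for o in ip.split(".")]
        p = int(port)
        if any(o > 255 for o in octets) or not 1 <= p <= 65535:
            continue
        if (ip, p) in seen:
            continue
        seen.add((ip, p))
        servers.append((ip, p))
    return servers


def candidate_servers(servers: list, limit: int = FIRST_N_SERVERS) -> list:
    """Only the first 29 entries are considered by the bot, per the page."""
    return servers[:limit]


# Constructed sample comment text (documentation-range addresses, not real C&C
# data): two valid entries, one bad octet, one duplicate, one invalid port.
SAMPLE_COMMENT = """
198.51.100.7:8080
203.0.113.9:443
256.1.1.1:80
198.51.100.7:8080
192.0.2.5:70000
"""

if __name__ == "__main__":
    for day, term in queries_for_range("2014-09-26", 3):
        print(day, term)
    print(candidate_servers(parse_server_list(SAMPLE_COMMENT)))
```

Because the search term changes every day, a retrospective hunt needs one term per day of the window under investigation, which is what queries_for_range produces; a single fixed indicator would miss every day but one.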

When connecting to a server whose address was picked from the list by a special routine, the backdoor first checks whether the server address is on its exceptions list, then exchanges data with the server, using special routines to authenticate the remote host. If authentication succeeds, the backdoor sends the server the open port on the infected machine and its unique ID, and awaits directives.

Mac.BackDoor.iWorm can process two kinds of commands: binary directives, whose action depends on the binary data supplied, and Lua scripts. The basic backdoor commands available to Lua scripts can perform the following actions:

  • Get the OS type.
  • Get the bot version.
  • Get the bot UID.
  • Get a value from the configuration file.
  • Set a parameter value in the configuration file.
  • Remove all parameters from the configuration file.
  • Get bot uptime.
  • Send a GET query.
  • Download a file.
  • Open a socket for an inbound connection and then execute the commands received.
  • Execute a system instruction.
  • Sleep.
  • Ban a node by IP.
  • Clear the list of banned nodes.
  • Get the node list.
  • Get a node IP.
  • Get node type.
  • Get node port.
  • Execute a nested Lua-script.

Information collected by Doctor Web's researchers shows that as of September 26, 2014, 17,658 IP addresses of infected devices were part of the botnet built with Mac.BackDoor.iWorm. Most of them, 4,610 (26.1% of the total), are in the United States. Canada ranks second with 1,235 addresses (7%), and the United Kingdom third with 1,227 (6.9%). The geographical distribution of the botnet in late September 2014 is shown in the following illustration:

[Illustration: geographical distribution of Mac.BackDoor.iWorm infections, late September 2014]

The signature of this malware has been added to the virus database, so Mac.BackDoor.iWorm poses no danger to Macs protected with Dr.Web Anti-virus for Mac OS X.
