

Dr. Web has reported the spread of a new botnet that exclusively targets Apple computers running Mac OS X. According to a survey of traffic conducted by researchers at Dr. Web, over 17,000 Macs worldwide are part of the botnet, and almost a quarter of them are in the US. One of the most curious aspects of the botnet is that it uses a search of Reddit posts to a Minecraft server list subreddit to retrieve IP addresses for its command and control (CnC) network. That subreddit now appears to have been expunged of CnC data, and the account that posted the data appears to be shut down. The Dr. Web report doesn't say how the malware is being distributed to victims.

But its "dropper" program installs the malware into the Library directory within the affected user's account home folder, disguised as an Application Support directory for "JavaW." The dropper then generates an OS X .plist file to automatically launch the bot whenever the system is started. The bot malware itself looks for somewhere in the user's Library folder to store a configuration file, then connects to Reddit's search page. It uses an MD5 hash algorithm to encode the current date, and uses the first 8 bytes of that value to search Reddit's "minecraftserverlist" subreddit, where most of the legitimate posts are over a year old. The CnC posts appear to now have been expunged from Reddit, and a survey of the most recent servers identified in the subreddit by Ars found that most of their IP addresses, scattered around the world on systems that were apparently compromised (including computers in Slovakia and at Marist College in Poughkeepsie, New York), are now unreachable.
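As an added illustration (not code from the Ars or Dr. Web reporting), the Python script below reproduces the date-derived search term described above and scans constructed proxy-log lines for requests to Reddit's search page that carry a predicted term; the date string format, the log line format and the URL shape are assumptions, since the report does not specify them.

```python
import hashlib
import re
from datetime import date, timedelta
from urllib.parse import parse_qs, urlparse

# Assumed date format; the report only says the current date is MD5-hashed
# and the first 8 bytes of the result are used as the Reddit search term.
DATE_FORMAT = "%d/%m/%Y"

def search_token(day):
    """Reproduce the dead-drop search term: first 8 hex chars of MD5(date string)."""
    return hashlib.md5(day.strftime(DATE_FORMAT).encode()).hexdigest()[:8]

def expected_tokens(today, window_days=1):
    """Terms for today and a few days either side, to tolerate clock skew and time zones."""
    return {search_token(today + timedelta(days=d))
            for d in range(-window_days, window_days + 1)}

# Constructed proxy log format "<timestamp> <client> <url>" (assumption, not from the report).
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<url>\S+)$")
HEX8 = re.compile(r"^[0-9a-f]{8}$")

def flag_reddit_ddr_lookups(log_lines, today, window_days=1):
    """Return (client, url, token) for Reddit search requests whose query is a predicted term."""
    tokens = expected_tokens(today, window_days)
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        url = urlparse(m["url"])
        if not url.netloc.endswith("reddit.com") or "/search" not in url.path:
            continue
        q = parse_qs(url.query).get("q", [""])[0].lower()
        if HEX8.match(q) and q in tokens:
            hits.append((m["client"], m["url"], q))
    return hits

# Constructed sample log for a fixed reference date; the matching token is derived
# here so the sample stays consistent with whatever date format is configured above.
REF_DAY = date(2014, 10, 2)
SAMPLE_LOG = [
    f"2014-10-02T09:14:03Z 10.0.0.12 https://www.reddit.com/r/minecraftserverlist/search?q={search_token(REF_DAY)}&restrict_sr=on",
    "2014-10-02T09:14:05Z 10.0.0.12 https://www.reddit.com/r/minecraftserverlist/",
    "2014-10-02T09:15:11Z 10.0.0.31 https://www.reddit.com/search?q=minecraft+survival",
    "2014-10-02T09:16:40Z 10.0.0.31 https://www.reddit.com/search?q=deadbeef",  # 8 hex chars, but not a predicted term
]

if __name__ == "__main__":
    for client, url, token in flag_reddit_ddr_lookups(SAMPLE_LOG, REF_DAY):
        print(f"{client} queried predicted term {token}: {url}")
```

Because the terms are derivable in advance, a defender can generate them for the coming days and alert on any host issuing such a query, which is the detection angle this resolution scheme leaves open.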
