Mac Worm uses Reddit for botnet propagation

It’s a little old now, and I’m surprised I hadn’t blogged about it before, but I feel it’s still an interesting little exploit to mention.

From my naive understanding of the exploit, it masks itself as a Java-esque app and tries to gain port listening access surreptitiously.

The novel part is that once it can, it searches Reddit for a partial MD5 hash based on the current date, which would return a list of IPs published by a former /u/vtnhiaovyd on a former r/minecraftserverlists.

These IPs are of course C&C servers, from which the worm gets further commands.

It’s all been long cleaned up, but I still find it an amusing and novel little worm.
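For anyone hunting this pattern in web proxy logs, here is an added sketch (not code from the worm or from any vendor write-up) that flags Reddit searches whose term is a bare hex string and checks whether it is a slice of an MD5 of a nearby date. The date formats, the 8 to 32 character token length, the log date and the sample URLs are all assumptions or constructed values, since the details are not given here.

```python
import hashlib
import re
from datetime import date, timedelta
from urllib.parse import parse_qs, urlsplit

# Assumption: the post does not say how the date is rendered before hashing,
# so several common renderings are tried.
DATE_FORMATS = ("%Y-%m-%d", "%Y%m%d", "%d.%m.%Y", "%m/%d/%Y")
HEX_TOKEN = re.compile(r"[0-9a-f]{8,32}")

def date_digests(day, window=1):
    """MD5 hex digest -> date string, for each day within `window` days of `day`."""
    digests = {}
    for offset in range(-window, window + 1):
        for fmt in DATE_FORMATS:
            text = (day + timedelta(days=offset)).strftime(fmt)
            digests[hashlib.md5(text.encode()).hexdigest()] = text
    return digests

def classify(url, day):
    """Return None, 'hex-search', or 'date-md5:<date string>' for a logged URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host != "reddit.com" and not host.endswith(".reddit.com"):
        return None
    last_segment = parts.path.rstrip("/").rsplit("/", 1)[-1]
    if last_segment.split(".")[0] != "search":
        return None
    verdict = None
    for term in parse_qs(parts.query).get("q", []):
        term = term.strip().lower()
        if not HEX_TOKEN.fullmatch(term):
            continue
        verdict = "hex-search"  # hex-only search term: unusual for a person
        for digest, text in date_digests(day).items():
            if term in digest:  # "partial" hash: any slice of the digest
                return "date-md5:" + text
    return verdict

if __name__ == "__main__":
    day = date(2014, 10, 1)  # constructed log date
    token = hashlib.md5(b"20141001").hexdigest()[:16]  # constructed token
    sample = [  # constructed proxy-log URLs
        "https://www.reddit.com/search?q=" + token,
        "https://www.reddit.com/search?q=deadbeefcafe0123",
        "https://www.reddit.com/r/minecraft/search?q=server+list",
    ]
    for url in sample:
        print(classify(url, day), url)
```

A `date-md5` hit from a non-browser process is the strong signal; `hex-search` alone is only a lead worth correlating with the requesting process and user agent.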

