Mac Worm uses Reddit for botnet propagation

It’s a little old now and I’m surprised I hadn’t blogged about it before, but I feel it’s still an interesting little exploit to mention.

From my naive understanding of the exploit, it masks itself as a Java-esque app and tries to gain port listening access surreptitiously.

The novel part is that once it can, it searches Reddit for a partial MD5 hash derived from the current date, which would return a list of IPs published by the (since removed) user /u/vtnhiaovyd in the (since removed) subreddit r/minecraftserverlists.

These IPs are of course C&C servers, from which the worm fetches further commands.
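The rendezvous trick described above lends itself to a simple detection: because the search term is a deterministic function of the date, a defender can precompute the tokens for the surrounding days and flag any outbound Reddit search for one of them. The following is an added example, not code from this post or from any analysis of the worm; the date format (DD/MM/YY) and the 8-character prefix are assumptions rather than the worm's actual parameters, and the proxy log lines are constructed.

```python
import hashlib
from datetime import date, timedelta
from urllib.parse import urlparse, parse_qs

# Assumed parameters (not taken from the post): the rendezvous token is the first
# 8 hex characters of MD5 over the current date rendered as DD/MM/YY.
TOKEN_LEN = 8
DATE_FMT = "%d/%m/%y"


def rendezvous_token(day):
    """Token a host would search for on `day` under the assumed scheme."""
    return hashlib.md5(day.strftime(DATE_FMT).encode("ascii")).hexdigest()[:TOKEN_LEN]


def candidate_tokens(today, window=1):
    """Map token -> date for today +/- `window` days, so a skewed clock still matches."""
    return {
        rendezvous_token(today + timedelta(days=k)): today + timedelta(days=k)
        for k in range(-window, window + 1)
    }


def find_rendezvous_lookups(log_text, today, window=1):
    """Return (timestamp, client, token, matched_date) for every Reddit search
    whose query string is exactly one of the predicted daily tokens."""
    tokens = candidate_tokens(today, window)
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, client, url = parts
        u = urlparse(url)
        host = u.hostname or ""
        if host != "reddit.com" and not host.endswith(".reddit.com"):
            continue
        if not u.path.endswith("/search"):
            continue
        query = parse_qs(u.query).get("q", [""])[0]
        if query in tokens:
            hits.append((ts, client, query, tokens[query]))
    return hits


# Constructed sample: a proxy log in a simplified "<timestamp> <client> <url>" form.
FIXED_DAY = date(2014, 10, 1)
SAMPLE_LOG = "\n".join([
    "2014-10-01T09:00:00Z 10.0.0.5 https://www.reddit.com/r/minecraftserverlists/search?q=survival+server",
    "2014-10-01T09:00:01Z 10.0.0.7 https://www.reddit.com/search?q=" + rendezvous_token(FIXED_DAY),
    "2014-10-01T09:00:02Z 10.0.0.8 https://www.reddit.com/r/minecraftserverlists/search?q="
    + rendezvous_token(FIXED_DAY - timedelta(days=1)),
    "2014-10-01T09:00:03Z 10.0.0.9 https://www.reddit.com/search?q="
    + rendezvous_token(FIXED_DAY - timedelta(days=10)),
    "2014-10-01T09:00:04Z 10.0.0.5 https://example.org/search?q=" + rendezvous_token(FIXED_DAY),
])


if __name__ == "__main__":
    for ts, client, token, matched in find_rendezvous_lookups(SAMPLE_LOG, FIXED_DAY):
        print(f"{ts} {client} searched for token {token} (matches {matched.isoformat()})")
```

The window of a day on either side catches hosts whose clock is slightly off; the entry from ten days earlier is deliberately outside it and is not flagged, and the same token sent to a non-Reddit host is ignored because the scheme depends on Reddit's search.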

It’s all been long cleaned up, but I still find it an amusing and novel little worm.

A very interesting project to create a better defense against MITM attacks on the web, independent of HTTPS and site certificates.

I can’t wait to see a 1.0 version of this; its promise of a simpler alternative to something like PGP is very alluring to me.