Archive for January 22, 2009

Latest OS X Threat: “iWorkServices”

A new OS X threat disguised as the legitimate application iWork 09 is currently in the wild. A few OS X users have been tricked by this, so be careful!

This malicious piece of code can create a startup entry and copy itself to /usr/bin/iWorkServices.

Once installed, it will attempt to communicate remotely and send HTTP requests. It will also create /tmp/.iWorkServices and set its mode to 755 (chmod 755), which gives read and execute permission to everyone; this may relate to its P2P activity.

It also references “Users/jason/diarrhea/aes/aes_modes.c”.

Note that it will also attempt to connect to this URL:

picture-3

Ok, so the culprit is in Mach-O universal binary format: 

picture-4
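
A defender-side check for the artifacts named above, as an added example that is not from the original post: it looks for the two paths the post mentions under a given root, reports their mode, and tests whether a file starts with a Mach-O header. The `scan` and `macho_kind` names and the architecture-count heuristic are assumptions of this example.

```python
import os
import stat
import struct

# Paths taken from the post; everything else here is an assumption of this example.
IOC_PATHS = ("usr/bin/iWorkServices", "tmp/.iWorkServices")

FAT_MAGIC = 0xCAFEBABE                      # Mach-O universal ("fat") header
THIN_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE}


def macho_kind(path):
    """Return 'universal', 'thin' or None from the first 8 bytes of a file."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return None
    if len(head) < 8:
        return None
    magic, count = struct.unpack(">II", head)
    # Java class files share 0xCAFEBABE; a small architecture count is the
    # usual heuristic for telling a fat Mach-O header apart from them.
    if magic == FAT_MAGIC and 1 <= count <= 20:
        return "universal"
    return "thin" if magic in THIN_MAGICS else None


def scan(root="/"):
    """Check the two paths named in the post under `root`; return findings."""
    findings = []
    for rel in IOC_PATHS:
        path = os.path.join(root, rel)
        try:
            st = os.lstat(path)
        except OSError:
            continue                         # path absent or unreadable
        findings.append({
            "path": path,
            "mode": oct(stat.S_IMODE(st.st_mode)),
            "mode_755": stat.S_IMODE(st.st_mode) == 0o755,
            "macho": macho_kind(path) if stat.S_ISREG(st.st_mode) else None,
        })
    return findings


if __name__ == "__main__":
    for hit in scan("/"):
        print(hit)
```

Passing a mounted disk image or backup directory as `root` lets the same check run against an offline copy of the system.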

I know these details are not enough; for now I can say that this is indeed a threat: a backdoor, trojan and P2P-controlled bot. **Updated

**Note: the file that contains this threat is ~450MB in size**

Btw, this is currently being discussed here:

http://thepiratebay.org/torrent/4630952/iWork.09

http://thepiratebay.org/torrent/4627720/iWork__09_Trial
