Home > Malwares > Latest OS X Threat: “iWorkServices”

Latest OS X Threat: “iWorkServices”

January 22, 2009 Methusela Cebrian Ferrer Leave a comment Go to comments

A new OS X threat disguised as a legitimate application iWork 09 currently in-the-wild. Few OS X users had been tricked by this, so be careful! 

This malicious piece of code could create startup entry and copy itself as /usr/bin/iWorkServices. 

picture-1

 

picture-2

 

 Once installed, it will attempt to remotely communicate and execute HTTP request. It will also create /tmp/.iWorkServices and sets CHMOD 755 which is a read and execute for everyone, which may relate to its P2P activity. 

It is  also referencing to “Users/jason/diarrhea/aes/aes_modes.c”. 

 

 

Notice that this will also attempt to connect in this URL: 

picture-3

Ok, so the culprit is in Mach-O universal binary format: 

picture-4

I know this details are not enough, for now I can say that this is indeed a threat; a backdoor, trojan and P2P controlled bot. **Updated

**Note the file size that contains this threat is ~ 450MB**

Btw, this is currently discussed here: 

http://thepiratebay.org/torrent/4630952/iWork.09

http://thepiratebay.org/torrent/4627720/iWork__09_Trial

Categories: Malwares Tags: , , , ,
  1. Patrick
    January 22, 2009 at 7:33 pm | #1
    Reply | Quote

    Your report is really basic and doesn’t go into depth. Anyways … The really interesting part about this (fortunatly poorly coded) little beast is, that it comes with a Lua (scripting language) interpreter … This is the part neither you nor F-Secure found out yet … In theory this means it can be expanded in every imaginable way via it’s p2p network.

    Regards

  2. Macsico
    January 22, 2009 at 10:45 pm | #2
    Reply | Quote

    Code-signing is present in Mac OS X starting with 10.5. Security updates use SHA-1 checksums for years now. So at least some people at Apple know how to guarantee for software downloads integrity.

    But it seems that not all teams at Apple use this technology for ALL their applications.

    Lets see how they will deal with this …

  3. kampanye damai pemilu Indonesia 2009
    February 7, 2009 at 1:17 pm | #3
    Reply | Quote

    finally, thanks for this reference…

    Thank’s very much.

  4. Dazzer
    February 9, 2009 at 4:54 am | #4
    Reply | Quote

    I got infected with this thing via. Photoshop CS4. I’m curious to know what it does when it runs. I’ve deleted this trojan itself, but does anyone know what code it executes from the remote site? Because it got to do that at least once and I need to know if I need to completely reinstall?!

  5. Владислав
    June 11, 2009 at 10:46 am | #6
    Reply | Quote

    thanks this post. I made some adjustments

  6. That Guy
    June 11, 2009 at 6:27 pm | #7
    Reply | Quote

    I love this site

    • Methusela Cebrian Ferrer
      June 14, 2009 at 1:17 pm | #8
      Reply | Quote

      Thanks! Keep coming back and please send me an email if you find some suspicious relating to Mac.

  1. January 22, 2009 at 11:00 am | #1
    iWork Trojan or Botnet Binary found | Reverse Engineering Mac OS X
  2. January 22, 2009 at 3:40 pm | #2
    Torrent-Download der iWork-Trial mit Trojaner versetzt » MACNOTES.DE
  3. January 23, 2009 at 10:16 am | #3
    Trojanisierte Kopie von Apple iWork 2009 in Umlauf « Computerhilfe u. Info Blog
  4. January 23, 2009 at 7:35 pm | #4
    media-scientific – IT Blog » Blog Archive » Apple iWork 2009 – Trojanerverseucht!
  5. January 23, 2009 at 7:40 pm | #5
    Macintosh Trojan Attacks! » Help Desk Screeds
  6. January 24, 2009 at 12:13 am | #6
    Top Posts « WordPress.com
  7. January 27, 2009 at 3:05 pm | #7
    iWork/CS4 Trojan In-Depth Analysis « cordney*
  8. February 4, 2009 at 11:43 am | #8
    http://piratebaytorrent.se