Threat Researcher

January 22, 2009

Latest OS X Threat: “iWorkServices”

Filed under: Malwares — Methusela Cebrian Ferrer @ 7:47 am

A new OS X threat disguised as a legitimate copy of iWork '09 is currently in the wild. A few OS X users have already been tricked by it, so be careful!

This malicious code creates a startup entry and copies itself to /usr/bin/iWorkServices.

picture-1

picture-2

Once installed, it attempts to contact a remote host and issues HTTP requests. It also creates /tmp/.iWorkServices and chmods it to 755 (rwxr-xr-x: the owner can read, write and execute; everyone else can read and execute), which may relate to its P2P activity.

The binary also contains the string “Users/jason/diarrhea/aes/aes_modes.c”, a leftover source path indicating that an AES implementation was compiled into it.

Note that it also attempts to connect to this URL:

picture-3

OK, so the culprit is a Mach-O universal (fat) binary:

picture-4
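As an added example (not code from the original post), here is a small POSIX shell check for the indicators described above: the copy at /usr/bin/iWorkServices, the /tmp/.iWorkServices file with mode 755, and a startup entry. The two file paths and the mode come from the post; the StartupItems path is my assumption, since the post only says a startup entry is created without naming it. The check can be run on the live machine or pointed at a mounted copy of a suspect disk, and it confirms whether a hit is a Mach-O universal binary from its header magic rather than trusting the file name.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks a live host (no
# argument) or an offline copy of a disk mounted at $1 for the iWorkServices
# indicators described in the post: /usr/bin/iWorkServices, /tmp/.iWorkServices
# (chmod 755) and a startup entry. The StartupItems path below is an
# assumption; the post only says a startup entry is created.
#
# Usage:  . ./check.sh; scan_iworkservices                    # live host
#         . ./check.sh; scan_iworkservices /Volumes/Suspect   # mounted image

# Print the first four bytes of a file as lowercase hex, e.g. "cafebabe".
file_magic() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Return 0 if the file looks like a Mach-O universal (fat) binary.
# The fat header starts with the big-endian magic 0xCAFEBABE followed by
# nfat_arch. Java class files share that magic, but the word at the same
# offset there is the class version, which is at least 0x2D (Java 1.1), so a
# small value (1..31) is taken as a real architecture count, roughly the
# heuristic file(1) applies.
is_fat_macho() {
    [ "$(file_magic "$1")" = "cafebabe" ] || return 1
    narch=$(od -An -tx1 -j4 -N4 "$1" | tr -d ' \n')
    case "$narch" in
        00000000)    return 1 ;;   # zero architectures: not a real fat binary
        000000[01]?) return 0 ;;   # 1..31 architectures
        *)           return 1 ;;
    esac
}

# Report every indicator present under $1 (empty = the running system).
# Prints "FOUND <path> <mode> <kind>" per hit and a final "hits=N" line;
# the exit status is 0 when nothing was found and 1 otherwise.
scan_iworkservices() {
    root="${1:-}"
    hits=0
    for p in \
        "$root/usr/bin/iWorkServices" \
        "$root/tmp/.iWorkServices" \
        "$root/System/Library/StartupItems/iWorkServices"
    do
        [ -e "$p" ] || continue
        hits=$((hits + 1))
        # Permission string from ls; chmod 755 shows up as -rwxr-xr-x.
        mode=$(ls -ld "$p" | cut -c1-10)
        kind=other
        if [ -f "$p" ] && is_fat_macho "$p"; then
            kind=fat-macho
        fi
        printf 'FOUND %s %s %s\n' "$p" "$mode" "$kind"
    done
    # On a live host also look for the process by name. Skipped for offline
    # roots, where the process table has nothing to do with the disk checked.
    if [ -z "$root" ] && ps -A -o comm= 2>/dev/null | grep -q 'iWorkServices$'; then
        hits=$((hits + 1))
        printf 'FOUND running process iWorkServices\n'
    fi
    printf 'hits=%d\n' "$hits"
    [ "$hits" -eq 0 ]
}
```

A non-zero exit status means at least one indicator was present. The mode column is there because the post calls out the 755 permissions on /tmp/.iWorkServices; the kind column separates a genuine fat Mach-O from an unrelated file that merely carries the same name.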

I know these details are not enough; for now I can say that this is indeed a threat: a backdoor, a trojan, and a P2P-controlled bot.

Update: note that the file carrying this threat is roughly 450 MB.

By the way, this is currently being discussed here:

http://thepiratebay.org/torrent/4630952/iWork.09

http://thepiratebay.org/torrent/4627720/iWork__09_Trial

16 Comments

  1. [...] seems there is a trojan or botnet binary for OS X in the wild. Some details available at http://ithreats.wordpress.com/2009/01/22/latest-os-x-threat-iworkservices/ [...]

    Pingback by iWork Trojan or Botnet Binary found | Reverse Engineering Mac OS X — January 22, 2009 @ 11:00 am

  2. [...] a bot, trojan and P2P worm,” says security specialist Methusela Ferrer, who on his own blog also has some further information [...]

    Pingback by Torrent-Download der iWork-Trial mit Trojaner versetzt » MACNOTES.DE — January 22, 2009 @ 3:40 pm

  3. Your report is really basic and doesn’t go into depth. Anyways … The really interesting part about this (fortunately poorly coded) little beast is that it comes with a Lua (scripting language) interpreter … This is the part neither you nor F-Secure found out yet … In theory this means it can be expanded in every imaginable way via its P2P network.

    Regards

    Comment by Patrick — January 22, 2009 @ 7:33 pm

  4. Code signing is present in Mac OS X starting with 10.5. Security updates have used SHA-1 checksums for years now. So at least some people at Apple know how to guarantee the integrity of software downloads.

    But it seems that not all teams at Apple use this technology for ALL their applications.

    Let's see how they will deal with this …

    Comment by Macsico — January 22, 2009 @ 10:45 pm

  5. [...] The trojan copies itself into the list of system startup items and connects to a server. So far, however, no further activity by the malware has been observed. It presumably waits for commands in order to download further components. Security specialist Methusela Cebrian Ferrer has published a first analysis of the trojan on his pages. [...]

    Pingback by Trojanisierte Kopie von Apple iWork 2009 in Umlauf « Computerhilfe u. Info Blog — January 23, 2009 @ 10:16 am

  6. [...] that it waits for commands in order to download further software. A first analysis is available here. According to security expert and antivirus vendor Intego, so far 20,000 users have [...]

    Pingback by media-scientific - IT Blog » Blog Archive » Apple iWork 2009 - Trojanerverseucht! — January 23, 2009 @ 7:35 pm

  7. [...] A post from ithreat, describing a new Trojan threat for the Macintosh, a file that masquerades as an… [...]

    Pingback by Macintosh Trojan Attacks! » Help Desk Screeds — January 23, 2009 @ 7:40 pm

  8. [...] Latest OS X Threat: “iWorkServices” A new OS X threat disguised as a legitimate copy of iWork '09 is currently in the wild. A few OS X users have already been [...]

    Pingback by Top Posts « WordPress.com — January 24, 2009 @ 12:13 am

  9. [...] a little further, please let me know. Thanks go to Methusela Cebrian Ferrer from iThreats for the initial sight into the [...]

    Pingback by iWork/CS4 Trojan In-Depth Analysis « cordney* — January 27, 2009 @ 3:05 pm

  10. http://piratebaytorrent.se...

    Wednesday, December 26, 2007: While searching for some torrent on piratebay I noticed a little legal link at the bottom of the site…

    Trackback by http://piratebaytorrent.se — February 4, 2009 @ 11:43 am

  11. Finally, thanks for this reference…

    Thanks very much.

    Comment by kampanye damai pemilu Indonesia 2009 — February 7, 2009 @ 1:17 pm

  12. I got infected with this thing via Photoshop CS4. I’m curious to know what it does when it runs. I’ve deleted the trojan itself, but does anyone know what code it executes from the remote site? Because it got to do that at least once, and I need to know whether I need to completely reinstall?!

    Comment by Dazzer — February 9, 2009 @ 4:54 am

  13. Thanks for this post. I made some adjustments.

    Comment by Владислав — June 11, 2009 @ 10:46 am

  14. I love this site

    Comment by That Guy — June 11, 2009 @ 6:27 pm

    • Thanks! Keep coming back, and please send me an email if you find something suspicious relating to the Mac.

      Comment by Methusela Cebrian Ferrer — June 14, 2009 @ 1:17 pm

