Let’s call the bad iWork as Krowi.
So, the story starts when OS X user will download an iWork 09 installation package with serial key through BitTorrent.
Take note that Krowi is often found on a package “iWork09.zip” with filesize 450.4MB. Upon extracting, you’ll find NO “iWorkServices” here instead a main installation package named iWork09Trial.mpkg and an enticing serial.txt.
Upon inspecting the content of “iWork09Trial.mpkg” you’ll find nasty Krowi “iWorkServices.pkg” piggybacking.
The file “preflight” contains a one line instruction, which is executing the mach-o binary file “iworkservices”.
When installed, this will create the following files:
/System/Library/StartupItems/iWorkServices/StartupParameters.plist
/System/Library/StartupItems/iWorkServices/iWorkServices
/usr/bin/iWorkServices
Since the system keep a copy of the installer, you’ll find this as well:
/Library/Receipts/iWorkServices.pkg
Once installed, you will find “iWorkServices” process is running in background and it will persistently attempts to report to its command and control channels.
69.92.177.146:59201
qwfojzlk.freehostia.com:1024