Home > Malwares > Latest OS X Threat: “iWorkServices”

Latest OS X Threat: “iWorkServices”

A new OS X threat disguised as a legitimate application iWork 09 currently in-the-wild. Few OS X users had been tricked by this, so be careful! 

This malicious piece of code could create startup entry and copy itself as /usr/bin/iWorkServices. 





 Once installed, it will attempt to remotely communicate and execute HTTP request. It will also create /tmp/.iWorkServices and sets CHMOD 755 which is a read and execute for everyone, which may relate to its P2P activity. 

It is  also referencing to “Users/jason/diarrhea/aes/aes_modes.c”. 



Notice that this will also attempt to connect in this URL: 


Ok, so the culprit is in Mach-O universal binary format: 


I know this details are not enough, for now I can say that this is indeed a threat; a backdoor, trojan and P2P controlled bot. **Updated

**Note the file size that contains this threat is ~ 450MB**

Btw, this is currently discussed here: 



  1. Patrick
    January 22, 2009 at 7:33 pm

    Your report is really basic and doesn’t go into depth. Anyways … The really interesting part about this (fortunatly poorly coded) little beast is, that it comes with a Lua (scripting language) interpreter … This is the part neither you nor F-Secure found out yet … In theory this means it can be expanded in every imaginable way via it’s p2p network.


  2. January 22, 2009 at 10:45 pm

    Code-signing is present in Mac OS X starting with 10.5. Security updates use SHA-1 checksums for years now. So at least some people at Apple know how to guarantee for software downloads integrity.

    But it seems that not all teams at Apple use this technology for ALL their applications.

    Lets see how they will deal with this …

  3. February 7, 2009 at 1:17 pm

    finally, thanks for this reference…

    Thank’s very much.

  4. Dazzer
    February 9, 2009 at 4:54 am

    I got infected with this thing via. Photoshop CS4. I’m curious to know what it does when it runs. I’ve deleted this trojan itself, but does anyone know what code it executes from the remote site? Because it got to do that at least once and I need to know if I need to completely reinstall?!

    • Methusela Cebrian Ferrer
      February 9, 2009 at 11:10 am

      Have you checked this https://ithreats.wordpress.com/2009/01/26/how-to-remove-iworkservices/ this includes instruction and what it does. However, if you think you are able to remove it but still suspicious on possible left overs, you might want to further investigate (in terminal) your running processes and open ports.

  5. June 11, 2009 at 10:46 am

    thanks this post. I made some adjustments

  6. June 11, 2009 at 6:27 pm

    I love this site

    • Methusela Cebrian Ferrer
      June 14, 2009 at 1:17 pm

      Thanks! Keep coming back and please send me an email if you find some suspicious relating to Mac.

  1. January 22, 2009 at 11:00 am
  2. January 22, 2009 at 3:40 pm
  3. January 23, 2009 at 10:16 am
  4. January 23, 2009 at 7:35 pm
  5. January 23, 2009 at 7:40 pm
  6. January 24, 2009 at 12:13 am
  7. January 27, 2009 at 3:05 pm
  8. February 4, 2009 at 11:43 am

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: