Threat behavior
MacOS_X/Iservice is a trojan written for Mac OS X. It compromises affected machines by downloading arbitrary files and executing commands supplied remotely through its own peer-to-peer network.
Installation
MacOS_X/Iservice has been distributed masquerading as a pirated trial version of the iWork09 application. The distributed archive 'iWork09.zip' contains fragments of the legitimate Mac OS X installation package iWork09Trial, as well as the trojanized package 'iWorkServices.pkg'. The latter contains the actual trojan in the file 'iworkservices'.
Note: The legitimate clean trial version of iWork09 can be downloaded from: http://www.apple.com/iwork/download-trial/
'iworkservices' is a 413,568-byte Mach-O universal binary carrying trojan code that runs under Mac OS X on machines with either PPC or Intel processors.
During the installation the trojan is copied to:
In order to execute automatically on system startup, the trojan creates the file:
- /System/Library/StartupItems/iWorkServices/iWorkServices
and a property list named:
- /System/Library/StartupItems/iWorkServices/StartupParameters.plist
The file /System/Library/StartupItems/iWorkServices/iWorkServices is a simple shell script which executes the main trojan binary:
#!/bin/sh
/usr/bin/iWorkServices &
Payload
Backdoor Functionality
The trojan may contact the following hosts:
- 69.92.177.146 on TCP port 59201
- qwfojzlk.freehostia.com on TCP port 1024
The predefined set of commands recognized by the trojan includes the following:
- banadd
- banclear
- clear
- get
- httpget
- httpgeted
- leafs
- nodes
- p2pihist
- p2pihistsize
- p2plock
- p2pmode
- p2ppeer
- p2ppeerport
- p2ppeertype
- p2pport
- p2punlock
- platform
- rand
- rshell
- script
- sendlogs
- set
- shell
- sleep
- socks
- system
- uid
- unknowns
- uptime
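The following script is an added example for responders and is not part of the original analysis. It turns the indicators given in the Installation and Payload sections into two checks: a file audit for the persistence artifacts (the StartupItems script and plist, and the /usr/bin/iWorkServices binary named by that script) that can be pointed at the live root or at a mounted disk image, and a filter that flags the two command-and-control endpoints in saved `netstat -an` or `lsof -i` output. The function names, the ROOT argument convention and the sample netstat lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original analysis): audit a Mac OS X filesystem
# and connection listings for the MacOS_X/Iservice indicators described above.

# Persistence artifacts named in the Installation section. The startup script
# launches /usr/bin/iWorkServices, so that path is included as well.
ISERVICE_PATHS="
/usr/bin/iWorkServices
/System/Library/StartupItems/iWorkServices/iWorkServices
/System/Library/StartupItems/iWorkServices/StartupParameters.plist
"

# Print each artifact present under ROOT (default "/"; pass a mount point to
# audit an offline image). Return value is the number of artifacts found, so
# 0 means clean. (Hypothetical helper written for this example.)
iservice_check_files() {
    root="${1:-/}"
    root="${root%/}"
    hits=0
    for p in $ISERVICE_PATHS; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            hits=$((hits + 1))
        fi
    done
    # The analysed sample was 413,568 bytes; report the size for comparison.
    if [ -f "$root/usr/bin/iWorkServices" ]; then
        echo "size: $(wc -c < "$root/usr/bin/iWorkServices") bytes (analysed sample: 413568)"
    fi
    return "$hits"
}

# Filter stdin (or the files given as arguments) for the C2 endpoints from the
# Payload section. macOS netstat prints the port after a dot
# ("69.92.177.146.59201"); lsof prints it after a colon, so both are matched.
iservice_check_connections() {
    grep -E '69\.92\.177\.146[.:]59201|qwfojzlk\.freehostia\.com[.:]1024' "$@"
}

# Constructed sample of `netstat -an` output (not captured data) used to
# exercise the connection filter: exactly one line matches a C2 endpoint.
SAMPLE_NETSTAT='tcp4       0      0  192.168.1.20.49152     69.92.177.146.59201    ESTABLISHED
tcp4       0      0  192.168.1.20.49153     203.0.113.5.443        ESTABLISHED'

# Entry point: `sh iservice_check.sh ROOT [NETSTAT_FILE]` audits ROOT (use /
# for the live system) and optionally scans a saved netstat/lsof listing.
if [ $# -ge 1 ]; then
    iservice_check_files "$1" || echo "$? persistence artifact(s) found under $1"
    if [ $# -ge 2 ]; then
        iservice_check_connections "$2" || echo "no C2 connections in $2"
    fi
fi
```

On a live machine run it as root against `/` and feed it `netstat -an` output; for a disk image mounted read-only, pass the mount point as ROOT so the same paths are checked without touching the live system.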
Analysis by Jakub Kaminski
Prevention