Threat behavior
MacOS_X/Iservice.B is a trojan written for Mac OS X. Like its earlier variant,
MacOS_X/Iservice, it compromises affected machines by downloading arbitrary files and executing commands supplied remotely through its own peer-to-peer network.
Installation
MacOS_X/Iservice.B has been distributed within a package containing a Mac version of the Adobe Photoshop application. The distributed archive 'Adobe Photoshop CS4 11.0 Extended (Mac OS X) Includes Crack+serial (Works 100%).zip' contained a clean copy of Adobe Photoshop CS4 version 11.0, as well as a cracking tool called Adobe CS4 Crack (a serial number generator). The latter carries the actual trojan binary within its data.
When the serial generator is executed, it extracts the trojan and writes it to the file /usr/bin/DivX.
DivX is an 866,548-byte Mach-O universal binary carrying trojan code that can run under Mac OS X on machines with either PowerPC or Intel processors.
In order to execute automatically on system startup, the trojan creates the file:
- /System/Library/StartupItems/DivX/DivX
and a property list named:
- /System/Library/StartupItems/DivX/StartupParameters.plist
The file /System/Library/StartupItems/DivX/DivX is a simple shell script that launches the main trojan binary in the background:
#!/bin/sh
/usr/bin/DivX &
Payload
Backdoor Functionality
The trojan may contact the following addresses:
- 69.92.177.146 on port TCP 59201
- qwfojzlk.freehostia.com on port TCP 1024
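The following POSIX shell script is an added host-triage example written for this page; it is not part of the original analysis. It checks a filesystem root (the live system, or a mounted image passed as the first argument) for the three files dropped under Installation above, corroborates a /usr/bin/DivX hit against the reported 866,548-byte size and the Mach-O universal (fat) magic, and scans netstat/lsof-style text for the two contact addresses just listed. The function names and the SAMPLE_NETSTAT excerpt are constructed for this example.

```shell
#!/bin/sh
# Added example: triage for MacOS_X/Iservice.B indicators taken from the write-up above.
# Not part of the original analysis. Usage: ./iservice_check.sh [ROOT_DIR]

# Dropped-file indicators (Installation section).
IS_B_PATHS="/usr/bin/DivX
/System/Library/StartupItems/DivX/DivX
/System/Library/StartupItems/DivX/StartupParameters.plist"

# Reported size of the DivX universal binary, in bytes.
IS_B_SIZE=866548

# Contact addresses (Backdoor Functionality section).
IS_B_C2_IP="69.92.177.146"
IS_B_C2_PORT=59201
IS_B_C2_HOST="qwfojzlk.freehostia.com"

# Constructed netstat-style excerpt for the stand-alone demo (not a real capture).
# macOS netstat prints host.port; Linux prints host:port, so the scan accepts both.
SAMPLE_NETSTAT='tcp4  0  0  192.168.1.20.49232  69.92.177.146.59201  ESTABLISHED
tcp4  0  0  192.168.1.20.49233  17.172.224.47.443    ESTABLISHED'

# File size in bytes; wc is portable where stat flags differ between BSD and GNU.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# True if the first four bytes are the Mach-O fat (universal) magic CA FE BA BE.
# Caveat: Java class files share this magic, so treat it as corroboration only.
is_fat_binary() {
    [ "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" = "cafebabe" ]
}

# Check ROOT (default: live filesystem) for the dropped files.
# Prints each hit; returns 0 if no artifact is present, 1 otherwise.
check_iservice_files() {
    root="${1:-}"
    hits=0
    for rel in $IS_B_PATHS; do
        f="${root}${rel}"
        [ -e "$f" ] || continue
        hits=$((hits + 1))
        printf 'ARTIFACT %s\n' "$f"
        case "$rel" in
            /usr/bin/DivX)
                if [ "$(file_size "$f")" = "$IS_B_SIZE" ]; then
                    printf '  size matches reported %s bytes\n' "$IS_B_SIZE"
                fi
                if is_fat_binary "$f"; then
                    printf '  Mach-O universal (fat) magic present\n'
                fi
                ;;
            */StartupItems/DivX/DivX)
                if grep -q '/usr/bin/DivX' "$f"; then
                    printf '  startup script launches /usr/bin/DivX\n'
                fi
                ;;
        esac
    done
    [ "$hits" -eq 0 ]
}

# Scan netstat/lsof-style text (passed as one argument) for the C2 endpoints.
# Prints matching lines; returns 0 if any line matched, 1 otherwise.
# The hostname only appears where names are resolved (lsof, DNS logs), so both forms are checked.
scan_connections_text() {
    printf '%s\n' "$1" | grep -E "${IS_B_C2_IP}[.:]${IS_B_C2_PORT}|${IS_B_C2_HOST}"
}

# Stand-alone run: scan the given root (or this host) and the constructed sample.
check_iservice_files "${1:-}" || echo "Iservice.B file artifacts found"
scan_connections_text "$SAMPLE_NETSTAT" || echo "no C2 endpoints in sample"
```

A clean result only means these specific indicators are absent: a variant that uses a different drop path or peer address would not be flagged, and a binary that has been removed after installation leaves the StartupItems entries as the remaining evidence. Run the check against a mounted image of the suspect disk where possible so the trojan, if running, cannot interfere with the scan.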
The predefined set of commands recognized by the trojan includes the following:
abortall
banadd
banclear
clear
get
httpget
httpgeted
leafs
nodes
p2pihist
p2pihistsize
p2plock
p2pmode
p2ppeer
p2ppeerport
p2ppeertype
p2pport
p2punlock
platform
rand
rshell
script
sendlogs
set
shell
sleep
socks
system
uid
unknowns
uptime
Analysis by Jakub Kaminski
Prevention