OSX/IWService

Type: Trojan
SubType: Macintosh
Discovery Date: 01/22/2009
Length: 413,568 bytes
Minimum DAT: 5504 (01/23/2009)
Updated DAT: 5507 (01/26/2009)
Minimum Engine: 5.2.00
Description Added: 01/22/2009
Description Modified: 01/22/2009 8:13 PM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Overview

-- January 22, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/01/22/mac_trojan_attack/

--

This Trojan is dropped as part of an illegitimate iWork installation obtained from file sharing sites.

Aliases

  • Backdoor:OSX/iWorkServ.A (F-Secure)
  • OSX.Iwork (Symantec)

Characteristics

This trojan is dropped by an illegitimate iWork application installer that has been observed to be available on some file sharing sites.

Upon installation, the following malicious files are created:

  • /usr/bin/iWorkServices (OSX/IWService)

It will also hook system startup by creating or modifying the following file(s) and folder(s):

  • /System/Library/StartupItems/iWorkServices/iWorkServices/
  • /System/Library/StartupItems/iWorkServices/StartupParameters.plist

StartupParameters.plist declares the item's dependency on the 'Network' startup stage, so SystemStarter launches iWorkServices during boot once networking is available, which gives the trojan persistence across reboots.

The installation folder is then set to mode 755 (chmod 755): read, write and execute for the owner (root), and read and execute for the group and everyone else. Both /usr/bin and /System/Library/StartupItems are root-owned, so the files above can only be dropped if the installer is run with administrator privileges.

Connection attempts may also be made to the following hosts on non-standard ports:

  • 69.92.{blocked} (TCP Port 59201)
  • {blocked}.freehostia.com (TCP Port 1024)

Over these connections the trojan receives and executes the following remote commands; as the names indicate, they cover a SOCKS proxy, HTTP download, peer-to-peer node management, scripting, log upload and an interactive shell:

  • socks
  • system
  • httpget
  • httpgeted
  • rand
  • sleep
  • banadd
  • banclear
  • p2plock
  • p2punlock
  • nodes
  • leafs
  • unknowns
  • p2pport
  • p2pmode
  • p2ppeer
  • p2ppeerport
  • p2peertype
  • set
  • get
  • clear
  • p2pihistsize
  • p2pihist
  • platform
  • script
  • sendlogs
  • uptime
  • uid
  • shell
  • rshell

Symptoms

  • Presence of the aforementioned file(s) and folder(s).
  • Presence of unexpected network connection(s) to the hosts and ports listed above.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

The startup hook (the StartupItems folder and StartupParameters.plist listed above) will also be removed when cleaning with the recommended engine and DAT combination (or higher).
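
As an added example (not McAfee's tooling and not code from the page's author), the following POSIX shell script turns the indicators from the Characteristics and Symptoms sections into a triage check and a manual clean-up matching the Removal guidance. The file paths and the two C2 ports are taken from this page; the function names, the --scan/--remove flags and the optional ROOT argument (scan a mounted image instead of "/") are this script's own assumptions.

```shell
#!/bin/sh
# Added example: triage and manual clean-up for the OSX/IWService indicators
# described above. Not McAfee's tool; the paths and ports come from the page,
# the function names, flags and ROOT argument are this script's conventions.

IWORK_BINARY="/usr/bin/iWorkServices"
IWORK_STARTUP_DIR="/System/Library/StartupItems/iWorkServices"
IWORK_STARTUP_PLIST="$IWORK_STARTUP_DIR/StartupParameters.plist"

# Print every dropped file that exists under ROOT (default "/", i.e. the live
# system; pass a mount point to check an offline image instead).
# Returns 0 if at least one indicator is present, 1 if the tree is clean.
iwork_check_files() {
    root="${1:-/}"; root="${root%/}"
    rc=1
    for p in "$IWORK_BINARY" "$IWORK_STARTUP_DIR/iWorkServices" "$IWORK_STARTUP_PLIST"; do
        if [ -e "$root$p" ]; then
            printf 'FOUND: %s\n' "$root$p"
            rc=0
        fi
    done
    return $rc
}

# Returns 0 if the StartupParameters.plist at $1 ties the item to the
# 'Network' startup stage, which is how SystemStarter ends up running the bot.
iwork_check_plist() {
    [ -r "$1" ] && grep -q 'Network' "$1"
}

# Reads connection lines on stdin (netstat -an or lsof -nP -iTCP output; both
# the "host.port" and "host:port" forms are handled) and prints those whose
# endpoint uses one of the C2 ports from this page. 59201 is distinctive;
# 1024 collides with ordinary traffic, so treat a 1024 hit as "review", not
# proof. Returns 0 if anything matched, 1 otherwise.
iwork_check_connections() {
    hits=$(grep -E -e '[.:]59201([^0-9]|$)' -e '[.:]1024([^0-9]|$)')
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits" | sed 's/^/SUSPECT: /'
}

# Stop the running service and delete the dropped files under ROOT. Process
# termination only makes sense on the live system, so it is skipped when ROOT
# is not "/". Returns 0 if no indicator file is left afterwards.
iwork_remove() {
    root="${1:-/}"; root="${root%/}"
    if [ -z "$root" ]; then
        killall iWorkServices 2>/dev/null || true
    fi
    rm -f "$root$IWORK_BINARY"
    rm -rf "$root$IWORK_STARTUP_DIR"
    ! iwork_check_files "$root" >/dev/null
}

# Full scan: files, startup hook and (live system only) active connections.
# Returns 0 if anything suspicious was found, 1 if the host looks clean.
iwork_scan() {
    root="${1:-/}"
    rc=1
    iwork_check_files "$root" && rc=0
    if iwork_check_plist "${root%/}$IWORK_STARTUP_PLIST"; then
        printf 'STARTUP: StartupItems entry is wired to the Network stage\n'
        rc=0
    fi
    if [ -z "${root%/}" ] && command -v netstat >/dev/null 2>&1; then
        netstat -an 2>/dev/null | iwork_check_connections && rc=0
    fi
    return $rc
}

# Usage: sh iwork_check.sh --scan [ROOT]    or    sh iwork_check.sh --remove [ROOT]
case "${1:-}" in
    --scan)   iwork_scan "${2:-/}" ;;
    --remove) iwork_remove "${2:-/}" ;;
esac
```

Run `sh iwork_check.sh --scan` as root on the live system, or `sh iwork_check.sh --scan /Volumes/Evidence` against a mounted image. The connection check works on numeric output, so the freehostia.com host only shows up by its resolved address and port, never by name; pipe `lsof -nP -iTCP` through `iwork_check_connections` when you also want the owning process. Removal is the manual fallback for hosts where the recommended DAT cannot be applied; re-run `--scan` afterwards and reboot, since the StartupItems entry is only consulted at boot.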

Variants

N/A