Threat Descriptions

Backdoor:OSX/iWorkServ.A

Classification

Category :

Malware

Type :

Backdoor

Platform :

OSX

Aliases :

Backdoor:OSX/iWorkServ.A

Summary

Backdoor:OSX/iWorkServ.A is a trojan backdoor that installs itself on Mac OSX computers.

Removal

The F-Secure security product will automatically remove the file.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Backdoor:OSX/iWorkServ.A

iWork is a suite of productivity applications created by Apple Inc.

The legitimate trial version of iWork can be downloaded from:

Illegitimate File Sharing

There are illegitimate copies of iWork 2009 distributed on file sharing sites.

Some of these illegitimate copies contain a malicious backdoor with peer-to-peer functionality.

The backdoor uses a file called iWorkServices and is part of the installer package. This file is detected as iWorkServ.A.

Based on the code the file should install itself to:

  • /System/Library/StartupItems/iWorkServices

It does so with equivalent - read+write+execute attribute.

Upon execution, the backdoor checks if it is run as administrator(sudo mode) by using "_geteuid" and "_getpwuid" API and then testing the output for "root".

If it is not executed with sudo rights, it will just exit.

It checks if the file is executed with a filename of "iWorkServices". If it doesn't it will delete the file "/tmp/.iWorkServices". It then create the following files:

  • /System/Library/StartupItems/iWorkServices/iWorkServices
  • /System/Library/StartupItems/iWorkServices/StartupParameters.plist
  • /usr/bin/iWorkServices

The iWorkServices files are copies of itself.

The "StartupParameters.plist" file contains the following data:

  • {Description = "iWorkServices"; Provides = ("iWorkServices"); Requires = ("Network"); OrderPreference = "None";}

It may attempt to connect to the following:

  • 69.92.177.146:59201
  • qwfojzlk.freehostia.com:1024

An attacker is capable of downloading and/or executing files using the following P2P commands:

  • banadd
  • banclear
  • clear
  • get
  • httpget
  • httpgeted
  • leafs
  • nodes
  • p2pihist
  • p2pihistsize
  • p2plock
  • p2pmode
  • p2ppeer
  • p2ppeerport
  • p2ppeertype
  • p2pport
  • p2punlock
  • platform
  • rand
  • rshell
  • script
  • sendlogs
  • set
  • shell
  • sleep
  • socks
  • system
  • uid
  • unknowns
  • uptime