Backdoor:OSX/iWorkServ.A

Backdoor:OSX/iWorkServ.A

iWork is a suite of productivity applications created by Apple Inc.

The legitimate trial version of iWork can be downloaded from:

• https://www.apple.com/iwork/download-trial/

Illegitimate File Sharing

There are illegitimate copies of iWork 2009 distributed on file sharing sites.

Some of these illegitimate copies contain a malicious backdoor with peer-to-peer functionality.

The backdoor uses a file called iWorkServices and is part of the installer package. This file is detected as iWorkServ.A.

Based on the code the file should install itself to:

• /System/Library/StartupItems/iWorkServices

It does so with equivalent - read+write+execute attribute.

Upon execution, the backdoor checks if it is run as administrator(sudo mode) by using "_geteuid" and "_getpwuid" API and then testing the output for "root".

If it is not executed with sudo rights, it will just exit.

It checks if the file is executed with a filename of "iWorkServices". If it doesn't it will delete the file "/tmp/.iWorkServices". It then create the following files:

• /System/Library/StartupItems/iWorkServices/iWorkServices
• /System/Library/StartupItems/iWorkServices/StartupParameters.plist
• /usr/bin/iWorkServices

The iWorkServices files are copies of itself.

The "StartupParameters.plist" file contains the following data:

• {Description = "iWorkServices"; Provides = ("iWorkServices"); Requires = ("Network"); OrderPreference = "None";}

It may attempt to connect to the following:

• 69.92.177.146:59201
• qwfojzlk.freehostia.com:1024

An attacker is capable of downloading and/or executing files using the following P2P commands:

• banadd
• banclear
• clear
• get
• httpget
• httpgeted
• leafs
• nodes
• p2pihist
• p2pihistsize
• p2plock
• p2pmode
• p2ppeer
• p2ppeerport
• p2ppeertype
• p2pport
• p2punlock
• platform
• rand
• rshell
• script
• sendlogs
• set
• shell
• sleep
• socks
• system
• uid
• unknowns
• uptime