So, there is no malware for Mac! Well, I am sure that we all heard this one time or another…but as you know, this is not true.

The recent iWork09 trojan shows that once more.

Some interesting list of facts about iWork09 and this Trojan:

•  Apple releases the iWork09 onMacWorld09 on January 6^th. (the version requires a serial number)
• Apple decides that no serial number will be needed for iWork09 anymore, on January 19^th
•  iWork09 trojan was discovered in Jan 21^st

So, what would be the logical explanation? Since Apple decided that the serial numbers  will not be needed anymore, there would happen a boost on the illegal torrents,  and the malware writer enjoyed the opportunity to add a backdoor on the package, right?

Wrong!

When I was checking some torrents of the iWok09, I could notice a different timeline…Most of the infected torrents dated approximately of January 7^th . Just one day after the iWork09 release, and the malware file also helps this theory:

 

-rwxr-xr-x  1 pedrobueno  staff  413568  7 Jan 22:22 iworkservices

 

As you may know this iWork09 trojan is not like the recent  popupers or other Mac  trojans, but a quite well developed piece of malware, that uses among other things a p2p-like network style and an encrypted communication channel.

It is not clear yet the ‘real’ purpose of such advanced Mac malware, but we will probably get more details as time goes by, and I will try to keep you posted.

What follows bellow is a list of command lines that will help you to identify and later remove the malware from your computer.

• Identify if the Trojan is using the network

sudo lsof -i -P|grep -i tcp|grep -i iworkserv

The output of this command will likely be something like:

iworkserv 5326     pedrobueno    9u  IPv4 0x7170270      0t0    TCP *:<port>

 

• Identify if the Trojan is present on the harddrive           

sudo find / -iname "iworkservice*" -print           

The output of this command will likely be something like:

.funnystuff/English.lproj/iWorkServices.info

.funnystuff/iworkservices

.funnystuff/iWorkServices.bom

.funnystuff/iWorkServices.pax.gz

.funnystuff/iWorkServices.sizes

 

• Identify if the Trojan is actually running on your system 

sudo ps aux |grep -i iworkservice |grep -v "grep"

 

The output will be something like this:

pedrobueno  5326   0.6  0,4   451036  15660 s002  S+    4:49     0:00.62 ./iworkservices

 

Where 5326 is the PID.

 

The removing part can be faster or a more completed way.

The faster way would be just kiiling it using the command line:

• sudo kill -9 PID, which in this case would be 5326. 

This command will terminate the running process on the machine, but it the file will be there yet.

 

A more complete approach is to also delete the iworkservices files, to prevent it to run again.

To do that simply go to the place where the output of the second command showed and use the following:

 

• sudo rm –rf iWorkservic*
• sudo rm –rf iworkservic*

 

ATTENTION. The command rm –rf is a very powerful command on Unix, specially when used with superuser privileges, so use with caution. I am not responsible for the misusage of it.

 

So, my next advice is to restart your machine and check it again. Remember that this malware is a backdoor which have multiple capabilities, and may update itself , making this instructions outdated.

 

So, that said, think about an AV for your Mac.

 

Some iWork references:

McAfee AvetLabs: OSX/IWService - http://vil.mcafeesecurity.com/vil/content/v_153893.htm

Intego security: http://www.intego.com/news/ism0901.asp

F-Secure: http://www.f-secure.com/v-descs/backdoor_osx_iworkserv_a.shtml

------------------------------------------------------------------------------------------------

Handler on Duty: Pedro Bueno ( pbueno && isc. sans. org ) - Written on a Powerbook :)