Posted on Friday, January 23rd, 2009 | Bookmark on del.icio.us

iWorkServices == P2P iBotnet

by Jose Nazario

If you want iWork 09 and didn’t want to pay for it, you may have grabbed a pirated copy. That may not have been all you got. If you wanted your Mac to be a part of a P2P botnet, then you’re in luck!

It turns out the package you may have downloaded over BitTorrent, a massive 450MB ZIP installer, is really just a huge Trojan horse package that installs a simple P2P bot tool on your box. Running the installer will not install iLife but instead the official sounding “iWorkServices”. This is not what you think it is. The binary has these characteristics:

MD5 (iWorkServices) = 046af36454af538fa024fbdbaf582a49
SHA1(iWorkServices)= 55d754b95ab9b34bdd848300045c3e11caf67ecf
SHA(iWorkServices)= 6b83df2636a4813ef722f3fad7c65b5419044889
file size: 413568 bytes
iWorkServices: Mach-O universal binary with 2 architectures
iWorkServices (for architecture ppc):   Mach-O executable ppc
iWorkServices (for architecture i386):  Mach-O executable i386

When run as root it creats a couple of files and directories to get set up:

/System/Library/StartupItems/iWorkServices
/System/Library/StartupItems/iWorkServices/StartupParameters.plist
/usr/bin/iWorkServices

This will now run whenever your box boots. The installer makes sure that the script is runnable:

chmod 755 /System/Library/StartupItems/iWorkServices/iWorkServices

And the script just launches the binary:

#!/bin/sh
/usr/bin/iWorkServices &

Not very sophisticated. On startup it creates a “dot” directory under /tmp:

/tmp/.iWorkServices

It fires up some connections:

69.92.177.146:59201
qwfojzlk.freehostia.com:1024

It will keep on trying until it connects. It also grabs a list of seed P2P peers from the file itself by decrypting the running file (thwarting static analysis) and managing the known peers as you would expect. It generates a port to listen on as needed (although it’s not quite clear to me how it would handle being behind a NAT device).

The bot software itself appears to be a Kadima-related P2P protocol with the expected commands to manage the peer list, but also to provide a remote shell, download and run arbitrary code, and to give full access to the box:

socks
system
httpget
httpgeted
rand
sleep
banadd
banclear
p2plock
p2punlock
nodes
leafs
unknowns
p2pport
p2pmode
p2ppeer
p2ppeerport
p2ppeertype
clear
p2pihistsize
p2pihist
platform
script
sendlogs
uptime
shell
rshell

What’s more is that there is an embedded Lua interpreter, giving a very sophisticated command language some additional structure.

So, what’s this botnet been up to? DDoS it seems, via a downloaded and executed PHP script. Clever.

Looking to find if anyone else is monitoring this botnet …

Bear in mind that this is just like all of the other OS X malware: you have to willingly install it. It’s much more of a Trojan Horse than a virus or worm.

Related info:

Edited to fix the name of the product this Trojan package masqueraded as.

This entry was posted on Friday, January 23rd, 2009 at 3:52 pm and is filed under Botnets, P2P, Trojan Horses. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

4 Responses | Add your own



Comment Post by: Rui Paulo — January 23rd, 2009 @ 5:04 pm EST  Reply

In the first sentence, don’t you mean “iWork 09″ ?

Comment Post by: Jose Nazario — January 23rd, 2009 @ 7:06 pm EST  Reply

i did indeed, and i fixed it. thanks!

Comment Post by: Steve — January 25th, 2009 @ 3:15 am EST  Reply

Hi, can you tell me the IP “qwfojzlk.freehostia.com” used to resolve too? Thanks

Comment Post by: Jose Nazario — January 25th, 2009 @ 2:15 pm EST  Reply

hi steve, it had been at qwfojzlk.freehostia.com A 201.235.145.105 (via passive DNS analysis)

Leave a Comment