iWorkServices == P2P iBotnet
If you want iWork 09 and didn’t want to pay for it, you may have grabbed a pirated copy. That may not have been all you got. If you wanted your Mac to be a part of a P2P botnet, then you’re in luck!
It turns out the package you may have downloaded over BitTorrent, a massive 450MB ZIP installer, is really just a huge Trojan horse package that installs a simple P2P bot tool on your box. Running the installer will not install iLife but instead the official sounding “iWorkServices”. This is not what you think it is. The binary has these characteristics:
MD5 (iWorkServices) = 046af36454af538fa024fbdbaf582a49 SHA1(iWorkServices)= 55d754b95ab9b34bdd848300045c3e11caf67ecf SHA(iWorkServices)= 6b83df2636a4813ef722f3fad7c65b5419044889 file size: 413568 bytes iWorkServices: Mach-O universal binary with 2 architectures iWorkServices (for architecture ppc): Mach-O executable ppc iWorkServices (for architecture i386): Mach-O executable i386
When run as root it creats a couple of files and directories to get set up:
/System/Library/StartupItems/iWorkServices /System/Library/StartupItems/iWorkServices/StartupParameters.plist /usr/bin/iWorkServices
This will now run whenever your box boots. The installer makes sure that the script is runnable:
chmod 755 /System/Library/StartupItems/iWorkServices/iWorkServices
And the script just launches the binary:
#!/bin/sh /usr/bin/iWorkServices &
Not very sophisticated. On startup it creates a “dot” directory under /tmp:
It fires up some connections:
It will keep on trying until it connects. It also grabs a list of seed P2P peers from the file itself by decrypting the running file (thwarting static analysis) and managing the known peers as you would expect. It generates a port to listen on as needed (although it’s not quite clear to me how it would handle being behind a NAT device).
The bot software itself appears to be a Kadima-related P2P protocol with the expected commands to manage the peer list, but also to provide a remote shell, download and run arbitrary code, and to give full access to the box:
socks system httpget httpgeted rand sleep banadd banclear p2plock p2punlock nodes leafs unknowns p2pport p2pmode p2ppeer p2ppeerport p2ppeertype clear p2pihistsize p2pihist platform script sendlogs uptime shell rshell
What’s more is that there is an embedded Lua interpreter, giving a very sophisticated command language some additional structure.
So, what’s this botnet been up to? DDoS it seems, via a downloaded and executed PHP script. Clever.
Looking to find if anyone else is monitoring this botnet …
Bear in mind that this is just like all of the other OS X malware: you have to willingly install it. It’s much more of a Trojan Horse than a virus or worm.
- Pirated iWork ’09 Installs P2P-Controlled Bot from the CA Security Advisor Research Blog.
- Update: “iWorkServices” Not Just A Trojan from the Threat Researcher blog. Great analysis.
- Hit by an OS X exploit, from the not a hat blog. He noticed the DDoS bit.
Edited to fix the name of the product this Trojan package masqueraded as.