Identifying and Removing the iWork09 Trojan
So, there is no malware for Mac! Well, I am sure we have all heard this one at one time or another... but as you know, it is not true.
The recent iWork09 trojan shows this once more.
- Apple releases iWork09 at MacWorld09 on January 6th (this version requires a serial number).
- On January 19th, Apple decides that iWork09 will no longer require a serial number.
- The iWork09 trojan is discovered on January 21st.
So, what would be the logical explanation? Since Apple decided that serial numbers would no longer be needed, there would be a boost in illegal torrents, and the malware writer took the opportunity to add a backdoor to the package, right?
Wrong!
When I was checking some torrents of iWork09, I noticed a different timeline... Most of the infected torrents dated from approximately January 7th, just one day after the iWork09 release, and the timestamp of the malware file also supports this theory:
-rwxr-xr-x 1 pedrobueno staff 413568 7 Jan 22:22 iworkservices
As you may know, this iWork09 trojan is not like the recent popupers or other Mac trojans, but a quite well-developed piece of malware that uses, among other things, a P2P-like network structure and an encrypted communication channel.
The 'real' purpose of such advanced Mac malware is not clear yet, but we will probably get more details as time goes by, and I will try to keep you posted.
What follows below is a list of commands that will help you identify and then remove the malware from your computer.
- Identify if the Trojan is using the network
sudo lsof -i -P|grep -i tcp|grep -i iworkserv
The output of this command will likely be something like the line below. Note that lsof truncates the COMMAND column to 9 characters, which is why the process shows up as iworkserv and why the grep above matches on that prefix rather than the full name:
iworkserv 5326 pedrobueno 9u IPv4 0x7170270 0t0 TCP *:<port>
- Identify if the Trojan is present on the harddrive
sudo find / -iname "iworkservice*" -print
The output of this command will likely be something like:
.funnystuff/English.lproj/iWorkServices.info
.funnystuff/iworkservices
.funnystuff/iWorkServices.bom
.funnystuff/iWorkServices.pax.gz
.funnystuff/iWorkServices.sizes
- Identify if the Trojan is actually running on your system
sudo ps aux |grep -i iworkservice |grep -v "grep"
The output will be something like this:
pedrobueno 5326 0.6 0,4 451036 15660 s002 S+ 4:49 0:00.62 ./iworkservices
Where 5326 is the PID.
Removal can be done the fast way or the more complete way.
The fast way is to just kill the process from the command line:
- sudo kill -9 PID, which in this case would be 5326.
This command terminates the running process, but the file will still be on disk.
A more complete approach is to also delete the iworkservices files, to prevent it from running again.
To do that, go to the location shown in the output of the second command (the find) and run:
- sudo rm -rf iWorkservic*
- sudo rm -rf iworkservic*
On the default case-insensitive HFS+ volume either pattern matches all of the files listed above; on a case-sensitive volume neither pattern matches iWorkServices.bom and the other mixed-case names, so check the exact names from the find output (an ls with the same pattern first is a cheap way to see what rm will touch).
ATTENTION: rm -rf is a very powerful command on Unix, especially when used with superuser privileges, so use it with caution. I am not responsible for misuse of it.
So, my next advice is to restart your machine and check again. Remember that this malware is a backdoor with multiple capabilities, and it may update itself, making these instructions outdated.
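The four steps above as one script, added here as an example and not part of the original diary: the same ps, lsof, find, kill and rm commands, with the checks a responder wants before running kill -9 and rm -rf as root (re-verify the PID before killing it, delete only regular files that find returned and that carry the indicator, dry-run by default). The script name iwork_triage.sh, the function names, and the sample ps and lsof lines (the listening port, the extra rows and the PIDs other than 5326 are made up) are constructed for this example; the only indicator it uses is the one the diary gives, a process or file name containing iworkservice.

```bash
#!/usr/bin/env bash
# Added example, not code from the diary: the diary's identify/kill/remove
# steps as shell functions with the checks a responder wants before typing
# `kill -9` and `rm -rf` as root. The only indicator is the diary's:
# processes and files whose name contains "iworkservice" (any case).
IOC='iworkservice'

# Constructed samples modelled on the diary's output lines (the listening
# port, the Safari and Pages rows and the PIDs other than 5326 are made up).
SAMPLE_PS='USER       PID  %CPU %MEM    VSZ   RSS   TT  STAT STARTED    TIME COMMAND
pedrobueno 5326   0.6  0.4 451036 15660 s002  S+   4:49PM 0:00.62 ./iworkservices
root       5400   0.0  0.0 123456  1234 s003  S+   4:50PM 0:00.01 grep -i iworkservice
pedrobueno  312   0.1  1.2 987654 56789   ??  S    4:00PM 0:01.00 /Applications/iWork09/Pages.app/Contents/MacOS/Pages'
SAMPLE_LSOF='COMMAND    PID       USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
iworkserv 5326 pedrobueno    9u  IPv4 0x7170270      0t0  TCP *:49152 (LISTEN)
Safari    1234 pedrobueno   23u  IPv4 0x7170111      0t0  TCP 192.168.1.5:52000->10.0.0.1:80 (ESTABLISHED)'

# Step 3 (ps aux): PIDs whose command contains the indicator. Only the
# command columns are inspected, so a user or tty name cannot match, and the
# grep line the diary removes with `grep -v grep` is dropped here too.
iwork_pids_from_ps() {            # $1: text of `ps aux`
    printf '%s\n' "$1" | awk -v ioc="$IOC" '
        NR == 1 && $2 == "PID" { next }
        { cmd = $11; for (i = 12; i <= NF; i++) cmd = cmd " " $i
          lc = tolower(cmd)
          if (index(lc, ioc) && lc !~ "(^|/)grep( |$)") print $2 }'
}

# Step 1 (lsof -i -P): "PID NODE NAME" of the trojan's sockets. lsof cuts
# the COMMAND column to 9 characters, which is why the diary shows (and
# greps for) "iworkserv"; match on that prefix, not the full name.
iwork_sockets_from_lsof() {       # $1: text of `lsof -i -P`
    printf '%s\n' "$1" | awk -v ioc="$IOC" '
        index(tolower($1), substr(ioc, 1, 9)) == 1 { print $2, $8, $9 }'
}

# Current command name of a PID: /proc on Linux, ps on macOS (empty if gone).
iwork_proc_name() {               # $1: PID
    if [ -r "/proc/$1/comm" ]; then cat "/proc/$1/comm"
    else ps -p "$1" -o comm= 2>/dev/null || true; fi
}

# Step 4a: `kill -9 <PID>`, but only after re-checking that the PID still
# belongs to the trojan. PIDs are reused, and a stale number copied from an
# earlier ps listing can otherwise kill an unrelated process as root.
iwork_kill() {                    # $1: PID; returns 1 and does nothing if unsure
    case "$1" in ''|*[!0-9]*) echo "not a PID: $1" >&2; return 1 ;; esac
    name=$(iwork_proc_name "$1" | tr 'A-Z' 'a-z')
    case "$name" in
        *"$IOC"*) kill -9 "$1" ;;
        *) echo "refusing: PID $1 is '$name', not the trojan" >&2; return 1 ;;
    esac
}

# Steps 2 and 4b: locate the files, then delete them one path at a time.
# Every path comes from find and must be a regular file (not a directory or
# symlink) whose name carries the indicator, so a mistyped glob cannot take
# the whole directory with it. Nothing is deleted unless $2 is "apply".
iwork_remove_under() {            # $1: directory to search; $2: "apply" or empty
    find "$1" -type f -iname "${IOC}*" -print 2>/dev/null | while IFS= read -r p; do
        case "$(basename "$p" | tr 'A-Z' 'a-z')" in *"$IOC"*) ;; *) continue ;; esac
        if [ "${2:-}" = apply ]; then rm -f -- "$p" && echo "removed: $p"
        else echo "would remove: $p"; fi
    done
}

# Live use (run as root):  ./iwork_triage.sh scan /   then   ./iwork_triage.sh clean /
# "demo" parses the constructed samples above; with no argument nothing runs.
case "${1:-}" in
    demo)  iwork_sockets_from_lsof "$SAMPLE_LSOF"; iwork_pids_from_ps "$SAMPLE_PS" ;;
    scan)  iwork_sockets_from_lsof "$(lsof -i -P 2>/dev/null || true)"
           iwork_pids_from_ps "$(ps aux)"
           iwork_remove_under "${2:-/}" ;;
    clean) for pid in $(iwork_pids_from_ps "$(ps aux)"); do iwork_kill "$pid"; done
           iwork_remove_under "${2:-/}" apply ;;
esac
```

`scan` is read-only and prints the sockets, PIDs and files it would act on; `clean` kills first and deletes second, the same order as the diary, so the process cannot re-create its files while they are being removed. Run both with sudo, since an unprivileged lsof and find only see your own processes and readable directories.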
So, that said, think about an AV for your Mac.
Some iWork references:
McAfee Avert Labs: OSX/IWService - http://vil.mcafeesecurity.com/vil/content/v_153893.htm
Intego security: http://www.intego.com/news/ism0901.asp
F-Secure: http://www.f-secure.com/v-descs/backdoor_osx_iworkserv_a.shtml
------------------------------------------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno && isc. sans. org ) - Written on a Powerbook :)
Network Solutions DDoS
We've had several requests for confirmation of the Network Solutions DDoS that was ongoing. I say "was" because, according to Network Solutions' blog, the attack has cleared up.
We received several reports about the attack, and now that it has hit Slashdot we have received several reader and media inquiries regarding it.
We'd like to point you to the article that Daniel wrote, which describes what was (we believe) the actual attack method used against Network Solutions:
http://isc.sans.org/diary.html?storyid=5713
-- Joel Esler | http://www.joelesler.net | http://twitter.com/joelesler