iWork/Photoshop Trojan or Botnet Binary found

It seems there is a trojan or botnet binary for OS X in the wild. Some details are available at http://ithreats.wordpress.com/2009/01/22/latest-os-x-threat-iworkservices/ .

The iWorkservices binary is available here: iWorkServices-trojan.zip

A very quick and dirty strings dump and disassembly seems to show a trojan with botnet capabilities. There are references to p2p, and that may be the main clue. There are no clear string references to a specific IP address or URL, which nowadays makes sense since most botnets use p2p features to contact the master nodes. Update: further analysis from the IRC channel people reveals that IP addresses do exist and are encrypted, but the botnet seems inactive for now.
If you are interested in this subject, have a look at this year's CCC presentation about the Storm botnet. Very good one!

Please leave feedback if you advance with analysis on this, I don’t have much free time available 🙁

Updates on this:

So it really seems to be a botnet binary. It's a shame it looks inactive and not very functional, since it appears to have fixed control servers, which should be easy to take down. Bah!

Update version 2:

There is a new version, this time packed in Adobe Photoshop CS4. If you want to take a look, grab the binary here: trojannewvariant.tar

While it writes a different file name to /var/tmp each time it's executed (it uses the tmpnam function to create these names), it doesn't have any kind of polymorphic code. The trojan/botnet binary can be easily detected using a SHA-1 checksum (MD5 shouldn't really be used for anything, not even for these little things!). OpenSSL gives the following SHA-1: b8ab6832bcf4b5b5db45e98d0a7d5a58d573f0e5
That makes it easy to clean the file from /var/tmp (to be honest, I would do a rm -f /var/tmp/tmp.*, since I don't see any harm in doing that!).
It seems Jason (grep the binary) isn't yet very skilled at writing this kind of stuff. And if someone has bought this code, it's rather useless and calls attention to the subject. This kind of stuff should be off the radar!
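As an added example (not part of the original post), here is a small POSIX shell script that turns the checksum idea above into a check: it hashes every regular file in a directory and reports only the ones whose SHA-1 is on a known-bad list, so you can confirm a hit before deleting anything under /var/tmp. The only real indicator in it is the SHA-1 the post lists for the Photoshop variant; the directory to scan and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: report files whose SHA-1 matches a known-bad list.
# Usage: scan_dir /var/tmp   (prints "<sha1>  <path>" for each hit)

# Known-bad SHA-1 checksums, one per line. The entry below is the hash
# the post gives for the Photoshop CS4 variant; add others as needed.
KNOWN_BAD_SHA1="b8ab6832bcf4b5b5db45e98d0a7d5a58d573f0e5"

# sha1_of FILE -> prints the hex SHA-1 of FILE, using whichever tool the
# host has: sha1sum (Linux), shasum (OS X), or openssl as a fallback.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha1 "$1" | sed 's/^.*= //'
    fi
}

# is_known_bad SHA1 -> exit status 0 if SHA1 is on the list, 1 otherwise.
# -x matches whole lines, -i ignores case, -F treats the hash literally.
is_known_bad() {
    printf '%s\n' "$KNOWN_BAD_SHA1" | grep -qixF "$1"
}

# scan_dir DIR -> prints one line per matching regular file in DIR.
# Returns 0 when nothing matched and 1 when at least one file matched,
# so it can be used directly in an if/then.
scan_dir() {
    hits=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        h=$(sha1_of "$f")
        if is_known_bad "$h"; then
            printf '%s  %s\n' "$h" "$f"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}
```

Running `scan_dir /var/tmp` lists only the files that match, which is the set you would then remove by hand instead of wiping every tmp.* file.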

Thanks to the guys from #osxre for their input :=)

Have fun!

P.S.: If you want to run Mac OS X under VMware (useful for malware analysis), check out this link: http://forum.insanelymac.com/index.php?showtopic=139178
The Signiso.sh script needs a small fix (the path for the VMware ISO images), but it works fine with VMware Fusion 2.0.1.

One thought on “iWork/Photoshop Trojan or Botnet Binary found”

  1. Some details: current detections: eTrust-Vet:OSX/Krowi.A, Symantec:OSX.Iwork
    iWorkServices is a universal binary… it also comes with a Lua interpreter embedded, that's cool
