It seems there is a trojan or botnet binary for OS X in the wild. Some details available at http://ithreats.wordpress.com/2009/01/22/latest-os-x-threat-iworkservices/.
The iWorkservices binary is available here: iWorkServices-trojan.zip
A very quick and dirty strings dump and disassembly seems to show a trojan with botnet capabilities. There are references to p2p and that can be the main clue. There are no clear string references to a specific IP address or URL, which nowadays makes sense since most botnet use p2p features to contact the master nodes. Update: Further analysis from irc channel people reveal IP addresses do exist and are encrypted, but it seems inactive for now.
If you are interesting in this subject have a look at this year CCC presentation about Storm Botnet. Very good one!
Please leave feedback if you advance with analysis on this, I don’t have much free time available 😦.
Updates on this:
So it seems really to be a botnet binary. It’s a shame it looks inactive and not very functional since it appears to have fixed control servers which should be easy to take down. Bah!
Update version 2:
There is a new version this time packed on Adobe Photoshop CS4. If you want to give a look, grab the binary here: trojannewvariant.tar
While it writes a different name to /var/tmp each time it’s executed (it uses tmpnam function to create these), it doesn’t have any kind of polymorphic code. The trojan/botnet binary can be easily detected using a SHA1 checksum (MD5 shouldn’t be really used for anything, not even for these tasks). OpenSSL generates the following hash: b8ab6832bcf4b5b5db45e98d0a7d5a58d573f0e5.
That makes it easy to clean the file from /var/tmp (to be honest, I would do a rm -f /var/tmp/tmp.*, since I don’t see any harm by doing that). It seems Jason (grep the binary) isn’t yet very skilled writing this kind of stuff. And if someone bought this code, it’s rather useless and calls attention to the subject. This kind of stuff should be off the radar!
Thanks to the guys from #osxre for their input 😃.
P.S.: If you want to run Mac OS X under VMware (useful for malware analysis), check out this link http://forum.insanelymac.com/index.php?showtopic=139178.
Signiso.sh script needs a small fix (the path for the vmware iso images) but it works fine with Vmware Fusion 2.0.1.