Symantec Security Response, 2009-01-23
What do you call it when pirating software works against you? OSX.Iwork. What this means is that there is no free lunch, nor is there free Apple iWork '09, unless you download the trial version directly from Apple. Unfortunately, the idea of getting one over on a big corporation fuels a lot of file sharing, and malicious software authors bank on that.
Symantec has become aware of a Trojan currently being shared on peer-to-peer (P2P) networks. We originally reported on this yesterday on our Norton Protection Blog; take a look at the article New Trojan Attacks Pirates. Disguised as a copy of the legitimate trial version of Apple's iWork '09, the phony iWork '09 installer has the filename iWork09.zip and is approximately 450MB in size.

In contrast, the legitimate trial version of iWork '09 that is available from Apple is named iWork09Trial.dmg and is slightly over 451MB. The Trojanized package contains some parts of the official Apple iWork '09 trial version, but also includes a malicious installer named iWorkServices.pkg.
The iWorkServices.pkg contains the Trojan executable named iworkservices, and is approximately 404KB in size.
When the Trojanized installer is executed, it also runs the malicious program iworkservices. The Trojan, OSX.Iwork, targets the Mac OS and is compiled as a Mach-O multi-architecture binary. This allows the Trojan to run natively on both PowerPC and x86 architectures.
The Trojan first determines whether it is running as the root user on the compromised computer; if not, it exits. It then checks whether it was executed with the file name iWorkServices. If not, it creates the following folder:
/System/Library/StartupItems/iWorkServices
The Trojan then copies itself to both of the following locations:
/usr/bin/iWorkServices
/System/Library/StartupItems/iWorkServices
It then modifies the following file to ensure that it runs when the compromised computer restarts:
/System/Library/StartupItems/iWorkServices/StartupParameters.plist
The Trojan then restarts itself from its new location in /System/Library/StartupItems/iWorkServices and decrypts an AES-encrypted configuration file located in /private/tmp/.iWorkServices. Finally, the Trojan acts as a back door and opens a port on the local host to accept connections. It then attempts to connect to the following remote hosts:
69.92.177.146:59201
qwfojzlk.freehostia.com:1024
The inbound and outbound network traffic is also AES-encrypted. Symantec recommends that users who wish to try the trial version of iWork '09 download it directly from Apple at http://www.apple.com/iwork/.
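The file locations, StartupItems entry and remote hosts listed above are the artifacts a responder would look for on a suspect Mac. The following Python script is an added example, not Symantec's tooling or anything from the original write-up: it checks a filesystem root for the paths named in this article, reads the StartupParameters.plist the Trojan installs, and matches connection-log lines against the two remote hosts. The log lines, the plist contents and the temporary directory tree it scans are constructed for the demonstration; on a real system the root would be "/" and the log lines would come from a firewall or connection monitor.

```python
"""Host and network indicator check for the OSX.Iwork write-up (added example)."""
import os
import plistlib
import re
import tempfile

# Paths named in the write-up, relative to the filesystem root being scanned.
FILE_INDICATORS = [
    "usr/bin/iWorkServices",
    "System/Library/StartupItems/iWorkServices",
    "System/Library/StartupItems/iWorkServices/StartupParameters.plist",
    "private/tmp/.iWorkServices",
]

# Remote hosts named in the write-up, as (host, port) pairs.
NETWORK_INDICATORS = {
    ("69.92.177.146", 59201),
    ("qwfojzlk.freehostia.com", 1024),
}


def scan_filesystem(root):
    """Return (present indicator paths, parsed StartupParameters.plist or {})."""
    found = [p for p in FILE_INDICATORS if os.path.lexists(os.path.join(root, p))]
    plist_path = os.path.join(root, FILE_INDICATORS[2])
    startup = {}
    if os.path.isfile(plist_path):
        with open(plist_path, "rb") as fh:
            try:
                startup = plistlib.load(fh)
            except Exception:
                # A StartupItem with an unreadable plist is still worth flagging.
                startup = {"error": "unparseable StartupParameters.plist"}
    return found, startup


# Assumed (constructed) log format: "... dst=<host>:<port>"; adjust to your source.
LOG_RE = re.compile(r"dst=(?P<host>[^\s:]+):(?P<port>\d+)")


def match_connections(log_lines):
    """Return the log lines whose destination is one of the listed remote hosts."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and (m.group("host"), int(m.group("port"))) in NETWORK_INDICATORS:
            hits.append(line)
    return hits


def build_constructed_tree(root):
    """Lay out a fake infected tree under root (constructed, for the demo only)."""
    item_dir = os.path.join(root, "System/Library/StartupItems/iWorkServices")
    os.makedirs(item_dir)
    os.makedirs(os.path.join(root, "usr/bin"))
    os.makedirs(os.path.join(root, "private/tmp"))
    open(os.path.join(root, "usr/bin/iWorkServices"), "wb").close()
    open(os.path.join(root, "private/tmp/.iWorkServices"), "wb").close()
    # Constructed plist; the real Trojan's keys are not given in the write-up.
    with open(os.path.join(item_dir, "StartupParameters.plist"), "wb") as fh:
        plistlib.dump({"Description": "iWorkServices", "Provides": ["iWorkServices"]}, fh)


# Constructed connection log: one benign line (TEST-NET address), two matching
# the write-up's hosts, and one to the listed IP on a non-listed port.
CONSTRUCTED_LOG = [
    "2009-01-23T10:00:01 proto=tcp src=10.0.0.5:49152 dst=192.0.2.10:443",
    "2009-01-23T10:00:02 proto=tcp src=10.0.0.5:49153 dst=69.92.177.146:59201",
    "2009-01-23T10:00:03 proto=tcp src=10.0.0.5:49154 dst=qwfojzlk.freehostia.com:1024",
    "2009-01-23T10:00:04 proto=tcp src=10.0.0.5:49155 dst=69.92.177.146:80",
]


def demo():
    """Scan a constructed tree and the constructed log; return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_tree(root)
        found, startup = scan_filesystem(root)
    hits = match_connections(CONSTRUCTED_LOG)
    return found, startup, hits


if __name__ == "__main__":
    found, startup, hits = demo()
    print("filesystem indicators present:", found)
    print("StartupParameters.plist:", startup)
    print("connections to listed hosts:", hits)
```

The port is matched together with the host on purpose: the fourth constructed log line goes to the listed IP on port 80 and is not reported, which keeps the check tied to what the article actually observed rather than flagging any traffic to that address.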
*Note: My thanks to Angela Thigpen for her assistance with the research on this threat and information provided in this article.