This malware arrives as a file bundled with pirated versions of Apple's iWork '09 suite which may be downloaded from file sharing Web sites. The malicious code is stored in iWorkServices.pkg as shown below:
It attempts to install itself as iWorkServices in the /usr/bin and in /System/Library/StartupItems/iWorkServices folders.
It then modifies the attribute of the installation folder by executing the command chmod 755 to set read and execute access for everyone and also write access for the owner of the file.
This malware creates the property list StartupParameters.plist in the startup item directory /System/Library/StartupItems/iWorkServices which contains the following data:
Description = "iWorkServices";
Provides = ("iWorkServices");
Requires = ("Network");
OrderPreference = "None";
Once connected, the following P2P commands may be executed on the affected machine:
This malware connects to the following Web sites to send and receive information:
This malware runs on Mac OS X.
Analysis By: Jasper Manuel