Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

OSX.Iservice—It’s not going to iWork for you.

Created: 23 Jan 2009 12:40:04 GMT • Updated: 23 Jan 2014 18:38:00 GMT
Andy Cianciotto's picture
0 0 Votes
Login to vote

What do you call it when pirating software works against you?  OSX.Iservice. What this means is that there is no free lunch, nor is there free Apple iWork '09, unless you download the trial version directly from Apple. Unfortunately, the idea of getting one over on a big corporation fuels a lot of file sharing, and malicious software authors bank on that. 

Symantec has become aware of a Trojan currently being shared on peer-to-peer (P2P) networks. We originally reported on this yesterday on our Norton Protection Blog—take a look at the article New Trojan Attacks Pirates. Disguised as a copy of the legitimate trial version of Apple’s iWork ‘09, the phony iWork ’09 installer has the filename and is approximately 450MB in size.

In contrast, the legitimate trial version of iWork ’09 that is available from Apple is named iWork09Trial.dmg and is slightly over 451MB. The Trojanized package contains some parts of the official Apple iWork ’09 trial version, but also includes a malicious installer named iWorkServices.pkg.

The iWorkServices.pkg contains the Trojan executable named iworkservices, and is approximately 404KB in size.

When the Trojanized installer is executed, it also runs the malicious program iworkservices. The Trojan, OSX.Iservice, targets the Mac OS and is compiled as a Mach-O multi-architecture binary. This allows the Trojan to run natively on both PowerPC and x86 architectures.

The Trojan first determines if it is the root user on the compromised computer and if not, it will end. Then, it checks to see if it was executed with the file name iWorkServices. If not, it will create the following folder:


The Trojan then copies itself to both of the following locations:


It then modifies the following file to ensure that it runs when the compromised computer restarts:


The Trojan then restarts itself from its new location in /System/Library/StartupItems/iWorkServices, and decrypts an AES encrypted configuration file, which is located in /private/tmp/.iWorkServices. Finally, the Trojan acts as a back door and opens a port on the local host for connections. It then attempts to connect to the following remote hosts:

The inbound and outbound network traffic is also AES encrypted. Symantec recommends that users who wish to try the trial version of iWork ’09 should download it directly from Apple at

*Note: My thanks to Angela Thigpen for her assistance with the research on this threat and information provided in this article.

Message Edited by Ben Nahorney on 01-23-2009 06:09 AM