The Trojan is shared through BitTorrent and is bundled with a modified copy of the iWork09 trial application.
The modified iWork09 installer has the following file name and is 472,275,848 bytes (450 MB) in size:
The bundle contains part of the legitimate iWork09 trial package and also the following malicious package:
When the installer is executed, it runs the following malicious program:
The malicious file is a Universal Binary designed to run both on PowerPC and x86 architectures.
Next, the Trojan determines whether the session is running with root privileges. If not, the threat exits.
If it was not executed from the iWorkServices file, the Trojan creates the following folder:
It then attempts to delete the following file:
The Trojan copies itself as the following file:
It modifies the following files so that it runs every time the computer starts:
Next, the Trojan restarts itself from the /System/Library/StartupItems/iWorkServices folder and decrypts its configuration file, which is encrypted with AES.
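The persistence mechanism described above can be triaged by enumerating the StartupItems directories of a suspect volume. The script below is an added example, not code from the Symantec write-up; it assumes only the /System/Library/StartupItems/iWorkServices path named in the text, also checks /Library/StartupItems (the other location StartupItems load from), and builds its own constructed fixture so it runs offline.

```sh
#!/bin/sh
# Added triage helper (not from the original write-up). Pass a volume root such as a
# mounted image of the suspect disk so the analysis host itself is never scanned;
# defaults to /.

# Walk the StartupItems directories under $1 and report each entry.
# Prints "SUSPECT: <path>" for an entry named iWorkServices and lists its contents.
# Returns 0 when the suspect item is present, 1 when it is absent.
scan_startup_items() {
    root="${1:-/}"
    hit=1
    for dir in "$root/System/Library/StartupItems" "$root/Library/StartupItems"; do
        [ -d "$dir" ] || continue
        for item in "$dir"/*; do
            [ -e "$item" ] || continue
            case "$(basename "$item")" in
                iWorkServices)
                    echo "SUSPECT: $item"
                    ls -l "$item"          # show what was dropped into the item
                    hit=0 ;;
                *)  echo "item: $item" ;;
            esac
        done
    done
    return "$hit"
}

# Constructed fixture standing in for an infected volume (no real malware involved):
# an empty file at the path the Trojan copies itself to, the StartupParameters.plist
# every StartupItem carries, and a benign item for contrast.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/System/Library/StartupItems/iWorkServices" \
             "$fx/Library/StartupItems/BenignItem"
    : > "$fx/System/Library/StartupItems/iWorkServices/iWorkServices"
    : > "$fx/System/Library/StartupItems/iWorkServices/StartupParameters.plist"
    echo "$fx"
}

# Stand-alone demo against the constructed fixture.
demo_root=$(make_fixture)
scan_startup_items "$demo_root"
rm -rf "$demo_root"
```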
It then opens a back door on the compromised computer and may contact the following hosts in order to receive further commands from the remote attacker:
The remote attacker may use the following remote commands:
The network traffic is encrypted with AES.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":