
As reported recently all over the blogosphere, the world’s first Mac-based botnet is active after infiltrating people’s systems in January by way of a trojan hidden inside pirated iWork’09 installers. If you downloaded and installed iWork’09 from a torrent, binary newsgroup, or any other source not from Apple’s trial download links or official DVDs, you have a high likelihood of infection and need to do something about it.

We’re not here to judge; we are here to help. If you know you may be at risk, determine right away whether you are infected and, if you are, rid yourself of the infection.

Manually Determining Infection

To check by hand, open Terminal.app. There are three independent checks, and you should run all three. The trojan installs itself under the name iWorkServices, so each check looks for that name (case-insensitively, as iworkserv) in a different place: the process list, the open network sockets, and the filesystem.

1. Check for the process running
ps aux | grep -i iworkserv | grep -v "grep"
This lists every process whose command line contains iworkserv, then drops the grep command itself (which would otherwise match its own argument). ps aux shows every user’s processes, root’s included, so sudo is not needed here. If this prints anything at all, you are most likely infected.

2. Check for open network connections
sudo lsof -i -P | grep -i iworkserv
This lists every process that has an Internet socket open (-i), with port numbers shown numerically rather than as service names (-P), and keeps only the lines whose command name contains iworkserv. Here sudo is needed: lsof only shows other users’ sockets, including root’s, when run as root. lsof truncates the command name to nine characters by default, which leaves “iWorkServ” and so still matches. If this returns anything at all, the trojan has a network connection open and you are most likely infected.

3. Check for the files on your hard drive
sudo find / -iname "iworkserv*" -print
This walks the entire filesystem looking for any file or directory whose name begins with iworkserv, ignoring case. sudo lets find descend into directories your own account cannot read. If this returns anything at all, you are most likely infected; note the paths it prints, because those are what you will want to confirm are gone after cleaning.
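The three checks above as one script, added here as an example and not code from the original post or from SecureMac. It assumes, as the post does, that the only indicator is the name iWorkServices; the `-n` and `-xdev` flags, the `[i]workserv` bracket trick, and every sample path and process line below are the example’s own choices, constructed for illustration rather than captured from an infected machine.

```sh
#!/bin/sh
# Added example, not the post's code. Runs the same three checks as the
# post, but pushes each command's output through one matcher so the logic
# can be exercised on sample output without sudo or a full disk walk.
# Assumption: the only indicator is the name "iWorkServices".

# "[i]workserv": the bracket keeps the regex from matching its own grep
# command line in a ps listing, so no `grep -v grep` pass is needed (that
# pass would also hide a malicious process whose arguments contain "grep").
MARKER_RE='[i]workserv'

# Print the number of stdin lines that mention the marker, ignoring case.
count_marker_lines() {
    grep -i -c -- "$MARKER_RE" || true   # grep exits 1 on zero matches; not an error here
}

# Check 1: processes. `ps aux` shows every user's processes, root's included,
# so this one needs no sudo.
check_processes() {
    ps aux | count_marker_lines
}

# Check 2: network sockets. `lsof -i` lists only Internet sockets, and lsof
# shows other users' sockets only when run as root, so this one needs sudo.
# -n/-P keep host and port numbers numeric (no DNS or service lookups).
check_sockets() {
    sudo lsof -i -P -n | count_marker_lines
}

# Check 3: filenames. Root is needed to descend into directories your user
# cannot read; -xdev stays on the boot volume; permission errors are dropped.
check_files() {
    sudo find / -xdev -iname 'iworkserv*' 2>/dev/null | wc -l | tr -d ' '
}

# Any hit in any of the three checks is treated as an infection.
verdict() {
    if [ "$1" -gt 0 ] || [ "$2" -gt 0 ] || [ "$3" -gt 0 ]; then
        echo INFECTED
    else
        echo CLEAN
    fi
}

# Run all three live and print one line per check plus the verdict.
scan_live() {
    p=$(check_processes); s=$(check_sockets); f=$(check_files)
    printf 'processes=%s sockets=%s files=%s -> %s\n' \
        "$p" "$s" "$f" "$(verdict "$p" "$s" "$f")"
}

# Constructed sample `ps aux` output (paths invented for the example): one
# infected-looking line plus the checker's own grep, which must not count.
SAMPLE_PS_INFECTED='root    71  0.0 0.1 2435168 1160 ?? Ss 10:02AM 0:00.12 /usr/local/example/iWorkServices
alice 1234  0.0 0.0 2434840  776 s000 R+ 10:05AM 0:00.00 grep -i -c -- [i]workserv'

SAMPLE_PS_CLEAN='root     1  0.0 0.1 2468012 1796 ?? Ss 10:00AM 0:01.02 /sbin/launchd
alice 1234  0.0 0.0 2434840  776 s000 R+ 10:05AM 0:00.00 grep -i -c -- [i]workserv'

# `sh detect.sh --demo` runs the matcher on the samples only;
# `sh detect.sh --live` runs the real checks (two of them prompt for sudo).
if [ "${1:-}" = "--demo" ]; then
    p=$(printf '%s\n' "$SAMPLE_PS_INFECTED" | count_marker_lines)
    c=$(printf '%s\n' "$SAMPLE_PS_CLEAN" | count_marker_lines)
    echo "infected sample: $p hit(s) -> $(verdict "$p" 0 0)"
    echo "clean sample:    $c hit(s) -> $(verdict "$c" 0 0)"
elif [ "${1:-}" = "--live" ]; then
    scan_live
fi
```

Running it with --demo exercises only the matcher, so you can confirm the grep self-match is excluded before trusting the live run; with --live it performs the post’s three checks and prints a single INFECTED or CLEAN verdict.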

Quick Detection and Removal

The people over at SecureMac have posted a simple (and free) tool that will detect and rid you of infection. If you even think there’s a slight chance of infection, you should run this. This will scan your system and inform you if you need to clean the infection. If so, it will offer to clean it for you. For peace of mind, you can test manually with the steps above before and after cleaning, to ensure removal is complete.

Prevention

There is a long-running debate about how necessary antivirus scanning is on Macs. The situation is clearly becoming riskier, so I take the middle ground and run the full MacScan software as a scheduled job once a week. That gives me confidence that I will catch anything within a week, without slowing the system down with an always-on process inspecting every file I open.

But crucially (and I cannot stress this enough), the most effective prevention is to be careful what you download and install, and especially careful what you type your admin password for: an installer that asks for it can put files anywhere on the system. I’ve never had an infection on Windows or Mac in my life, and they’re not hard to avoid if you keep your systems updated with security patches and don’t install software indiscriminately. Just as you look left and right before you cross the road, look before you install.


  1. Note that sudo is not required for any of these commands. And if you try running them in a regular (non-administrative) user account, they will fail. It is therefore probably a better idea not to include sudo in the commands on your web page.

  2. Paul Moriarty Friday, April 24, 2009

    As a matter of practice, one should not run commands as root unless necessary. The “sudo” in Step 1 is not required.

  3. Then again, this was a trojan that you had to actually install yourself. And for the record, it doesn’t actually do anything. So, as long as you’re staying off the torrent sites and not installing crap from an unknown origin, you should be safe. This was more of a proof of concept than anything else.

  4. Does ClamAV look for iWorkServices infection?

  5. It’s worth noting that if you downloaded iWork ’09 and had MacScan or any other virus protection software running, it would not have done any good. This program would not have been in the definition file of any of these apps. My biggest argument against security software is that it is only as good as the definition file, and the file will never be ahead of the malware. That said, it’s not an excuse not to run it, and as always smart downloading and emailing is the best defense.

  6. Welcome to four months ago.

  7. Sophto’s BloGy » Blog Archive » Is your Mac infected? Friday, April 24, 2009

    [...] Source [...]

  8. abednarz.net » Mac Botnet: How To Ensure You’re Not Part of the Problem Friday, April 24, 2009

    [...] Read how to detect and remove over at TAB. [...]

  9. I seem to recall a story that SecureMac was a malware site. Does anyone remember this?

  10. I think it’s worth saying that if you pirated the infected apps and got bit you got what you deserved.

    “As a matter of practice, one should not run commands as root unless necessary.”

    Perhaps, but this is looking for a process which might be running under root. sudo ensures EVERY process is looked at, not just the user’s own processes.
