After the torrent-ed copy of iWork 09 is installed, two new services OSX.Iservice and OSX.Iservice.B also get installed as start up item and gain root level privileges. These two services use different method to obtain a Mac user's password and then take control of the machine.
Mario Ballano Barcena and Alfredo Pesoli, Symantec researchers, posted their findings at Virus Bulletin (requires subscription) the botnet has some sophisticated capabilities that suggest the work of an experienced programmer who may have rented out his creation to someone else who actually used it for denial-of-service attacks, a common pattern seen in botnets formed from Windows PCs.
Symantec spots first Mac botnet
Posted on Monday, April 20 2009 @ 20:59 CEST by Thomas De Maesschalck