New Mac OS X Trojan Found in Pirated iWork ’09

“Intego has discovered a new Trojan horse, OSX.Trojan.iServices.A, which is currently circulating in copies of Apple’s iWork 09 found on BitTorrent trackers and other sites containing links to pirated software. The version of iWork 09, Apple’s productivity suite, are complete and functional, but the installer contains an additional package called iWorkServices.pkg.” Update: A new variant has been discovered in a pirated version of Adobe Photoshop CS4, also information about one target of a DDOS attack coming from the trojan.

Whilst a report of a new virus trojan from a company that sells anti-virus software can be construed as a scaremongering, in this case the facts still remain that a poisoned installer package has been created that is in wide distribution.

This raises a particular point about piracy. Whilst I don’t condone piracy, I do firmly believe that those who do pirate should only do it if they know what they’re doing. I see so many PCs riddled with viruses from people not clued-in enough to know what a file extension is.

Now apply this to the Mac landscape and you’ve got a majority of people not running anti-virus, nor necessarily the where-with-all to properly check for suspicious activity — or (for those who do know) the pre-disposed nature that “it won’t happen to me”, because they’re on a Mac.

iWork ’09 already doesn’t have any activation or anti-piracy measures, so really people (that is to say, pirates) should be checking MD5s, but then who actually does this when they’re complacent enough already by going to untrustworthy sites to download executables from untrustworthy people?

The Intego report explains how the trojan is installed:

“When installing iWork 09, the iWorkServices package is installed. The installer for the
Trojan horse is launched as soon as a user begins the installation of iWork, following
the installer’s request of an administrator password (in older versions of Mac OS X,
10.5.1 or earlier, there will be no password request). This software is installed as a
startup item (in /System/Library/StartupItems/iWorkServices, a location reserved
normally for Apple startup items), where it has read-write-execute permissions for root.

The malicious software connects to a remote server over the Internet; this means that a
malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The
Trojan horse may also download additional components to an infected Mac.

As a torrent release of a new and popular product, Intego estimate the potential number of people affected:

Intego is issuing this alert to warn Mac users not to download iWork 09 installers from sites offering pirated software. (As of 6 am EST, at least 20,000 people have downloaded this installer.) The risk of infection is serious, and users may face extremely serious consequences if their Macs are accessible to malicious users.

Do I think that you need to rush out and buy anti-virus software for the Mac?
No. I think people need to rush out and get some common sense. Most people who pirate software do so out of laziness, habit, ignorance and convenience. I have never once met someone who had to choose between eating that day, or purchasing an office suite.

Everything you could ever want to do with a computer can be had for free, if you know where to look and how to use it. Piracy is a matter of attitude, not ideals.

However. This may be the first wide-spread, severe malware for Mac OS X to arrive on the scene. The security of Mac OS X had held up for 8 years, however no amount of security can truly survive social engineering. PC and Linux users have not been any more secure in this regard either. It’s merely a matter of those with malicious intent measuring the profit that can be made (monetary or otherwise) from their exploits.

I hope this wakes up those who pirate Mac software. I hope this doesn’t wake up Symantec into hammering vulnerable Mac users with worthless software.

Kroc Camen.

55 Comments

  1. 2009-01-22 6:16 pm
    • 2009-01-22 7:57 pm
      • 2009-01-23 9:23 am
        • 2009-01-23 12:21 pm
          • 2009-01-23 10:52 pm
        • 2009-01-23 2:41 pm
    • 2009-01-22 10:19 pm
      • 2009-01-23 2:19 am
      • 2009-01-23 7:30 am
        • 2009-01-24 12:57 am
      • 2009-01-23 3:44 pm
        • 2009-01-24 12:52 am
    • 2009-01-24 8:44 am
    • 2009-01-24 1:02 pm
  2. 2009-01-22 6:22 pm
    • 2009-01-23 2:58 pm
  3. 2009-01-22 6:35 pm
    • 2009-01-22 7:06 pm
    • 2009-01-22 8:26 pm
      • 2009-01-22 8:53 pm
      • 2009-01-22 9:44 pm
      • 2009-01-22 11:21 pm
      • 2009-01-24 3:02 pm
    • 2009-01-22 9:43 pm
  4. 2009-01-22 6:45 pm
    • 2009-01-22 6:58 pm
  5. 2009-01-22 7:02 pm
  6. 2009-01-22 7:05 pm
    • 2009-01-23 12:45 am
    • 2009-01-23 10:00 am
  7. 2009-01-22 9:34 pm
  8. 2009-01-22 9:36 pm
    • 2009-01-22 11:06 pm
    • 2009-01-22 11:06 pm
    • 2009-01-22 11:10 pm
      • 2009-01-22 11:42 pm
        • 2009-01-23 3:57 am
        • 2009-01-23 4:03 am
          • 2009-01-23 10:30 am
          • 2009-01-23 2:14 pm
      • 2009-01-23 6:57 pm
    • 2009-01-23 8:22 am
      • 2009-01-23 10:22 am
        • 2009-01-24 3:20 am
          • 2009-01-24 8:25 am
          • 2009-01-26 5:05 pm
          • 2009-01-24 3:57 pm
    • 2009-01-23 10:30 am
    • 2009-01-23 1:58 pm
      • 2009-01-23 7:15 pm
  9. 2009-01-23 4:54 am
  10. 2009-01-23 8:31 am
  11. 2009-01-23 6:30 pm
  12. 2009-01-23 7:44 pm
  13. 2009-01-24 2:16 pm