Sunday, January 25, 2009

Pirated iWork 09 contains Mac Trojan Horse

iwork 09.jpg

Even though this doesn't count as a fun weekend topic, I think it bears mentioning to those of you who are using Macs and looking to save money by cutting some security corners. Usually we Mac lovers have very little reason to be concerned about security issues like viruses, etc but every once in a while a problem comes along that reminds us no one is immune.

It seems that a pirated copy of iWork 09 that can be downloaded for free comes with a little surprise that means its not really free after all. The program also contains a payload of the OSX.Trojan.iServices.A Trojan Horse. It was spotted by Intego on January 21. Here is what the Intego website has to say:

Exploit: OSX.Trojan.iServices.A Trojan Horse

Discovered: January 21, 2009

Risk: Serious

Description: Intego has discovered a new Trojan horse, OSX.Trojan.iServices.A, which is currently circulating in copies of Apple’s iWork 09 found on BitTorrent trackers and other sites containing links to pirated software. The version of iWork 09, Apple’s productivity suite, are complete and functional, but the installer contains an additional package called iWorkServices.pkg.

When installing iWork 09, the iWorkServices package is installed. The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer’s request of an administrator password. This software is installed as a startup item (in /System/Library/StartupItems/iWorkServices, a location reserved normally for Apple startup items), where it has read-write-execute permissions for root. The malicious software connects to a remote server over the Internet; this means that a malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac.

Intego is issuing this alert to warn Mac users not to download iWork 09 installers from sites offering pirated software. (As of 6 am EST, at least 20,000 people have downloaded this installer.) The risk of infection is serious, and users may face extremely serious consequences if their Macs are accessible to malicious users.

Intego VirusBarrier X4 and X5 with virus definitions dated January 22, 2009 or later protect against this Trojan horse. Intego recommends that users never download and install software from untrusted sources or questionable web sites.

No comments:

Post a Comment