MacRumors

macrumors bot
Original poster


A security alert posted this morning by antivirus vendor Intego reveals that the company has discovered a new Trojan horse that is being carried by pirated copies of iWork '09 circulating on a number of torrent sites.

The Trojan, which Intego has classified as a "serious" risk and named OSX.Trojan.iServices.A, allows a malicious user to connect to an infected machine and perform various functions, as well as download additional software to the machine.

This software is installed as a startup item (in /System/Library/StartupItems/iWorkServices, a location reserved normally for Apple startup items), where it has read-write-execute permissions for root. The malicious software connects to a remote server over the Internet; this means that a malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac.

Intego reports that over 20,000 users had downloaded the package as of 6:00 AM Eastern time this morning, and an update to an entry posted on Intego's Mac Security Blog notes that the Trojan now appears to be actively downloading new code to infected machines and using them to carry out denial-of-service attacks on certain websites.

Article Link: iWork '09 Torrent Carrying OS X Trojan
 
They type in their password. It looks like somebody just wrote a malicious app. I guess that is what they get for being cheap. Has anyone found a removal tool for it yet? Or is it still spreading?
 
They type in their password. I guess that is what they get for being cheap. Has anyone found a removal tool for it yet? Or is it still spreading?

Users that have downloaded and installed a pirated version of iWork '09 can check for iWorkServices in /System/Library/StartupItems. iWorkServices is the malicious payload that's installed along with iWork.
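
The check described in the post above, as an added example that is not part of the original thread or Intego's alert. The startup-item path and the name iWorkServices come from the article; the function names, return codes and the optional root argument (for inspecting a mounted backup or disk image instead of the live system) are assumptions of this example.

```shell
#!/bin/sh
# Added example: look for the startup item named in the Intego alert.
# IOC_DIR and IOC_NAME are taken from the article; all other names are hypothetical.
IOC_DIR="System/Library/StartupItems"
IOC_NAME="iWorkServices"

# check_iworkservices [ROOT]
# ROOT defaults to "/"; pass the mount point of a backup or image to inspect it offline.
# Returns 0 if the item is absent, 1 if it is present,
# 2 if the StartupItems directory itself cannot be found.
check_iworkservices() {
    root="${1:-/}"
    dir="${root%/}/$IOC_DIR"
    if [ ! -d "$dir" ]; then
        echo "StartupItems directory not found: $dir"
        return 2
    fi
    # -L also catches a dangling symlink left behind by a partial cleanup
    if [ -e "$dir/$IOC_NAME" ] || [ -L "$dir/$IOC_NAME" ]; then
        echo "FOUND: $dir/$IOC_NAME"
        ls -ld "$dir/$IOC_NAME"      # show owner and mode for the record
        return 1
    fi
    echo "not present: $dir/$IOC_NAME"
    return 0
}

# list_startup_items [ROOT]
# The article notes this location is normally reserved for Apple startup items,
# so print every entry, one per line, for manual review.
list_startup_items() {
    root="${1:-/}"
    dir="${root%/}/$IOC_DIR"
    [ -d "$dir" ] || return 2
    for entry in "$dir"/*; do
        # skip the literal pattern when the directory is empty
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        basename "$entry"
    done
}
```

Source the file and call `check_iworkservices` with no argument to test the running system; an absent item only shows that this one startup item is missing, not that the machine is clean.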
 
Illegal software carries a trojan? As Justin Trousersnake once sang: "Cry Me A River."
 
Interesting. Two things: Could this possibly be prevented for those with Little Snitch? Wouldn't they see "OSX.Trojan.iServices.A is trying to connect to ##.###.###", and then deny access to it? Also, couldn't this be removed by the user just deleting OSX.Trojan.iServices.A from StartupItems?
 
********. I dl and installed iWorks, so did 4 people I know, none of us has this freakin' thing installed.

Intego is at it again with imaginary threats
 
Ouch. Seems Apple is doing pirates a favour by not requiring a serial number in iWork '09, but these peeps have got burnt and won't realise it.

Ironically the other day I spent hours troubleshooting a weird problem a client was having on their Power Mac G5. Turns out all their Word documents were infected with a macro virus. I wasted a lot of time as I just didn't think to check for viruses, it being OS X and all :rolleyes:
 
********. I dl and installed iWorks, so did 4 people I know, none of us has this freakin' thing installed.

Intego is at it again with imaginary threats

'Fraid it's real, I picked up on this a few days ago via some underground info.
Might want to get rid of whatever you downloaded and get the real McCoy from Apple
 
Haha. I have no sympathy. It actually kind of made me smile....
 
Ironically the other day I spent hours troubleshooting a weird problem a client was having on their Power Mac G5. Turns out all their Word documents were infected with a macro virus. I wasted a lot of time as I just didn't think to check for viruses, it being OS X and all :rolleyes:

Not the same as an actual virus for OS X.
 
They should have just not said anything. Karma can be a bitch!

Ha, the other day I ran across an iWork 09 torrent that came out a day after the release. Thankfully I can't even figure why I would want to buy, let alone steal the suite.
 