rm -r

It doesn't seem wise for MacRumors to post the fix in the manner they did.

Consider line #3: rm -r /System/Library/StartupItems/iWorkServices

What if someone typed "rm -r /", then reached over to hold down the SHIFT key to make the capital S in "System", but instead accidentally hit RETURN?

Wouldn't it erase everything? Or is a safeguard built in? I don't have a machine where I can test it.

It would seem safer to "cd" to the proper directory (like StartupItems), then rm -r iWorkServices.

Just a thought.
 
Why do people have to use terminal to get rid of it? Can't they just go into the folder with the corrupt iworkservices.pkg file and just delete it?
 
I'm still gonna download it. :p, because I'm sure I can get rid of it, or at least get a copy that's free of trojan :]
 
this is a good reason to use legit software. (not to mention morality and decency)

even though OS X is more secure than Windows, user idiocy accounts for the majority of viruses and spyware I've come across on my clients' Windows computers. it was only a matter of time before that idiocy spilled over to the mac world.

i would venture to say that a healthy majority of Windows viruses, trojans, etc. that I've seen have been on computers that have stuff on them people downloaded for 'free' from torrent services... wasn't so 'free' when they had to hire me to fix their computer. :rolleyes:
 
That removes the Trojan, but doesn't address damage that may have been done...

I think he meant trojin. It seems easy to detect without an anti-virus program. I just came back from TUAW with the easy detection. Just follow this to see if ya got it or not. It's the same thing as I think was posted here. But just in case someone's panicking, here it is again:

Look for /System/Library/StartupItems/iWorkServices

To remove it.
1) (open Terminal.app)
2) sudo su (enter password)
3) rm -r /System/Library/StartupItems/iWorkServices
4) rm /private/tmp/.iWorkServices
5) rm /usr/bin/iWorkServices
6) rm -r /Library/Receipts/iWorkServices.pkg
7) killall -9 iWorkServices


Note that this fix only removes the Trojan service - it doesn't clean up any changes that the Trojan may have made to the system while it was running.

Intego says that they've seen evidence of the Trojan downloading other malware.

http://blog.intego.com/

Update: Intego is getting reports of the iServices.A Trojan horse actively downloading new code and acting as a botnet, participating in distributed denial of service attacks on certain websites.

In other words, if the trojan started on your system, you have no idea what it has done. You had a malicious agent with full root privs running on your system, under the control of network criminals.

The only completely safe, simple action is to reformat your drive and reinstall the OSX.

You don't know what it has done to your system. It may have modified other files, added things to other startups, installed programs, modified the firewall, set up periodic jobs, installed a rootkit, or any number of things.
 
Hey, just wondering why people don't just look in the installer package before they install their copy to see if they have a file that looks like the one pictured in the link below. As long as the installer doesn't have this file it should be safe, right? Also see if their copy adds up to the same amount of bytes that a legit copy would contain. I am fairly sure that the number is out there and you could cross examine a legit version and your version to make sure it is authentic. But indeed, it is not like the program is worth stealing, use the student version of office if anything and split the cost with two other people, get openoffice or abiword or pay for the better stuff (ie. saving for them).

Though it does suck that Apple keeps making people pay for minor updates to software that is initially free, kinda like a pusher. I already purchased iLife 3 times, my last being '08 in December (what a 99 dollar kick in the teeth Macworld '09 was)

http://www.intego.com/news/ism0901.asp
 
I guess I'm just gonna have to say I'm an idiot so that anyone who needs to know this can do it, but how do you key this stuff in? Is it one continuous command? Do you type in 'rm' or is that a key thing?

Also, if you go to /System/Library/Startupitems but don't see iworkservices then you're in the clear? Or do we know if it's hidden or not? I have never looked there before and it's blank...?



Is this pic from the package after you download it?
ism0901.png


The one from Apple just mounts on its own after it finishes downloading.
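
An added example, not part of any post in this thread: a read-only check for the four file paths named in the removal steps quoted earlier, which also covers the question of whether an entry could be hidden (the `/private/tmp/.iWorkServices` dot-file is not shown by Finder or a plain `ls`). The function names and the optional root-directory argument are assumptions made for the example.

```shell
#!/bin/sh
# Read-only check for the file-system paths listed in the removal steps
# quoted in this thread. Nothing is deleted or modified.
# Function names and the optional ROOT argument are assumptions of this example.

IWS_PATHS='/System/Library/StartupItems/iWorkServices
/private/tmp/.iWorkServices
/usr/bin/iWorkServices
/Library/Receipts/iWorkServices.pkg'

# find_iworkservices [ROOT]
# Prints every listed path that exists under ROOT (default: the live system).
# Returns 0 when none exist, 1 when at least one does.
find_iworkservices() {
    root=${1:-}
    found=0
    while IFS= read -r p; do
        # -e and -L test the exact name, so the dot-file in /private/tmp
        # is seen even though Finder and a plain `ls` do not list it.
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            printf '%s\n' "$p"
            found=1
        fi
    done <<EOF
$IWS_PATHS
EOF
    return $found
}

# demo_constructed_tree
# Builds a constructed sample tree holding two of the four paths and prints
# its location, so the check can be tried without touching a real system.
demo_constructed_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/System/Library/StartupItems/iWorkServices" "$d/private/tmp"
    : > "$d/private/tmp/.iWorkServices"
    printf '%s\n' "$d"
}
```

Run `find_iworkservices` with no argument to check the running system; an empty result only means these four paths are absent.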
 
Why don't people just delete the file in question, iworkservices.pkg out of their system/library/startupitems folder? Seems simpler than using terminal
 
Is NOBODY going to ask the most important question?

Isn't the most interesting thing to know: which particular site the trojan launches a "denial of service" attack against?

"Cui bono" - is Latin for "who benefits?":
http://en.wikipedia.org/wiki/Cui_bono

If someone here is smart enough, it shouldn't be hard to find out which particular site the trojan is targeting. Maybe even Little Snitch could tell us. Identifying the DDS target site would inform us as to who might like to have the target site "done in".

History makes sense when you find context and motivations.

Never mind the tinfoil hats. It's clear that someone put a bit of resources into this. People put out that effort for a reason. This is a good story - but isn't the most interesting part of it - why? who?
 
late to the show but...

I used to be into the whole hacked, cracked, and pirated software gig when I was much younger. I always wondered why my machines ran like garbage. Now that I keep everything legit, my machines run great. Coincidence? I think not.

This does not compute. Example:

"Back in the 60's, I used to drive a '65 Beetle with Goodyear tyres. I always thought it was real slow. Now I own a '05 Beetle with Michelin tires, and it's much faster."

You know, computers have evolved since you were "much younger".
 
As I'm sure others have said, let me echo it here:

A virus exploits the weaknesses of an OS
A trojan exploits the weaknesses of the user of the OS
 
Note that this fix only removes the Trojan service - it doesn't clean up any changes that the Trojan may have made to the system while it was running.

Intego says that they've seen evidence of the Trojan downloading other malware.

http://blog.intego.com/

Update: Intego is getting reports of the iServices.A Trojan horse actively downloading new code and acting as a botnet, participating in distributed denial of service attacks on certain websites.

In other words, if the trojan started on your system, you have no idea what it has done. You had a malicious agent with full root privs running on your system, under the control of network criminals.

The only completely safe, simple action is to reformat your drive and reinstall the OSX.

You don't know what it has done to your system. It may have modified other files, added things to other startups, installed programs, modified the firewall, set up periodic jobs, installed a rootkit, or any number of things.

+1. If I were dumb enough to have got this trojan then that's exactly what I'd do. Zero sympathy for those who get this.
 
As I'm sure others have said, let me echo it here:

A virus exploits the weaknesses of an OS
A trojan exploits the weaknesses of the user of the OS

A trojan is a definition of Malware (malicious software). A trojan appears to be a regular program, but does things secretly in the background, like emailing copies of itself to addresses found in contact lists or acting as a node in a BotNet.

A virus is defined as a piece of malicious code that has the ability to replicate itself and infect other computers either through the network or removable media. Typically a virus infects the code of other files. A virus does not necessarily have to cause harm to a computer. A virus can be a trojan.

That being said, MOST viruses/trojans/worms/malware in general exploit the weaknesses of the user, since it usually starts with people executing foreign code on their systems. The fact that most malware is written for the broader Windows market obviously doesn't make Windows the only OS that can play host to malware.

It's not impossible to code a virus or any other malicious software for OSX, because even though the OS might have more strict user access policies than Windows, the users are just as weak, if not weaker.
 
Ethics - pirates v Apple ?

There's a lot of moral objections to everyone who has downloaded iWork 09 via the torrent and I for one have not done so and prefer to do the right thing and buy my software. I think it's almost ironic though that if I were to go down that route (of illegally obtaining it), it would be a direct result of Apple's failure to offer me a legitimate course to "upgrade" my existing purchased copy of iWork 08. I wouldn't object to anyone "upgrading" via obtaining an illegal copy of the new version rather than paying a full purchase price for "some" functionality improvements. And incidentally, 08 was woefully inadequate as a release in the first place.
 
I'm curious as to what countries have such lax copyright laws?

Granted, American copyright law is archaic and authoritarian, if DMCA is any indication.

Hmm, I'm not sure, but I think China might have. Certainly when I was in a city of 6 million people I went into an 'authorised Apple reseller' sign and huge Apple logo and asked how much iLife would be. The attendant raised his eyebrows, winked, and said with a knowing smile that they didn't sell Apple software. I asked if there was anywhere I could actually buy Apple software and he said, 'um, maybe Shanghai somewhere. Probably Beijing.' Lots of Apple software torrents seem to originate in China though. It might be worth pointing out that Apple hardware is the same price as in the West there, despite PCs being considerably cheaper than in the West, IIRC. I don't think this just applies to software either - you can go to China's equivalent of Google, baidu.com, and there's a special section offering free downloads of pretty much any Chinese pop song you like. (The pop stars still get extremely wealthy, despite their biggest market by far being mainland China.) Mind you, a century ago American attitudes to copyright were just as lax, and look at them now! Who knows if Chinese attitudes will still be as lax in a few years' time?
 
Like I wrote above: this is NOT a virus. It was just a program that was "mislabeled". The cover said <good thing> but inside was <bad thing>. Anti-virus software can NOT stop you from intentionally installing what you think is <good thing>. The ONLY thing that can save you is to get your software from a trusted source.

Call it what you will. The fact of the matter is that security software labelled as "Anti-Virus" can, and historically has, been capable of identifying the signatures of certain software classified as Trojans and quarantining/neutralizing the threat.

In this case, the downloaded package did indeed contain the desired "good" software. (I mean "good" in terms of the downloader getting what he expected to get, not "good" in terms of the act of copyright violation being a good thing) But a piece of "bad" software was also attached alongside it. It would absolutely be possible to automatically scan the software, either as it's being downloaded, or on an on-access basis, to identify the signature of the "bad" software and prevent it from running, whilst allowing the "good thing" to operate as normal.
 
Why Why WHY?

First off, I'll throw out the disclaimer that I do not and am not an advocate of piracy. By the same token I won't jump in waving my finger at someone saying "You shouldn't be doing this", etc. etc... To each their own.

I don't understand why people would D/L iWork09 from a torrent site when they can D/L the official trial from Apple's own site and then apply any nefarious serials they could happen upon on previous mentioned sites, as I've read some people have done. Wouldn't the D/L from Apple be much, much faster?

The real issue I struggle with is why? If it was a product that was obscenely expensive (i.e. most Adobe software) then maybe I could come up with a justification.... But come on, it's $79.00. And one could D/L the official version from Apple, "try before they buy", and then pay the small fee for some pretty great software.

I've seen some discussion on using certain torrents as a "try before you buy" benefit, but that's usually for products from companies that don't offer trial versions.

What I am most concerned with is the high-level attention this has been getting in the media. This could very well awaken the "sleeping giant" and bring (a lot) more unwanted attention from the types of folks who, until now, have focused their virus and trojan-writing efforts for Windows-based systems.

I loathe the day that we as Mac users must employ real-time virus/vulnerability scanning that eats up CPU resources and slows systems down. :(
 
I loathe the day that we as Mac users must employ real-time virus/vulnerability scanning that eats up CPU resources and slows systems down. :(

Modern CPUs are so fast that a quick scan of incoming/outgoing/executable code isn't going to significantly affect performance.

Besides, why don't you use virus protection software? Malicious code can come from anywhere at any time, you can never be 100% sure you're not downloading malware regardless of which OS you use.

I'm a Windows user and I haven't seen a virus on my systems in decades, but I still use virus protection. Like running your system as a regular user and not as an admin, it just makes more sense from a security perspective.
 
Morality extends far beyond legality.

Sorry to say, but it's not you Americans, despite what you think, who set the moral standards. That's pretty much dependent on the society you live in. And in some of our societies we consider it immoral to charge 20 euros ($25) for a CD that actually costs 2 and to use anticopy systems when you are ALLOWED to make personal copies of material you own.
I bought a CD a few years ago that I could not use in a computer. I did not have an mp3 player, but as of today, can you please tell me how I can listen to the music I legally purchased on my iPod? Magic transfer of files, maybe?
In Spain they charge an extra amount on everything that is able to contain or make a copy of copyrighted material (photocopiers, CDs, DVDs, recorders, computers, cell phones, you name it). They are assuming you are guilty and people are paying an amount to the Spanish RIAA for, for example, burning their own projects on a CD.
How the f*ck is that moral?
 
Habit?

I don't understand why people would D/L iWork09 from a torrent site when they can D/L the official trial from Apple's own site and then apply any nefarious serials....

Perhaps there are tens or hundreds of thousands of Mac users who usually steal the software they need from the torrents, rather than honestly purchasing it.

When iWork came out, perhaps out of habit they looked for the torrent, not to see if Apple had a trial and not to see if there was a way of disabling the trial feature of Apple's download.
 
For anyone interested, considering 20,000 people downloaded iWork 09 illegally (just via torrent, not downloading from Apple and using another's serial/editing .plist), Apple lost $1.6 million dollars. Some may think that high, others too low.

That's one of the lies of the anti-pirate establishment: Apple did not lose that money because most of those who downloaded it would have never paid for it.
Actually, in many cases, it's just the opposite. With a download you can have a taste of, for example, a new band's music without having to pay for it and for whom you would never have paid. If you like it, you might consider going to their next concert (which actually provides a lot more money to the band that actually created the music than to the record company: and who is complaining the most over downloads?).
I had never considered paying for any of the contents I have ever downloaded, but thanks to the download, I have bought, for example, sequels to games I have previously tried and that I wouldn't consider risking to pay without knowing them. So on my side, companies have made money with me thanks to the downloads.
 
[...] even though the OS might have more strict user access policies than Windows, the users are just as weak, if not weaker.

..and that is the key.
As much as people may fight the idea, computers require users to know more than just "how to use", we really need to know "how it works".
 