Trojan Hides In Pirated Copies of Apple iWork '09
CWmike writes "Pirated copies of Apple's new iWork '09 suite that are now available on file-sharing sites contain a Trojan horse that hijacks Macs and leaves them open to further attack, a security company said yesterday. The 'iServices.a' Trojan hitchhikes on iWork '09's installer, said Intego, which makes Mac security software. 'The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer's request of an administrator password,' Intego said in a warning. Once installed, the Trojan "phones home" to a malicious server to notify the hacker that the Mac has been compromised, and to await instructions."
Re: But, but.... (Score:2, Informative)
The biggest w32 virus right now only requires the user to click on what appears to be the normal choice for safe viewing of USB key contents, but other USB trojans don't even need that much. Most of the other forms of malware are installed via drive-by download or by worm propagation. I doubt 99.99% of malware needs user action, or worms, USB Trojans, and drive-bys wouldn't be so dangerously prevalent.
I guess you could call "visiting a website" or "plugging in a USB key" user action, but there's no action needed to be infected by a worm.
Wait. You're right. Users have to turn on their machines.
Why not download directly from Apple? (Score:5, Informative)
Re:Not that I condone piracy but (Score:5, Informative)
Not that I'd ever use a keygen or anything, but that's definitely only a Windows problem. From what I *cough* hear, most apps are either pre-cracked, have a drag-and-drop crack (how Mac-like), or just need any of a hundred serials floating around with no further mess.
(Actually, I think all of my software is totally legit except for Photoshop, and I plan to buy it eventually)
Re:Why pirate iWork (Score:3, Informative)
Have you downloaded something using Apple's servers? I get a solid 1MB/s+ almost all the time, pretty much maxing out my entire connection. It's very rare for me to get anywhere near that on ANY torrent, even very popular ones - plus Apple doesn't ask me to upload the same amount for proper etiquette.
Re:Not that I condone piracy but (Score:5, Informative)
Apple removed serial number requirements from iWork '09 - just install from the CD and go.
Now, explain again how to use a sn with a crippled trial, please...
Re:cynicism (Score:2, Informative)
Think about it. If a virus program did some key logging for bank URLs then spread itself a bit, then self destructed... hmmmmm They are seeing more sophisticated virus programs now, and fortunately beginning to look for them. Sadly, you'll have some pretty incredibly long scan times to find some types of malicious software: none of this 45 minute scan by Symantec etc.
Presumably you mean worm programs not virus programs. Virus programs are typically very obvious as they modify the executables on the system they infect. These modifications are easily detected as the checksums (md5, crc, whatever) change and someone notices.
Re:Now unveiling... (Score:2, Informative)
Well that leaves you out. This is simply a malicious program. Obviously any computer that can run software can run malicious software.
Re:Nice of them to tell you how to remove it. (Score:5, Informative)
Their alert, unlike every other antivirus company alert, does not tell you how to remove the trojan.
Nice.
sudo -s (enter password)
rm -r /System/Library/StartupItems/iWorkServices
rm /private/tmp/.iWorkServices
rm /usr/bin/iWorkServices
rm -r /Library/Receipts/iWorkServices.pkg
killall -9 iWorkServices
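A read-only check for the four paths and the process named in the comment above, added here as an example and not part of the original post. The function name `check_iworkservices` and its optional root-prefix argument are assumptions for illustration; the prefix lets the check run against a mounted backup or a test directory instead of the live system.

```shell
#!/bin/sh
# Added example: report which iWorkServices artifacts listed in the removal
# instructions are present. It only tests for existence and deletes nothing.

# Paths taken from the comment above (no spaces, so word splitting is safe).
IWS_PATHS="/System/Library/StartupItems/iWorkServices
/private/tmp/.iWorkServices
/usr/bin/iWorkServices
/Library/Receipts/iWorkServices.pkg"

# check_iworkservices [ROOT]   (hypothetical helper name)
# Prints one line per artifact found under ROOT (default: the live system)
# and returns the number of indicators found as its exit status (0 = none).
check_iworkservices() {
    root="${1:-}"
    found=0
    for p in $IWS_PATHS; do
        # -L also catches a dangling symlink left at one of the paths
        if [ -e "${root}${p}" ] || [ -L "${root}${p}" ]; then
            echo "FOUND ${root}${p}"
            found=$((found + 1))
        fi
    done
    # The process check only makes sense on the live system.
    if [ -z "$root" ] && command -v pgrep >/dev/null 2>&1; then
        if pgrep -x iWorkServices >/dev/null 2>&1; then
            echo "RUNNING iWorkServices"
            found=$((found + 1))
        fi
    fi
    return "$found"
}

# Stand-alone use: check the live system, or the root given as first argument.
check_iworkservices "${1:-}" || echo "$? indicator(s) present"
```

Some of these paths may need root to inspect, and a clean result only means these specific files are absent.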
Mod parent up. removal instructions. (Score:3, Informative)
Mod parent informative.
Re:Of course (Score:3, Informative)
I can confirm LittleSnitch works like a charm.
The site above doesn't provide a free download, so I went to an abundantware site called ThePirateBay.org.
I'm surprised this little germ even comes with pre-whitelist feature and several connections that I've never heard of have already been pre-allowed.
Truly a time-saver.
Re:Not that I condone piracy but (Score:2, Informative)
except for Photoshop, and I plan to buy it eventually
The funny part of this is that Photoshop is one of the few pieces of software that has the Adobe Phone Home features that are not cracked or disabled 99% of the time.
So your computer name, info, IP, MAC address, etc. are sent to Adobe with 99% of the 'cracked' copies out there running around for both the PC and Mac.
Be sure to unplug that iCable when you use it... :)
Re:Now unveiling... (Score:2, Informative)
"Moral of the story again: Untrusted code could do anything. Don't download copied software."
But often in the case of the Mac, this may be your ONLY way to get software, for older machines. run the newer stuff, say the new iLife versions? You can't buy the older ones....where are you supposed to get it?
Try eBay, or one of numerous Mac software houses. Older versions of iLife can be picked up for next to nothing complete with the retail box. If you fool around in the cesspool of piracy don't be surprised if you end up with a bad smell.
Re:Pirates (Score:2, Informative)
Re:Now unveiling... (Score:2, Informative)