
Trojan Hides In Pirated Copies of Apple iWork '09

CWmike writes "Pirated copies of Apple's new iWork '09 suite that are now available on file-sharing sites contain a Trojan horse that hijacks Macs and leaves them open to further attack, a security company said yesterday. The 'iServices.a' Trojan hitchhikes on iWork '09's installer, said Intego, which makes Mac security software. 'The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer's request of an administrator password,' Intego said in a warning. Once installed, the Trojan 'phones home' to a malicious server to notify the hacker that the Mac has been compromised, and to await instructions."

  • But... (Score:2, Interesting)

    by alienunknown ( 1279178 ) on Thursday January 22, 2009 @11:55PM (#26570207)
    From the article:

    Late last year, in fact, when Apple revised an online recommendation that Mac users consider running antivirus software, the move drew lots of attention.

    Most antivirus programs on OS X actually scan for Windows viruses only, and are totally useless against almost all OS X malware. The only software vendor that I know of that makes anti-malware programs for native OS X malware is Intego. Intego make great software and are mentioned in this article, but what about all the Mac users out there who get a Mac virus scanner that only scans for Windows viruses? A lot of people are being duped.

  • Re:Of course (Score:5, Interesting)

    by 0100010001010011 ( 652467 ) on Thursday January 22, 2009 @11:57PM (#26570225)

    LittleSnitch [obdev.at] is one of my favorite security programs. Shows any outgoing connections and I can allow for that session, once, or forever and to just that port, any port, that host, that host and port.

    Does anyone have a torrent to a file with the trojan? I'd like to open the .pkg and look at it. It's surprisingly easy to look at the 'install' files. Right click on the pkg and open a few folders and look for pre-flight & post-flight scripts (which can be written in about any language). .pkgs are fun little things.
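
The inspection described in the comment above can be scripted. This is an added example, not part of the original post: it walks a bundle-style `.pkg`/`.mpkg` directory and reports each installer script with its interpreter and hash. The function names and the `Demo.mpkg` sample layout are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Script names Apple's Installer runs from a bundle-style package.
INSTALL_SCRIPTS = {
    "preflight", "postflight", "preinstall", "postinstall",
    "preupgrade", "postupgrade", "InstallationCheck", "VolumeCheck",
}

def list_install_scripts(pkg_path):
    """Return a record per installer script under pkg_path (nested .pkg too)."""
    pkg = Path(pkg_path)
    records = []
    for path in sorted(p for p in pkg.rglob("*") if p.is_file()):
        if path.name not in INSTALL_SCRIPTS:
            continue
        data = path.read_bytes()
        first = data.split(b"\n", 1)[0]
        records.append({
            "path": path.relative_to(pkg).as_posix(),
            # None means no shebang: a compiled binary or unknown format.
            "interpreter": (first[2:].decode("ascii", "replace").strip()
                            if first.startswith(b"#!") else None),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return records

def build_sample_mpkg(base):
    """Write a constructed sample layout (not a real package) for the demo."""
    root = Path(base) / "Demo.mpkg" / "Contents" / "Packages"
    layout = {
        "App.pkg/Contents/Resources/postflight": b"#!/bin/sh\nexit 0\n",
        # Mach-O magic bytes stand in for a compiled preflight binary.
        "Extra.pkg/Contents/Resources/preflight": b"\xcf\xfa\xed\xfe\x07\x00\x00\x01",
        "App.pkg/Contents/Info.plist": b"<plist/>",   # not a script: ignored
    }
    for rel, body in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    return root.parent.parent

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rec in list_install_scripts(build_sample_mpkg(tmp)):
            print(rec)
```

A flat (single-file) package has to be unpacked first, for example with `pkgutil --expand`, before its scripts can be listed this way.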

  • by onecheapgeek ( 964280 ) on Friday January 23, 2009 @12:03AM (#26570275) Journal
    And how long has it been since a true virus was attacking Windows? It's always trojans, worms or adware and has been for several years.
  • Re: But, but.... (Score:5, Interesting)

    by calmofthestorm ( 1344385 ) on Friday January 23, 2009 @12:13AM (#26570349)

    Um, most pirated software is clean of malware. The primary vectors are email and infected websites (often reputable ones that are compromised themselves, often due to sketchy)

    The "piracy has VIRUSES!" myth is very much a content industry creation. I'm more concerned about malware in "genuine" software than pirated, and one more reason that I pirate things when I do. Of course, you -are- running an executable from a total stranger. At least "genuine" software makers have it tied to their name, so this could easily become truer.

    Given that all three OSes have sudo, social engineering will ALWAYS work. Unless we take sudo away from average users (which is far easier to get away with on Linux than Windows and still have everything work smoothly)

    If you're really paranoid, you might consider running your browser and mail client in a virtual machine.

  • Re:cynicism (Score:5, Interesting)

    by zappepcs ( 820751 ) on Friday January 23, 2009 @01:44AM (#26570967) Journal

    Actually, IMO we are in need of another category of malicious software. Social engineering allows code writers to get their code run by the user in a way that is neither stealthy nor without their knowledge. It runs as a user program, and did not necessarily 'infect' the machine, yet is a virus by the definition that it has modified an executable. So we need either a new term, or be satisfied that the generic use of the term 'virus' fits such code.

    An example would be a screen saver that does its work when the computer is idle and the screen saver itself has been run on the user's command to do so. That group of software that claims to be scanning software which does more than look for malicious code is also in this category. It's becoming quite confusing, and at any turn unvalidated code can be malicious. Many end users are unable to know the difference without much more training. Social engineering makes it fairly simple to get users to run malicious code.

    We've seen people repackage OOo software and sell it. It won't be long before we discover such tactics used to deliver malicious code. Would that be a virus or a worm?

    You see, my favorite scenario for malicious code is quite simple... spreads like a virus, then sits and waits patiently for the moment that it finds itself on a machine whose user is 'bill gates' (as an example) then every time the screen saver is activated, it searches the drive for the oldest .xls or .doc files and deletes two of them that are at least 45 days since last access. Every 17th time (or follow a Fibonacci number sequence) the screen saver is activated, it searches for Symantec installations and deletes the current virus definition file. Every 6th boot, it loads a key logger which looks for a select set of certain bank URLs. Every time you plug in a USB drive, it copies itself to the USB device if the screen saver is activated. You see, there are many ways to create hard to find problems. It won't be long before we are seeing them.

  • Re:Now unveiling... (Score:3, Interesting)

    by powerspike ( 729889 ) on Friday January 23, 2009 @02:07AM (#26571059)
    To be a little serious here, I think you are more right than you realize. Do you think computer shops are going to be more or less likely to sell an OS that they know will have to come back at some stage to get "cleaned" up?
  • Re: But, but.... (Score:5, Interesting)

    by brit74 ( 831798 ) on Friday January 23, 2009 @02:52AM (#26571315)
    Um, most pirated software is clean of malware. The primary vectors are email and infected websites (often reputable ones that are compromised themselves, often due to sketchy)
    Well, if as few as 10% of the pirated software has viruses, then anyone who downloads and installs 10 software apps has roughly a 66% chance of getting something. It seems bizarre that malware creators wouldn't use pirated software to spread keyloggers and other nasty stuff. I mean - if I went to a website and got a popup to download and install an exe, or I got something in my email that said to run an exe, I'd NEVER do it. And neither would most tech-savvy people. But, people who pirate software are installing the software they're downloading. That's a malware-creator's dream come true. I'm sure mafia and identity-theft criminals love the idea (and they can create lots of seeders to create the illusion of being legit).

    The "piracy has VIRUSES!" myth is very much a content industry creation.
    Uh huh. And the ""piracy has viruses" is a myth" myth is advocated by people who want to believe piracy is totally safe.

    I'm more concerned about malware in "genuine" software than pirated, and one more reason that I pirate things when I do.
    Well, pirated software has the "malware" created by the genuine software manufacturers plus the malware added to it by anyone who wants to add a trojan.
  • Re:Now unveiling... (Score:3, Interesting)

    by Zencyde ( 850968 ) <Zencyde@gmail.com> on Friday January 23, 2009 @04:01AM (#26571731)
    Apparently it's not that easy: http://www.linux.com/articles/42031 [linux.com]
    Stupid Linux.. not letting me run viruses. :(
  • by WiiVault ( 1039946 ) on Friday January 23, 2009 @04:11AM (#26571775)
    I was using common terminology, I realize you are not "stealing". You are just depriving the owner of profits. Perhaps you would have never bought it at all, but I wouldn't be proud of the habit. BT is great for trials, or getting lossless versions of songs you already bought, or Linux distros. But straight up long term use of pirated (another imperfect term) software is not good for our industry. I download tons of stuff against the "law" but I am certain to observe the moral law of paying my due.
  • by denzacar ( 181829 ) on Friday January 23, 2009 @09:21AM (#26573389) Journal

    Me neither.

    Particularly knowing that my former boss and his competition still run only pirated software on all of their computers.
    Being lazy bastards - most Mac pirating was done by just copying the entire folder of the particular app.
    No registry, no shared .DLLs... no two computers being able to run the same app 'cause its serial was already being used somewhere else on the network.
