Pirated iWork '09 installer may contain trojan horse
Intego, makers of VirusBarrier and other security software for the Macintosh, issued a security alert for Mac users on Thursday, advising them about the existence of a new Trojan Horse, which they’ve named OSX.Trojan.iServices.A. This new Trojan Horse can be found in pirated copies of Apple’s iWork ‘09 application suite, which has been downloaded over 20,000 times, according to Intego’s numbers.
When installing an infected pirated copy of iWork ‘09, an extra iWorkServices package is installed; this installation begins as soon as the user launches the iWork ‘09 installer. This package is installed as a system-wide startup item, where it has read-write permissions as root. In other words, this code can do anything to any part of the system, with full authorization.
The malicious software connects to remote servers over the internet, so a malicious remote user will know that the program has been installed. The malicious user will be able to connect to the infected Mac and perform various actions; the Trojan horse may also download additional components to an infected Mac.
It should also be noted that this exploit is out and about in the real world; see this post as an example of what it can do.
This is not a virus—it cannot spread from one Mac to another on its own. It’s also not a remote exploit; the user must download and install a pirated copy of iWork ‘09 to become infected. To check if you’ve been infected, look in /System/Library/StartupItems for an item named iWorkServices. If it exists, you’ve been infected with this Trojan horse.
Once infected, the clean-up process may be quite painful. As the Trojan horse has the ability to install additional components, it’s not sufficient to remove the known pieces. Instead, the safest recovery method starts with a reformat and a clean install of OS X. Because the Trojan may also modify installed applications (this is possible because the Trojan is running as root), programs should be reinstalled from their master discs, not from backups. Finally, the user should copy over their data files from backups.
As always, the best preventive medicine is to simply avoid downlaoding files from unknown and untrusted sources. Intego’s VirusBarrier X4 and X5 will detect the Trojan horse, prevent it from installing in the first place, and remove the currently-known pieces of the Trojan horse if you’ve been infected. If you download software from untrusted sources, you should strongly consider using an anti-virus package of some sort to minimize the risk from this sort of attack.