Chris Davies - Jan 23, 2009
Apple may have added some neat tricks to iWork '09 earlier this month, but they didn't list a trojan on the spec sheet.  That, however, is what at least 20,000 users have found infecting their machines, after illegally downloading a pirated version of the software.  The trojan - which obviously Apple didn't add themselves - is called OSX.Trojan.iServices.A, and can access a Mac's root OS, modify existing software, and download and install extra components, potentially allowing the authors to remotely take control of the computer.

The trojan was spotted by Intego, the company behind the Mac security app VirusBarrier, who are describing it as a high-risk issue and warn that "users may face extremely serious consequences" if their Macs become compromised by the third party behind the malware.  Although it cannot spread from computer to computer by itself, given the allure of free software it's likely that OSX.Trojan.iServices.A will affect significantly more people than the initial estimate of 20,000.

"The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer’s request of an administrator password. This software is installed as a startup item (in /System/Library/StartupItems/iWorkServices, a location reserved normally for Apple startup items), where it has read-write-execute permissions for root. The malicious software connects to a remote server over the Internet; this means that a malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely." - Intego security alert

Unfortunately, the safest way to clean an infected Mac is to completely reinstall OS X, making sure to do so from the original discs and not from backups, which the trojan could have tampered with.  This just underscores the need to be careful when downloading unofficial software - and to have an up-to-date anti-virus app running if you insist on doing so.

