14 DAY TRIAL // Discovered on January 21, 2009, Intego calls OSX.Trojan.iServices.A a “serious” exploit. Some pirates have found out the hard way - actually, not some, but around 20,000 statistics have showed - that illegal copies of iWork '09 contain a Trojan.
“Intego has discovered a new Trojan horse, OSX.Trojan.iServices.A, which is currently circulating in copies of Apple’s iWork 09 found on BitTorrent trackers and other sites containing links to pirated software,” says the security firm. “The version of iWork 09, Apple’s productivity suite, are complete and functional, but the installer contains an additional package called iWorkServices.pkg,” Intego explains.
The company that develops and sells desktop Internet security and privacy software for Macintosh reveals that, “when installing iWork 09, the iWorkServices package is installed. The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer’s request of an administrator password (in older versions of Mac OS X, 10.5.1 or earlier, there will be no password request),” Intego further outlines. “This software is installed as a startup item (in /System/Library/StartupItems/iWorkServices, a location reserved normally for Apple startup items), where it has read-write-execute permissions for root.”
From there on, it's pretty obvious what's going to happen – the malware connects to the Internet and to a remote server to which a hacker has full access, of course. The hacker will then have the ability to connect and “perform various actions remotely,” says the company. In fact, the malware may even download additional components to an infected Mac, Intego says, although this hasn't been reported yet.
So, as a result of all this, “Intego is issuing this alert to warn Mac users not to download iWork 09 installers from sites offering pirated software.” The company goes to mention that, as of 6 am EST, at least 20,000 people had downloaded the installer. Readers should note that Intego doesn't mention the 20,000 persons as infected (or even as Mac users), but merely as downloaders of the infected software.
“The risk of infection is serious, and users may face extremely serious consequences if their Macs are accessible to malicious users,” Intego concludes. As usual, the company recommends that Mac users install VirusBarrier X4 and X5 with virus definitions dated January 22, 2009 or later.