OSX.Trojan.iServices.B on the loose

Jan 27, 2009 09:40 GMT

Security firms Intego and Sophos are warning against downloading pirated copies of Adobe Photoshop CS4 for Mac. The same kind of Trojan that can be found in illegal copies of iWork '09 is also included with the contents of Photoshop CS4 copies available via BitTorrent trackers and other sites linking to illegal downloads of the suite.

"Intego has discovered a new variant of the iServices Trojan horse that the company discovered on January 22, 2009,” reads the latest security alert. “This new Trojan horse, OSX.Trojan.iServices.B, like the previous version, is found in pirated software distributed via BitTorrent trackers and other sites containing links to pirated software. OSX.Trojan.iServices.B Trojan horse is found bundled with copies of Adobe Photoshop CS4 for Mac. The actual Photoshop installer is clean, but the Trojan horse is found in a crack application that serializes the program,” the firm explains.

Intego adds that users downloading pirated copies of Photoshop CS4 will be forced to run the crack application to be able to use Adobe Photoshop. This is where all hell breaks loose, says the company.

“The crack application extracts an executable from its data, then installs a backdoor in /var/tmp/, a directory which is not deleted when the computer is restarted,” the company goes on to explain. Even worse, the Trojan horse is able to create a new executable with a different name, should the user run the crack application again. Ultimately, when the user is asked for an administrator password, the crack application launches the backdoor with root privileges.
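A triage check for the behaviour described above, as an added example that is not from Intego or the original article: it lists Mach-O executables under /var/tmp and records ownership and mode bits. The function names are hypothetical, and a hit is only a candidate for review, since the article gives no file name or hash for the backdoor.

```python
import os
import stat
import struct

# Mach-O magic numbers as they appear when the first 4 bytes on disk
# are read big-endian. Universal ("fat") headers are always big-endian.
MACHO_MAGICS = {
    0xFEEDFACE: "Mach-O 32-bit, big-endian",
    0xCEFAEDFE: "Mach-O 32-bit, little-endian",
    0xFEEDFACF: "Mach-O 64-bit, big-endian",
    0xCFFAEDFE: "Mach-O 64-bit, little-endian",
    0xCAFEBABE: "universal binary (magic shared with Java class files)",
}

def macho_kind(path):
    """Return a description if the file starts with a Mach-O magic, else None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return None  # unreadable or vanished file
    return MACHO_MAGICS.get(struct.unpack(">I", head)[0]) if len(head) == 4 else None

def find_executables(root="/var/tmp"):
    """Walk root and describe every regular file that is a Mach-O binary."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            kind = macho_kind(path)
            if kind:
                findings.append({
                    "path": path,
                    "kind": kind,
                    "root_owned": st.st_uid == 0,
                    "executable": bool(st.st_mode & 0o111),
                    "setid": bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID)),
                })
    return findings

if __name__ == "__main__":
    for finding in find_executables():
        print(finding)
```

Because the article says a re-run of the crack creates an executable under a different name, the check keys on file content and location rather than on a file name.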

As with iServices.A, found in illegal copies of iWork '09, the malware connects to a remote server to notify its creator that it has completed its task successfully. The hacker will then be able to connect to the user's computer and perform various actions remotely, warns Intego.

The company claims that Intego VirusBarrier X4 and X5 protect against this Trojan horse, as long as the user downloads and installs the latest virus definitions dated January 25, 2009 or later.