Two new trojan horses threaten Mac software pirates

iWork '09

Mac security software maker Intego discovered last week what it calls "OSX.Trojan.iServices.A" in pirated copies of Apple's iWork '09 making the rounds on BitTorrent file sharing networks.  An additional package not found in retail copies of the iWork installer called "iWorkServices.pkg" is installed as a startup item with read/write/execute abilities with the pirated versions.

According to Intego, the rogue software connects to a remote server to notify its creator that the trojan has been installed on different Macs, and he or she can "connect to them and perform various actions remotely", including downloading additional components to the machine.

Intego considers the risk of infection to be serious, warning of "extremely serious consequences" if a user's Mac is compromised by software. The security firm said 20,000 people had already downloaded the installer at the time of its alert.  As of now, Intego counts 1,000 more since the initial warning.

In an update on the matter Monday morning, Intego said Macs infected with the trojan are being pushed new code that downloads in the background, which is then being used to facilitate a DDoS (distributed denial of service) attack on certain websites.

Photoshop CS4

As part of its update, Intego also says it has discovered a new variant of the same Trojan horse called "OSX.Trojan.iServices.B", which can be found in pirated versions of Adobe Photoshop CS4.  This installer has already been downloaded by 5,000 people who are now at risk, the firm says.

This installer compromises the system not by installing an additional package, but through a crack application that serializes the program for use without a purchased retail key.  This app extracts an executable from its data and installs a backdoor in /var/tmp/.  If the user runs the crack app again, a new executable with a different random name is created, making it difficult to safely remove the malware.

Once the administrator password is entered, a backdoor with root privileges is launched, copying the executable to /usr/bin/DivX and a startup item in /System/Library/StartupItems/DivX.  It then makes repeated connections to two IP addresses, according to Intego.

A malicious user can then connect to the affected Macs and perform various actions and downloads remotely.  Intego predicts this Trojan horse may also be used to execute similar DDoS attacks.

Warning

As a result of these two very serious risks, Intego is warning Mac users not to download any cracking software from sites that distribute it.

"The risk of infection is serious, due to the number of infected users, and these users may face extremely serious consequences if their Macs are accessible to malicious users," reads a notice on the security firm's website.

Intego recommends that users never download and install software from untrusted sources or questionable websites.  It says its own VirusBarrier X4 and X5 products with virus definitions dated January 22, 2009, or later will protect against these two Trojan horses.