Trojan Hides In Pirated Copies of Apple iWork '09

← Back to Stories (view on slashdot.org)

Trojan Hides In Pirated Copies of Apple iWork '09

Posted by timothy on Thursday January 22, 2009 @03:40PM from the good-reason-not-to-pirate-software dept.

CWmike writes "Pirated copies of Apple's new iWork '09 suite that are now available on file-sharing sites contain a Trojan horse that hijacks Macs and leaves them open to further attack, a security company said yesterday. The 'iServices.a' Trojan hitchhikes on iWork '09's installer, said Intego, which makes Mac security software. 'The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer's request of an administrator password,' Intego said in a warning. Once installed, the Trojan "phones home" to a malicious server to notify the hacker that the Mac has been compromised, and to await instructions."

48 of 431 comments (clear)

Now unveiling... by Majik+Sheff · 2009-01-22 15:42 · Score: 5, Funny

The iPwn!

--
Women are like electronics: you don't know how damaged they are until you try to turn them on.
1. Re:Now unveiling... by Anonymous Coward · 2009-01-22 17:13 · Score: 5, Insightful
  
  Go learn about the difference between a virus and a trojan.
2. Re:Now unveiling... by guitarpy · 2009-01-22 17:14 · Score: 5, Funny
  
  I'd like to take this opportunity to welcome mac users to the pc world...I mean really....pirated software with a virus...who would have seen that one coming?
  
  --
  In the immortal words of Sorates, "I drank what?"
3. Re:Now unveiling... by Anonymous Coward · 2009-01-22 17:39 · Score: 5, Funny
  
  Go explain the difference to a Mac user.
4. Re:Now unveiling... by darkpixel2k · 2009-01-22 17:42 · Score: 5, Funny
  
  I'd like to take this opportunity to welcome mac users to the pc world...I mean really....pirated software with a virus...who would have seen that one coming?
  I just wish someone would do this for the Linux world. I've tried nearly every ISO download under "Applications -> Unix" on The Pirate Bay, but everything seems to be *legal*.
  
  It won't be the year of Linux on the Desktop(tm) until you can download pirated linux applications from The Pirate Bay complete with virii and rootkits.
  
  --
  There's no place like ::1 (I've completed my transition to IPv6)
5. Re:Now unveiling... by powerspike · 2009-01-22 18:07 · Score: 3, Interesting
  
  to be a little serious here, i think you are more right then you realize, do you think computer shops are going to be more or less likely to sell an OS, that they know will have to come back at some stage to get "cleaned" up?
6. Re:Now unveiling... by Anonymous Coward · 2009-01-22 19:03 · Score: 5, Funny
  
  Argh. Please don't say "virii", even ironically. It encourages idiots.
  QED
7. Re:Now unveiling... by jo_ham · 2009-01-22 19:18 · Score: 4, Insightful
  
  Is this a virus?
  Didn't think so.
  This is social engineering at its finest - an untrusted source, launching executable code (via user action) and gaining elevated privileges (via user input of password).
  Welcome to any operating system's severe vulnerability to attack.
  Still no viruses on OS X though, beyond that proof of concept thing a while back. Still, 1 versus.... how many on Windows? So many you *require* a dedicated third party app to bog down your system and act as doctor, surgeon and nurse to keep the machine clean?
  I'll take OS X thanks.
  Also, don't steal software. You're just asking for trouble. This isn't the first time that OS X has been targeted with dodgy copies of software from download sites - I seem to remember an app that claimed to be the MS Office for Mac installer that did nothing except delete the contents of your home folder.
  Moral of the story again: Untrusted code could do anything. Don't download copied software.
8. Re:Now unveiling... by Zencyde · 2009-01-22 20:01 · Score: 3, Interesting
  
  Apparently it's not that easy: http://www.linux.com/articles/42031
  Stupid Linux.. not letting me run viruses. :(
  
  --
  What day is it? Could you please tell me?
9. Re:Now unveiling... by Anonymous Coward · 2009-01-22 20:05 · Score: 4, Funny
  
  no, no, no. Virii in Linux world work on the honor system. You randomly delete a dozen of your files and mail the virus on to everyone in your address book.
10. Re:Now unveiling... by jo_ham · 2009-01-22 22:05 · Score: 4, Insightful
  
  That was exactly my point. It's a trojan that relies on social engineering to defeat system security, and that's not unique to any one operating system, Windows, Mac or even your favourite flavour of Linux if you're in the market of using dodgy packages.
  I didn't mention anything about porn or music.
11. Re:Now unveiling... by Shadowmist · 2009-01-22 23:58 · Score: 3, Insightful
  
  The installation of this virus still requires the user to authorise it to do so by entering an admin password. It's far different than many Windows worms which can infect simply by the built-in autorun feature of windows which will feed a worm into your machine as soon as you stick in a USB or floppy inside your box. Macs do have protections from viruses that Windows does not, but like any protection, if you give the vampire entrance, it's all over.
12. Re:Now unveiling... by Sfing_ter · 2009-01-23 00:09 · Score: 3, Funny
  
  yeah, but viruses sounds like breastuses.
  
  --
  A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
13. Re:Now unveiling... by FireFlie · 2009-01-23 04:12 · Score: 3, Funny
  
  No, no. The affluence thing is actually spot on. See, I'm posting from a Mac and wearing a monocle.
Not that I condone piracy but by Anonymous Coward · 2009-01-22 15:43 · Score: 3, Funny

Why not download the Trial version and unlock it with one of the million serials out there?
1. Re:Not that I condone piracy but by FearForWings · 2009-01-22 16:41 · Score: 5, Funny
  
  Then you don't get the trojan from iWorks, but from the keygen that further frustrates you by playing an annoying and loud tune while you go through the serial generating process.
  Note to keygen creators: I do not want to hear your brother's crappy techno remixes when using your app. Is there some way I can pay you to disable this feature?
  
  --
  I don't know about angles, but it's fear that gives men wings. -Max Payne
2. Re:Not that I condone piracy but by Firehed · 2009-01-22 16:52 · Score: 4, Informative
  
  Not that I'd ever use a keygen or anything, but that's definitely only a Windows problem. From what I *cough* hear, most apps are either pre-cracked, have a drag-and-drop crack (how Mac-like), or just need any of a hundred serials floating around with no further mess.
  (Actually, I think all of my software is totally legit except for Photoshop, and I plan to buy it eventually)
  
  --
  How are sites slashdotted when nobody reads TFAs?
3. Re:Not that I condone piracy but by Em+Ellel · 2009-01-22 17:05 · Score: 5, Insightful
  
  Note to keygen creators: I do not want to hear your brother's crappy techno remixes when using your app. Is there some way I can pay you to disable this feature?
  Erm, you can indeed. You can pay money to buy a legit serial number - voila - no crappy techno music.
  -Em
  
  --
  RelevantElephants: A Somatic WebComic...
4. Re:Not that I condone piracy but by djupedal · 2009-01-22 17:09 · Score: 4, Informative
  
  Apple removed serial number requirements from iWork '09 - just install for the CD and go.
  Now, explain again how to use a sn with a crippled trail, please...
5. Re:Not that I condone piracy but by raju1kabir · 2009-01-22 19:15 · Score: 4, Funny
  
  Is that what they called the wheelchair ramp in national parks in the 1960s?
  
  --
  "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
6. Re:Not that I condone piracy but by centuren · 2009-01-22 19:30 · Score: 4, Funny
  
  Then you don't get the trojan from iWorks, but from the keygen that further frustrates you by playing an annoying and loud tune while you go through the serial generating process.
  Note to keygen creators: I do not want to hear your brother's crappy techno remixes when using your app. Is there some way I can pay you to disable this feature?
  Send your money to me, and I'll reply with instructions on how to "mute" undesired sounds you find coming out of your computer. Never be forced to listen to crappy music again!
7. Re:Not that I condone piracy but by hachete · 2009-01-22 19:56 · Score: 5, Funny
  
  (Actually, I think all of my software is totally legit except for Photoshop, and I plan to buy it eventually)
  We all plan to buy Photoshop.
  
  --
  Patriotism is a virtue of the vicious
8. Re:Not that I condone piracy but by jonbryce · 2009-01-22 21:23 · Score: 4, Funny
  
  Will I be able to listen to my mp3s while using the keygen?
Of course by ColdWetDog · 2009-01-22 15:43 · Score: 5, Insightful

About Intego

Intego develops and sells desktop Internet security and privacy software for Macintosh.

--
Faster! Faster! Faster would be better!
1. Re:Of course by 0100010001010011 · 2009-01-22 15:57 · Score: 4, Interesting
  
  LittleSnitch is one of my favorite security programs. Shows any outgoing connections and I can allow for that session, once, or forever and to just that port, any port, that host, that host and port.
  Does anyone have a torrent to a file with the trojan? I'd like to open the .pkg and and look at it. It's surprisingly easy to look at the 'install' files. Right click on the pkg and open a few folders and look for pre-flight & post-flight scripts (which can be written in about any language). .pkgs are fun little things.
2. Re:Of course by calmofthestorm · 2009-01-22 16:08 · Score: 3, Insightful
  
  It's especially nice if such monitoring software is not "on the radar" of malware sites, since they could include a workaround for such software, as is frequently done for Norton and Symantic on Windows.
  
  --
  93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
3. Re:Of course by ColdWetDog · 2009-01-22 16:40 · Score: 4, Insightful
  
  (stares at the Macbook touchpad)
  You got two fingers? (If not, sorry, I'm an insensitive clod.)
  
  --
  Faster! Faster! Faster would be better!
cynicism by bwthomas · 2009-01-22 15:45 · Score: 5, Insightful

Sometimes I wonder if companies that create security software aren't sometimes guilty of either creating or funding the creation of viruses, trojans, worms, &c. simply to justify their own existence.
Is that cynical?
1. Re:cynicism by zappepcs · 2009-01-22 16:08 · Score: 5, Insightful
  
  They certainly use virus news to justify their existence and the cost of their products. The fact that they exist is tantamount to admitting that no OS can be fully secured.
  The harder anti-virus vendors bleat on about how good their product is, the more bragging rights a virus writer will get for walking around the security... among their own crowd. It's more or less a case of putting up a wall and telling the world, there, you can't get past this wall now.
  The real trouble with anti-virus vendors is that they tend to convince people that once their product is installed, the end user's pc is safe. It is NOT, and won't ever be. Some of the best virus programs in the world are still out in the wild, running as they were intended to run, collecting and passing information as they are supposed to. Since they are not destructive to normal computer activity, they go undetected. Don't say that such does not exist... I know you have not done forensics on all existent computers. Every now and then we hear about some corporate espionage or attacks from state military groups etc. All of this is just hinting at the real problems: The virus programs we don't know about.
  Think about it. If a virus program did some key logging for bank URLs then spread itself a bit, then self destructed... hmmmmm They are seeing more sophisticated virus programs now, and fortunately beginning to look for them. Sadly, you'll have some pretty incredibly long scan times to find some types of malicious software: none of this 45 minute scan by Symantec etc.
  Soon, you'll need a multicore CPU just to handle real time scanning. It's a giant whack-a-mole game. Always will be.
  
  --
  Support NYCountryLawyer RIAA vs People
2. Re:cynicism by warrigal · 2009-01-22 17:17 · Score: 3, Funny
  
  Hey! Just who are you calling cracker, boy?
3. Re:cynicism by zappepcs · 2009-01-22 17:44 · Score: 4, Interesting
  
  Actually, IMO we are in need of another category of malicious software. Social engineering allows code writers to get their code run by the user in a way that is neither stealthy or without their knowledge. It runs as a user program, and did not necessarily 'infect' the machine, yet is a virus by the definition that it has modified an executable. So we need either a new term, or be satisfied that the generic use of the term 'virus' fits such code.
  An example would be a screen saver that does it's work when the computer is idle and the screen saver itself has been run on the user's command to do so. That group of software that claims to be scanning software which does more than look for malicious code is also in this category. It's becoming quite confusing, and at any turn unvalidated code can be malicious. Many end users are unable to know the difference without much more training. Social engineering makes it fairly simple to get users to run malicious code.
  We've seen people repackage OOo software and sell it. It won't be long before we discover such tactics used to deliver malicious code. Would that be a virus or a worm?
  You see, my favorite scenario for malicious code is quite simple... spreads like a virus, then sits and waits patiently for the moment that it finds itself on a machine whose user is 'bill gates' (as an example) then every time the screen saver is activated, it searches the drive for the oldest .xls or .doc files and deletes two of them that are at least 45 days since last access. Every 17th time (or follow a Fibonacci number sequence) the screen saver is activated, it searches for Symantec installations and deletes the current virus definition file. Every 6th boot, it loads a key logger which looks for a select set of certain bank URLs. Every time you plug in a USB drive, it copies itself to the USB device if the screen saver is activated. You see, there are many ways to create hard to find problems. It won't be long before we are seeing them.
  
  --
  Support NYCountryLawyer RIAA vs People
It's all Apple fault by pHatidic · 2009-01-22 15:47 · Score: 4, Funny

If only Apple hadn't stripped out the DRM this would have never happened!
It really should be noted... by Anonymous Coward · 2009-01-22 15:48 · Score: 4, Funny

That it is the easiest trojan to use ever. Bravo, Apple.
Re: But, but.... by JPortal · 2009-01-22 15:49 · Score: 4, Insightful

This requires user action and piracy. No one can -ever- claim that -any- computer is safe from, essentially, social engineering.
Re:No, that's impossible. by falcon5768 · 2009-01-22 15:58 · Score: 4, Insightful

Whos talking about a virus? I dont see ANYTHING about a virus. I DO see a story about a TROJAN. Whole different ball of wax there. No system EVER will be secure from a trojan, since for a trojan to work the USER has to willingly give his admini password to install it.

--
"Slashdot, where telling the truth is overrated but lying is insightful."
Re:Not a vulnerability by DurendalMac · 2009-01-22 16:02 · Score: 4, Insightful

I don't think anyone would blame Microsoft for user-installed malware. It's when you get something simply by going to a website, clicking a link, mounting a drive, or even just hooking it up to the internet that can be blamed on lousy code. When malicious nasties get onto OS X by any of the above with no real action on the user's part, then you we can all blame Apple just like we blamed Microsoft. Until then, it's just a PEBKAC issue.
Re:No, that's impossible. by onecheapgeek · 2009-01-22 16:03 · Score: 3, Interesting

And how long has it been since a true virus was attacking windows? It's always trojans, worms or adware and has been for several years.
Re: But, but.... by vux984 · 2009-01-22 16:05 · Score: 5, Insightful

This requires user action and piracy.
So does 99.99% of windows malware.
No one can -ever- claim that -any- computer is safe from, essentially, social engineering.
Again right. But what's the solution? That is the real question.
Because this is the ecosystem microsoft lives in, we've seen what they're trying... digital signatures on drivers, the inability to put admin items in your startup, UAC prompts... etc, etc.
What is Apple going to do in response to inevitable arrival of social-engineering malware as it gains marketshare?
What is Linux going to if/when it acheives enough marketshare among joe-sixpacks for social engineering to be profitable?
As much as /. likes to take shots at Microsoft, what would you do better? *nix security is just as vulnerable to social engineering as windows is, given the same users.
Re:No, that's impossible. by AKAImBatman · 2009-01-22 16:12 · Score: 5, Insightful

And how long has it been since a true virus was attacking windows?
Just this week.

It's always trojans, worms or adware and has been for several years.
A worm differs from a virus only in so much that it doesn't need to copy itself into a system program. For all intents and purposes however, the difference between the two terms is antiquated.

--
Javascript + Nintendo DSi = DSiCade
Re: But, but.... by calmofthestorm · 2009-01-22 16:13 · Score: 5, Interesting

Um most pirated software is clean of malware. The primary vectors are email and infected websites (often reputable ones that are compromised themselves, often due to sketchy)
The "piracy has VIRUSES!" myth is very much a content industry creation. I'm more concerned about malware in "genuine" software than pirated, and one more reason that I pirate things when I do. Of course, you -are- running an executable from a total stranger. At least "genuine" software makers have it tied to their name, so this could easily become truer.
Given that all three OSes have sudo, social engineering will ALWAYS work. Unless we take sudo away from average users (which is far easier to get away with on linux than windows and still have everything work smoothly)
If you're really paranoid, you might consider running your browser and mail client in a virtual machine

--
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
New anti-virus company by Narnie · 2009-01-22 16:34 · Score: 5, Funny

As long as there are crackers without girlfriends in the world, they don't need to.
I propose starting a new anti-virus company that will focus on dates for crackers rather than OS security.

--
greed@All_Evils:~#
Why not download directly from Apple? by WiiVault · 2009-01-22 16:49 · Score: 4, Informative

I don't steal software, ever, but it is a well known fact (among Mac users) that iWork can be downloaded direct from Apple. All it takes is a valid serial number and you are ready to go. Why the heck would anybody bother firing up a torrent?
1. Re:Why not download directly from Apple? by WiiVault · 2009-01-22 20:11 · Score: 3, Interesting
  
  I was using common terminology, I realize you are not "stealing". You are just depriving the owner of profits. Perhaps you would have never bought it it at all, but I wouldn't be proud of the habit. BT is great for trials, or getting lossless versions of songs you already bought, or Linux distros. But straight up long term use of pirated (another imperfect term) software is not good for our industry. I download tons of stuff against the "law" but I am certain to observe the moral law of paying my due.
Re: But, but.... by Doctor_Jest · 2009-01-22 16:59 · Score: 3, Insightful

They don't encourage users NOT to install... they simply don't hawk the virus software as a crutch to avoid good common sense. That's not to say that Windows (or more specifically Microsoft) does, it's just the nature of the OS itself that dictates what might be vs. what might not be.

You can safely say that, out of the box, Apple's OS is safer than Microsoft's (and you can make up your own reasons why), and this particular "virus" (it's a trojan, not a virus) isn't related to a vulnerability in the OS. It's related to a vulnerability in a trusting user. It's vastly different than an exploit that antivirus programs are designed to watch for. No antivirus would protect someone from this, unless it was known already as a trojan (then an update would have to show up, etc.) But you begin to see the fallacy of blaming Apple for social engineering. Educating the novices of ANY OS is something we should be doing, rather than trying to have a pissing contest between Jobs and Ballmer.

--
It's the Stay-Puft Marshmallow Man.
Pirates by shmlco · 2009-01-22 18:40 · Score: 4, Insightful

Not to troll, but as far as I'm concerned anyone who pirates software deserves it...

--
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
Re: But, but.... by brit74 · 2009-01-22 18:52 · Score: 4, Interesting

Um most pirated software is clean of malware. The primary vectors are email and infected websites (often reputable ones that are compromised themselves, often due to sketchy)
Well, if as few as 10% of the pirated software has viruses, then anyone who downloads and installs 10 software apps has roughly a 66% chance of getting something. It seems bizarre that malware creators wouldn't use pirated software to spread keyloggers and other nasty stuff. I mean - if I went to a website and got a popup to download and install an exe, or I got something in my email that said to run an exe, I'd NEVER do it. And neither would most tech-savy people. But, people who pirate software are installing the software they're downloading. That's a malware-creator's dream come true. I'm sure mafia and identity-theft criminals love the idea (and they can create lots of seeders to create the illusion of being legit).

The "piracy has VIRUSES!" myth is very much a content industry creation.
Uh huh. And the ""piracy has viruses" is a myth" myth is advocated by people who want to believe piracy is totally safe.

I'm more concerned about malware in "genuine" software than pirated, and one more reason that I pirate things when I do.
Well, pirated software has the "malware" created by the genuine software manufacturers plus the malware added to it by anyone who wants to add a trojan.
Re:Nice of them to tell you how to remove it. by nawcom · 2009-01-22 18:57 · Score: 5, Informative

Their alert, unlike every other antivirus company alert, does not tell you how to remove the trojan.
Nice.
sudo -s (enter password)
rm -r /System/Library/StartupItems/iWorkServices
rm /private/tmp/.iWorkServices
rm /usr/bin/iWorkServices
rm -r /Library/Receipts/iWorkServices.pkg
killall -9 iWorkServices
whew... thank gawd... by night_flyer · 2009-01-23 03:49 · Score: 3, Funny

Im running windows...

--

Thanks to file sharing, I purchase more CDs
Thanks to the RIAA, I buy them used...