The Register® — Biting the hand that feeds IT


Mac malware piggybacks on pirated iWork

Over 20,000 served


Malware masquerading as part of Apple's iWork 09 productivity suite is targeting unsuspecting Mac users foolish enough to install pirated software downloaded on warez sites.

Once installed, iServices.A has unfettered root access, which it promptly uses to connect to a remote server over the internet, according to Intego, which sells anti-virus software for Macs. A secondary download installs malware that makes victims part of a botnet that's attacking undisclosed websites.

More than 20,000 people have already downloaded the rogue installer, which is bundled with a complete and fully functional version of iWork. Intego didn't say how many of those marks have actually installed the program.

Intego's advisory is the latest reminder that the growing popularity of Apple's OS X hasn't been lost on malware developers. Over the past 18 months, a variety of trojans and exploits have increasingly targeted the Mac.

Word of this latest trojan comes a day after Apple said it would no longer require iWork users to enter company-issued serial numbers when installing the app. So, if you must pirate the program, simply borrow your co-worker's disk. Online cracking software is no longer required. ®


Latest Comments

It Doesn't Stop With the Software Thief Though...

What the brief article did NOT mention and many of the commenters may not be aware of, is that this vulnerability not only puts the Mac user that downloaded the pirated software at risk, but the trojan itself is designed to set up a botnet to use those computers as slaves to the master's whim. I'm ALL for wagging my finger and saying "shame shame... " to those who download pirated software when there's a perfectly good trial version available for 30 days from the source. And if something bad should happen to their system as a result of their thievery, then so be it. However, this was used as a weapon against an innocent third party. Whoever did this can launch instructions to those 20,000 computers to execute some other dastardly deed against someone (or some people) who have nothing to do with their software or P2P networks, etc...

How do I know this? I was actually the victim of a DDOS attack from those 20,000+ computers that nearly put an end to my business by crippling our host's servers and pushing our bandwidth over 600Gb within a week's time and sending millions of bot "visits" to our DollarCardMarketing.com site. We have no way of knowing whether the coder had something against us, or we were just a randomly picked "test" site, or if someone hired them to write and distribute it. A more comprehensive article was written and is being followed up on at the Washington Post: http://voices.washingtonpost.com/securityfix/2009/01/pirated_iwork_software_infects.html?hpid=sec-tech

Be safe!

Best Regards,

John


which "anti-virus" vendor?

Let's at least name and shame the people who are trying to profit from this!

@Marc:

Not quite; the root account is disabled by default – even sudoers can't actually become root unless it's been enabled. I haven't tested it, of course, but you might need to use 'rm -rf' instead of just 'rm -r'.

1) (open Terminal.app)

2) sudo rm -r /System/Library/StartupItems/iWorkServices

3) enter password

4) sudo rm /private/tmp/.iWorkServices

(no need for password again, sudo privilege is retained for a few minutes)

5) sudo rm /usr/bin/iWorkServices

6) sudo rm -r /Library/Receipts/iWorkServices.pkg

7) sudo killall -9 iWorkServices

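A defender's version of the cleanup described in the steps above, added here as an example (it is not the commenter's, Intego's or Apple's code): it audits a volume for the four on-disk artifacts the comment names and can remove them, stopping the iWorkServices process first. The path list comes from the comment; the ROOT parameter, which lets you point the check at a mounted volume or a scratch directory instead of the live system, and the function names are my own assumptions. It looks only for these exact paths, so a variant that drops files elsewhere would not be found.

```shell
#!/bin/sh
# Added example, not from the article or the comment. Audits a macOS volume
# for the iWorkServices trojan artifacts listed in the comment above and can
# remove them. ROOT (assumed parameter) defaults to "/" for the live system,
# where the script must be run with sudo; any other ROOT is treated as an
# offline volume or test tree and no processes are touched.

# File-system artifacts named in the comment, relative to the volume root.
IWS_PATHS="System/Library/StartupItems/iWorkServices
private/tmp/.iWorkServices
usr/bin/iWorkServices
Library/Receipts/iWorkServices.pkg"

# iws_scan ROOT: print the full path of every artifact present under ROOT.
iws_scan() {
    root=${1:-/}
    for rel in $IWS_PATHS; do
        p="${root%/}/$rel"
        [ -e "$p" ] && echo "$p"
    done
    return 0
}

# iws_count ROOT: print how many of the artifacts are present (0 means clean).
iws_count() {
    root=${1:-/}
    n=0
    for rel in $IWS_PATHS; do
        [ -e "${root%/}/$rel" ] && n=$((n + 1))
    done
    echo "$n"
    return 0
}

# iws_remove ROOT: stop the daemon (live system only) and delete the
# artifacts. rm -rf is used because StartupItems and the receipt are
# directories, as the comment suspected.
iws_remove() {
    root=${1:-/}
    if [ "$root" = "/" ]; then
        # pkill returns non-zero when nothing matched; that is not an error here.
        pkill -9 -x iWorkServices 2>/dev/null || true
    fi
    for rel in $IWS_PATHS; do
        p="${root%/}/$rel"
        if [ -e "$p" ]; then
            echo "removing $p"
            rm -rf "$p"
        fi
    done
    return 0
}

# Usage on a live system (assumed invocation):
#   sudo sh iws_cleanup.sh          # report only
#   sudo sh iws_cleanup.sh remove   # report and remove
if [ "${IWS_RUN_MAIN:-0}" = "1" ]; then
    echo "artifacts found: $(iws_count /)"
    iws_scan /
    [ "${1:-}" = "remove" ] && iws_remove /
fi
```

Run it as a report first and compare the output with the comment's list before removing anything; a clean volume prints "artifacts found: 0". Set IWS_RUN_MAIN=1 to run the top-level block, which is guarded so the functions can also be sourced and tested against a scratch directory.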

@AC RE: RE: But Macs don't get viruses

"Pierre might still think I'm stupid, but I do not quite see how AV will keep me from making bad decisions in the first place."

It won't. On the other hand, it will prevent the malware from running at all, let alone ask you for your password. So, wait, yes it will prevent you from making bad decisions. And if you insist on your mistaken ways, it will likely mitigate the consequences (most of the time, suppress all consequences).

And the stupid annoying "are you sure?" boxes have nothing to do with any anti-malware software: it's pure Windoze crap.

Of course, not being stupid remains the best security strategy. It's free, and it works with every OS.

As explained by Thomas, it would be quite easy to run any malicious code on a Mac if one wanted to. And "one" seems to feel some interest for that target. As in any good horror movie, the smuggest lusers will die first.

@ Mark

"Anyway in a more constructive vein....removing the Trojan from infected systems."

Infected systems? I think you are confused, maybe you should lie down for a while? There can't be no infected systems. Macs are secure.
