Mac malware piggybacks on pirated iWork
Over 20,000 served
Malware masquerading as part of Apple's iWork '09 productivity suite is targeting unsuspecting Mac users foolish enough to install pirated software downloaded from warez sites.
Once installed, iServices.A has unfettered root access, which it promptly uses to connect to a remote server over the internet, according to Intego, which sells anti-virus software for Macs. A secondary download installs malware that makes victims part of a botnet that's attacking undisclosed websites.
More than 20,000 people have already downloaded the rogue installer, which is bundled with a complete and fully functional version of iWork. Intego didn't say how many of those marks have actually installed the program.
Intego's advisory is the latest reminder that the growing popularity of Apple's OS X hasn't been lost on malware developers. Over the past 18 months, a variety of trojans and exploits have increasingly targeted the Mac.
Word of this latest trojan comes a day after Apple said it would no longer require iWork users to enter company-issued serial numbers when installing the app. So, if you must pirate the program, simply borrow your co-worker's disk. Online cracking software is no longer required.
It Doesn't Stop With the Software Thief Though...
What the brief article did NOT mention, and many of the commenters may not be aware of, is that this vulnerability not only puts the Mac user that downloaded the pirated software at risk, but the trojan itself is designed to set up a botnet to use those computers as slaves to the master's whim. I'm ALL for wagging my finger and saying "shame shame..." to those who download pirated software when there's a perfectly good trial version available for 30 days from the source. And if something bad should happen to their system as a result of their thievery, then so be it. However, this was used as a weapon against an innocent third party. Whoever did this can launch instructions to those 20,000 computers to execute some other dastardly deed against someone (or some people) who have nothing to do with their software or P2P networks, etc...
How do I know this? I was actually the victim of a DDoS attack from those 20,000+ computers that nearly put an end to my business by crippling our host's servers and pushing our bandwidth over 600Gb within a week's time and sending millions of bot "visits" to our DollarCardMarketing.com site. We have no way of knowing whether the coder had something against us, or we were just a randomly picked "test" site, or if someone hired them to write and distribute it. A more comprehensive article was written and is being followed up on at the Washington Post: http://voices.washingtonpost.com/securityfix/2009/01/pirated_iwork_software_infects.html?hpid=sec-tech
which "anti-virus" vendor?
Let's at least name and shame the people who are trying to profit from this!
Not quite; the root account is disabled by default – even sudoers can't actually become root unless it's been enabled. I haven't tested it, of course, but you might need to use 'rm -rf' instead of just 'rm -r'.
1) (open Terminal.app)
2) sudo rm -r /System/Library/StartupItems/iWorkServices
3) enter password
4) sudo rm /private/tmp/.iWorkServices
(no need for password again, sudo privilege is retained for a few minutes)
5) sudo rm /usr/bin/iWorkServices
6) sudo rm -r /Library/Receipts/iWorkServices.pkg
7) sudo killall -9 iWorkServices
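The removal steps above delete files blindly; before doing that, a defender usually wants a read-only check of whether the indicators are present at all. The following script is an added example, not code from the article or from the commenter: it looks for the four file paths and the process name listed in the steps above and reports what it finds without deleting anything. The optional root-prefix argument is an assumption added here so the check can be exercised against a scratch directory tree instead of the live system.

```shell
#!/bin/sh
# Added example: read-only check for the iWorkServices (iServices.A)
# indicators named in the removal steps above. Nothing is deleted.
#
# Usage on a live Mac:   sh check_iworkservices.sh --scan
# Exit status 1 means at least one indicator was found, 0 means clean.

# File-system indicators, exactly as given in the removal steps.
IWS_PATHS="/System/Library/StartupItems/iWorkServices
/private/tmp/.iWorkServices
/usr/bin/iWorkServices
/Library/Receipts/iWorkServices.pkg"

# check_iworkservices [root]
#   root: optional prefix prepended to every path (assumed parameter for
#         offline testing; empty means the live system).
#   Prints one FOUND line per indicator, sets IWS_FOUND to the count,
#   returns 1 if anything was found and 0 otherwise.
check_iworkservices() {
    root="${1:-}"
    IWS_FOUND=0
    for p in $IWS_PATHS; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            IWS_FOUND=$((IWS_FOUND + 1))
        fi
    done
    # The running process only makes sense on the live system, so it is
    # skipped when a test prefix is given.
    if [ -z "$root" ] && pgrep -x iWorkServices >/dev/null 2>&1; then
        echo "FOUND: running process iWorkServices"
        IWS_FOUND=$((IWS_FOUND + 1))
    fi
    [ "$IWS_FOUND" -eq 0 ]
}

# Scan the live system only when asked explicitly, so that sourcing this
# file for reuse does not start a scan.
if [ "${1:-}" = "--scan" ]; then
    check_iworkservices
    exit $?
fi
```

Run it with `--scan` on the machine in question; a clean exit (status 0, no FOUND lines) means none of the listed artefacts are present, and only then is there nothing for the `sudo rm` steps above to do.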
@AC RE: RE: But Macs don't get viruses
"Pierre might still think I'm stupid, but I do not quite see how AV will keep me from making bad decisions in the first place."
It won't. On the other hand, it will prevent the malware from running at all, let alone ask you for your password. So, wait, yes it will prevent you from making bad decisions. And if you insist on your mistaken ways, it will likely mitigate the consequences (most of the time, suppress all consequences).
And the stupid annoying "are you sure?" boxes have nothing to do with any anti-malware software: it's pure Windoze crap.
Of course, not being stupid remains the best security strategy. It's free, and it works with every OS.
As explained by Thomas, it would be quite easy to run any malicious code on a Mac if one wanted to. And "one" seems to feel some interest for that target. As in any good horror movie, the smuggest lusers will die first.
"Anyway in a more constructive vein....removing the Trojan from infected systems."
Infected systems? I think you are confused, maybe you should lie down for a while? There can't be no infected systems. Macs are secure.