Two new trojan horses threaten Mac software pirates
Tens of thousands of users who've downloaded pirated versions of iWork '09 or Photoshop CS4 may have opened their Macs to remote attacks from malicious users.
iWork '09
Mac security software maker Intego discovered last week what it calls "OSX.Trojan.iServices.A" in pirated copies of Apple's iWork '09 making the rounds on BitTorrent file sharing networks.Â* An additional package not found in retail copies of the iWork installer called "iWorkServices.pkg" is installed as a startup item with read/write/execute abilities with the pirated versions.
According to Intego, the rogue software connects to a remote server to notify its creator that the trojan has been installed on different Macs, and he or she can "connect to them and perform various actions remotely", including downloading additional components to the machine.
Intego considers the risk of infection to be serious, warning of "extremely serious consequences" if a user's Mac is compromised by software. The security firm said 20,000 people had already downloaded the installer at the time of its alert.Â* As of now, Intego counts 1,000 more since the initial warning.
In an update on the matter Monday morning, Intego said Macs infected with the trojan are being pushed new code that downloads in the background, which is then being used to facilitate a DDoS (distributed denial of service) attack on certain websites.
Photoshop CS4
As part of its update, Intego also says it has discovered a new variant of the same Trojan horse called "OSX.Trojan.iServices.B", which can be found in pirated versions of Adobe Photoshop CS4.Â* This installer has already been downloaded by 5,000 people who are now at risk, the firm says.
This installer compromises the system not by installing an additional package, but through a crack application that serializes the program for use without a purchased retail key.Â* This app extracts an executable from its data and installs a backdoor in /var/tmp/.Â* If the user runs the crack app again, a new executable with a different random name is created, making it difficult to safely remove the malware.
Once the administrator password is entered, a backdoor with root privileges is launched, copying the executable to /usr/bin/DivX and a startup item in /System/Library/StartupItems/DivX.Â* It then makes repeated connections to two IP addresses, according to Intego.
A malicious user can then connect to the affected Macs and perform various actions and downloads remotely.Â* Intego predicts this Trojan horse may also be used to execute similar DDoS attacks.
Warning
As a result of these two very serious risks, Intego is warning Mac users not to download any cracking software from sites that distribute it.
"The risk of infection is serious, due to the number of infected users, and these users may face extremely serious consequences if their Macs are accessible to malicious users," reads a notice on the security firm's website.
Intego recommends that users never download and install software from untrusted sources or questionable websites.Â*Â*It says its own VirusBarrier X4 and X5 products with virus definitions dated January 22, 2009, or later will protect against these two Trojan horses.
iWork '09
Mac security software maker Intego discovered last week what it calls "OSX.Trojan.iServices.A" in pirated copies of Apple's iWork '09 making the rounds on BitTorrent file sharing networks.Â* An additional package not found in retail copies of the iWork installer called "iWorkServices.pkg" is installed as a startup item with read/write/execute abilities with the pirated versions.
According to Intego, the rogue software connects to a remote server to notify its creator that the trojan has been installed on different Macs, and he or she can "connect to them and perform various actions remotely", including downloading additional components to the machine.
Intego considers the risk of infection to be serious, warning of "extremely serious consequences" if a user's Mac is compromised by software. The security firm said 20,000 people had already downloaded the installer at the time of its alert.Â* As of now, Intego counts 1,000 more since the initial warning.
In an update on the matter Monday morning, Intego said Macs infected with the trojan are being pushed new code that downloads in the background, which is then being used to facilitate a DDoS (distributed denial of service) attack on certain websites.
Photoshop CS4
As part of its update, Intego also says it has discovered a new variant of the same Trojan horse called "OSX.Trojan.iServices.B", which can be found in pirated versions of Adobe Photoshop CS4.Â* This installer has already been downloaded by 5,000 people who are now at risk, the firm says.
This installer compromises the system not by installing an additional package, but through a crack application that serializes the program for use without a purchased retail key.Â* This app extracts an executable from its data and installs a backdoor in /var/tmp/.Â* If the user runs the crack app again, a new executable with a different random name is created, making it difficult to safely remove the malware.
Once the administrator password is entered, a backdoor with root privileges is launched, copying the executable to /usr/bin/DivX and a startup item in /System/Library/StartupItems/DivX.Â* It then makes repeated connections to two IP addresses, according to Intego.
A malicious user can then connect to the affected Macs and perform various actions and downloads remotely.Â* Intego predicts this Trojan horse may also be used to execute similar DDoS attacks.
Warning
As a result of these two very serious risks, Intego is warning Mac users not to download any cracking software from sites that distribute it.
"The risk of infection is serious, due to the number of infected users, and these users may face extremely serious consequences if their Macs are accessible to malicious users," reads a notice on the security firm's website.
Intego recommends that users never download and install software from untrusted sources or questionable websites.Â*Â*It says its own VirusBarrier X4 and X5 products with virus definitions dated January 22, 2009, or later will protect against these two Trojan horses.
Comments
Tens of thousands of users who've downloaded pirated versions of iWork '09 or Photoshop CS4 may have opened their Macs to remote attacks from malicious users.
*snip*
Stupid question: Why do these apps need an installer at all? Most OS X apps are .app folders that you simply need to drag and drop into the Applications folder. I understand there are exceptional cases like iTunes that need to write to the system folders, but why do iLife and iWork need to do so?
Stupid question: Why do these apps need an installer at all? Most OS X apps are .app folders that you simply need to drag and drop into the Applications folder. I understand there are exceptional cases like iTunes that need to write to the system folders, but why do iLife and iWork need to do so?
Well, it depends. IMO, there are two different kind of apps - one that have installer such as CS4, iWork, iLife, Apple Pros, etc. and other that doesn't have installers are FF3, AppZap, etc. that enable to drag and drop into App folder from DMG.
I may be wrong but that is what I think.
Tens of thousands of users who've downloaded pirated versions of iWork '09 or Photoshop CS4 may have opened their Macs to remote attacks from malicious users.
iWork '09
Mac security software maker Intego discovered last week what it calls "OSX.Trojan.iServices.A" in pirated copies of Apple's iWork '09 making the rounds on BitTorrent file sharing networks.* An additional package not found in retail copies of the iWork installer called "iWorkServices.pkg" is installed as a startup item with read/write/execute abilities with the pirated versions.
According to Intego, the rogue software connects to a remote server to notify its creator that the trojan has been installed on different Macs, and he or she can "connect to them and perform various actions remotely", including downloading additional components to the machine.
Intego considers the risk of infection to be serious, warning of "extremely serious consequences" if a user's Mac is compromised by software. The security firm said 20,000 people had already downloaded the installer at the time of its alert.* As of now, Intego counts 1,000 more since the initial warning.
In an update on the matter Monday morning, Intego said Macs infected with the trojan are being pushed new code that downloads in the background, which is then being used to facilitate a DDoS (distributed denial of service) attack on certain websites.
Photoshop CS4
As part of its update, Intego also says it has discovered a new variant of the same Trojan horse called "OSX.Trojan.iServices.B", which can be found in pirated versions of Adobe Photoshop CS4.* This installer has already been downloaded by 5,000 people who are now at risk, the firm says.
This installer compromises the system not by installing an additional package, but through a crack application that serializes the program for use without a purchased retail key.* This app extracts an executable from its data and installs a backdoor in /var/tmp/.* If the user runs the crack app again, a new executable with a different random name is created, making it difficult to safely remove the malware.
Once the administrator password is entered, a backdoor with root privileges is launched, copying the executable to /usr/bin/DivX and a startup item in /System/Library/StartupItems/DivX.* It then makes repeated connections to two IP addresses, according to Intego.
A malicious user can then connect to the affected Macs and perform various actions and downloads remotely.* Intego predicts this Trojan horse may also be used to execute similar DDoS attacks.
Warning
As a result of these two very serious risks, Intego is warning Mac users not to download any cracking software from sites that distribute it.
"The risk of infection is serious, due to the number of infected users, and these users may face extremely serious consequences if their Macs are accessible to malicious users," reads a notice on security firm's website.
Intego recommends that users never download and install software from untrusted sources or questionable websites.**It says its own VirusBarrier X4 and X5 products with virus definitions dated January 22, 2009, or later will protect against these two Trojan horses.
[ View this article at AppleInsider.com ]
HA! I don't feel sorry for those people. Pirate software will always come with Trojan, viruses, etc. I'd rather stick to legit software though.
Honestly, they get what is coming to them.
Stupid question: Why do these apps need an installer at all? Most OS X apps are .app folders that you simply need to drag and drop into the Applications folder. I understand there are exceptional cases like iTunes that need to write to the system folders, but why do iLife and iWork need to do so?
If you try to run the apps without installing you'll get a dialog box that says something to the effect of "Pages is missing files iWork needs. Please run the iWork installer from your disc". You can choose to Run Anyway, or Quit, as I found out recently after reinstalling OS X. How did this happen? I bought my copy of iWork after using the trial download, but Apple no longer offers iWork '08 trial downloads now that iWork '09 is around. Unfortunately it wasn't as easy as I'd hoped.
Intego recommends that users never download and install software from untrusted sources or questionable websites.**It says its own VirusBarrier X4 and X5 products with virus definitions dated January 22, 2009, or later will protect against these two Trojan horses.
[ View this article at AppleInsider.com ]
People, don't download pirated software from the torrent sites!
Without a reliable way of verifying the MD5 hash against the downloaded ISOs, you have no way of knowing how it has been tampered with.
As much as this sucks for everyone, I have to say there is quite a helping of poetic justice for those that downloaded pirated versions vs. buying legitimate copies.
Stupid question: Why do these apps need an installer at all? Most OS X apps are .app folders that you simply need to drag and drop into the Applications folder. I understand there are exceptional cases like iTunes that need to write to the system folders, but why do iLife and iWork need to do so?
Actually iLife does write to some system folders, I believe. The Adobe installers allow you to customize what exactly gets installed, which wouldn't be possible with drag-and-drop. I would think any time you need custom installation options, or you're installing multiple programs, or doing anything outside of /Applications, an installer is preferable.
If you try to run the apps without installing you'll get a dialog box that says something to the effect of "Pages is missing files iWork needs. Please run the iWork installer from your disc". You can choose to Run Anyway, or Quit, as I found out recently after reinstalling OS X. How did this happen? I bought my copy of iWork after using the trial download, but Apple no longer offers iWork '08 trial downloads now that iWork '09 is around. Unfortunately it wasn't as easy as I'd hoped.
I understand what you're saying, but that doesn't address my question.
My question is why, from a design perspective, do iWork/iLife need to write to system directories, when apps like Firefox do not? The only reason a program should need an installer is if it writes to system directories, which /Applications is not.
As an OS X user, I've been conditioned to be suspicious of any non-Apple installer that asks for my password, and thus, tries to write to system directories.
How does Intego know the exact numbers how often these "spezial" software packages have been downloaded. I would think if these packages are on P2P no one can really know!
They probably made it up, just like the other trojan and virus scares coming from an anti-virus software vendor.
They should have named it "karma"
Shame they called it something as insipid as "OSX.Trojan.iServices.A"
They should have named it "karma"
How does Intego know the exact numbers how often these "spezial" software packages have been downloaded. I would think if these packages are on P2P no one can really know!
Well Intego just counts how many times people download it from their servers...oops!
But seriously, why are people trying to steal copies of iWork? It's a measly $80 ($71 for students) and as others here have noted, a free 30 day trial is available.
People, don't download pirated software from the torrent sites!
Without a reliable way of verifying the MD5 hash against the downloaded ISOs, you have no way of knowing how it has been tampered with.
Even knowing the MD5 of the original ISO, you still don't know how the file has been tampered with. MD5 is meant as a data integrity check, not as a security measure. Even if a file has been changed, it's relatively easy to craft the file such that its MD5 is the same as the original.
Stupid question: Why do these apps need an installer at all? Most OS X apps are .app folders that you simply need to drag and drop into the Applications folder. I understand there are exceptional cases like iTunes that need to write to the system folders, but why do iLife and iWork need to do so?
Next stupid question: why do these applications need root privileges? Surely many of these applications need administrator privileges to be installed, but not have administrator ownership.
Incidentally, shouldn't anything calling home be triggering a permissions warning with Leopard?
My question is why, from a design perspective, do iWork/iLife need to write to system directories, when apps like Firefox do not? The only reason a program should need an installer is if it writes to system directories, which /Applications is not.
Yes, as previous stated they do need to write to the system directories. If it is the standard OS X installer app then you can see what files and directories are written if you go to File » Show Files. However, it would not be hard to spoof the installer if one were so inclined. PS: I think you can use this to see if the trojan was added to the installer before installing.
I understand what you're saying, but that doesn't address my question.
My question is why, from a design perspective, do iWork/iLife need to write to system directories, when apps like Firefox do not? The only reason a program should need an installer is if it writes to system directories, which /Applications is not.
As an OS X user, I've been conditioned to be suspicious of any non-Apple installer that asks for my password, and thus, tries to write to system directories.
You asked why it needs an installer, so that's the question I attempted to answer. As for the clarified question, "Why does an Apple application like iWork 'need' to write to system directories?" Probably the same reason Apple applications like QuickTime and iWeb have helper files and components in the system directories -- user/Library/Application Support/ to name just one. I'm not a programmer, but it's probably a combination of minimizing clutter in Applications, permission requirements, cross-user availability, .plist files, preference files, and so forth. Perhaps a reader with a more technically proficient background can flesh out this answer for me.
EDIT: Applications isn't the only place you'll find files related to Firefox, by the way.