Two new trojan horses threaten Mac software pirates

in Mac Software edited January 2014
Tens of thousands of users who've downloaded pirated versions of iWork '09 or Photoshop CS4 may have opened their Macs to remote attacks from malicious users.



iWork '09



Mac security software maker Intego discovered last week what it calls "OSX.Trojan.iServices.A" in pirated copies of Apple's iWork '09 making the rounds on BitTorrent file sharing networks. With the pirated versions, an additional package not found in retail copies of the iWork installer, called "iWorkServices.pkg", is installed as a startup item with read/write/execute permissions.



According to Intego, the rogue software connects to a remote server to notify its creator that the trojan has been installed on different Macs, and he or she can "connect to them and perform various actions remotely", including downloading additional components to the machine.



Intego considers the risk of infection to be serious, warning of "extremely serious consequences" if a user's Mac is compromised by the software. The security firm said 20,000 people had already downloaded the installer at the time of its alert. As of now, Intego counts 1,000 more since the initial warning.







In an update on the matter Monday morning, Intego said Macs infected with the trojan are being pushed new code that downloads in the background, which is then being used to facilitate a DDoS (distributed denial of service) attack on certain websites.



Photoshop CS4



As part of its update, Intego also says it has discovered a new variant of the same Trojan horse called "OSX.Trojan.iServices.B", which can be found in pirated versions of Adobe Photoshop CS4. This installer has already been downloaded by 5,000 people who are now at risk, the firm says.







This installer compromises the system not by installing an additional package, but through a crack application that serializes the program for use without a purchased retail key. This app extracts an executable from its data and installs a backdoor in /var/tmp/. If the user runs the crack app again, a new executable with a different random name is created, making it difficult to safely remove the malware.







Once the administrator password is entered, a backdoor with root privileges is launched, copying the executable to /usr/bin/DivX and a startup item in /System/Library/StartupItems/DivX. It then makes repeated connections to two IP addresses, according to Intego.



A malicious user can then connect to the affected Macs and perform various actions and downloads remotely. Intego predicts this Trojan horse may also be used to execute similar DDoS attacks.



Warning



As a result of these two very serious risks, Intego is warning Mac users not to download any cracking software from sites that distribute it.



"The risk of infection is serious, due to the number of infected users, and these users may face extremely serious consequences if their Macs are accessible to malicious users," reads a notice on the security firm's website.



Intego recommends that users never download and install software from untrusted sources or questionable websites. It says its own VirusBarrier X4 and X5 products with virus definitions dated January 22, 2009, or later will protect against these two Trojan horses.
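As an added example, not code from the article or from Intego, the shell function below checks a Mac for the on-disk artifacts the article names: the /usr/bin/DivX binary, the DivX startup item, and executables dropped into /var/tmp/ under random names. The two StartupItems directories it checks for an "iWorkServices" entry are an assumption, since the article does not say where that startup item is registered. The function only reports; it deletes nothing, because the article's point about the re-created random executables is that clean-up is hard to do safely.

```shell
#!/bin/sh
# Added example, not from the article or from Intego: a read-only check for the
# artifacts the article attributes to OSX.Trojan.iServices.A and .B.
# Usage: scan_iservices [ROOT]   (ROOT defaults to "", i.e. the live system;
#        a test can point it at a constructed directory tree instead)
# Prints one line per finding. Returns 0 if nothing was found, 1 otherwise.
scan_iservices() {
    root="${1:-}"
    found=0

    # Fixed paths: the DivX binary and startup item come from the article;
    # the iWorkServices startup-item locations are an assumption.
    for p in \
        "$root/usr/bin/DivX" \
        "$root/System/Library/StartupItems/DivX" \
        "$root/System/Library/StartupItems/iWorkServices" \
        "$root/Library/StartupItems/iWorkServices"
    do
        if [ -e "$p" ]; then
            echo "INDICATOR: $p"
            found=1
        fi
    done

    # iServices.B drops an executable with a random name in /var/tmp/.
    # Any executable regular file there is worth a look; report, don't delete.
    if [ -d "$root/var/tmp" ]; then
        for f in "$root/var/tmp"/* "$root/var/tmp"/.*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            echo "SUSPECT: executable in /var/tmp: $f"
            found=1
        done
    fi

    return $found
}
```

Source the file and run `scan_iservices` with no argument to check the live system (reading /usr/bin and /System requires no special privileges); a non-zero exit makes it usable from a scheduled job.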

Comments

  • Reply 1 of 91
    Quote:
    Originally Posted by AppleInsider View Post


    Tens of thousands of users who've downloaded pirated versions of iWork '09 or Photoshop CS4 may have opened their Macs to remote attacks from malicious users.

    *snip*



    Stupid question: Why do these apps need an installer at all? Most OS X apps are .app folders that you simply need to drag and drop into the Applications folder. I understand there are exceptional cases like iTunes that need to write to the system folders, but why do iLife and iWork need to do so?
  • Reply 2 of 91
    Quote:
    Originally Posted by JavaCowboy View Post


    Stupid question: Why do these apps need an installer at all? Most OS X apps are .app folders that you simply need to drag and drop into the Applications folder. I understand there are exceptional cases like iTunes that need to write to the system folders, but why do iLife and iWork need to do so?



    Well, it depends. IMO, there are two different kinds of apps: ones that have an installer, such as CS4, iWork, iLife, Apple Pros, etc., and others that don't have installers, such as FF3, AppZap, etc., which you can drag and drop into the App folder from a DMG.



    I may be wrong but that is what I think.
  • Reply 3 of 91
    Quote:
    Originally Posted by AppleInsider View Post


    Tens of thousands of users who've downloaded pirated versions of iWork '09 or Photoshop CS4 may have opened their Macs to remote attacks from malicious users.

    *snip*




    HA! I don't feel sorry for those people. Pirated software will always come with Trojans, viruses, etc. I'd rather stick to legit software though.
  • Reply 4 of 91
    The number of idiots downloading these astounds me. Especially since they could both be downloaded directly from their respective manufacturers.



    Honestly, they get what is coming to them.
  • Reply 5 of 91
    Quote:
    Originally Posted by JavaCowboy View Post


    Stupid question: Why do these apps need an installer at all? Most OS X apps are .app folders that you simply need to drag and drop into the Applications folder. I understand there are exceptional cases like iTunes that need to write to the system folders, but why do iLife and iWork need to do so?



    If you try to run the apps without installing you'll get a dialog box that says something to the effect of "Pages is missing files iWork needs. Please run the iWork installer from your disc". You can choose to Run Anyway, or Quit, as I found out recently after reinstalling OS X. How did this happen? I bought my copy of iWork after using the trial download, but Apple no longer offers iWork '08 trial downloads now that iWork '09 is around. Unfortunately it wasn't as easy as I'd hoped.
  • Reply 6 of 91
    john.b (Posts: 2,716, member)
    Quote:
    Originally Posted by AppleInsider View Post


    Intego recommends that users never download and install software from untrusted sources or questionable websites. It says its own VirusBarrier X4 and X5 products with virus definitions dated January 22, 2009, or later will protect against these two Trojan horses.



    People, don't download pirated software from the torrent sites!



    Without a reliable way of verifying the MD5 hash against the downloaded ISOs, you have no way of knowing how it has been tampered with.



    As much as this sucks for everyone, I have to say there is quite a helping of poetic justice for those that downloaded pirated versions vs. buying legitimate copies.
  • Reply 7 of 91
    How does Intego know the exact numbers for how often these "spezial" software packages have been downloaded? I would think if these packages are on P2P no one can really know!

  • Reply 8 of 91
    brianus (Posts: 138, member)
    Quote:
    Originally Posted by JavaCowboy View Post


    Stupid question: Why do these apps need an installer at all? Most OS X apps are .app folders that you simply need to drag and drop into the Applications folder. I understand there are exceptional cases like iTunes that need to write to the system folders, but why do iLife and iWork need to do so?



    Actually iLife does write to some system folders, I believe. The Adobe installers allow you to customize what exactly gets installed, which wouldn't be possible with drag-and-drop. I would think any time you need custom installation options, or you're installing multiple programs, or doing anything outside of /Applications, an installer is preferable.
  • Reply 9 of 91
    Quote:
    Originally Posted by ZachSpear View Post


    If you try to run the apps without installing you'll get a dialog box that says something to the effect of "Pages is missing files iWork needs. Please run the iWork installer from your disc". You can choose to Run Anyway, or Quit, as I found out recently after reinstalling OS X. How did this happen? I bought my copy of iWork after using the trial download, but Apple no longer offers iWork '08 trial downloads now that iWork '09 is around. Unfortunately it wasn't as easy as I'd hoped.



    I understand what you're saying, but that doesn't address my question.



    My question is why, from a design perspective, do iWork/iLife need to write to system directories, when apps like Firefox do not? The only reason a program should need an installer is if it writes to system directories, which /Applications is not.



    As an OS X user, I've been conditioned to be suspicious of any non-Apple installer that asks for my password, and thus, tries to write to system directories.
  • Reply 10 of 91
    Brian Krebs wrote about this last Thursday. I still can't get my head around why tens of thousands of idiots are installing software from utterly untrusted sources when Apple makes a 30-day trial copy freely available for download.
  • Reply 11 of 91
    bsenka (Posts: 799, member)
    Quote:
    Originally Posted by copeland View Post


    How does Intego know the exact numbers for how often these "spezial" software packages have been downloaded? I would think if these packages are on P2P no one can really know!





    They probably made it up, just like the other trojan and virus scares coming from an anti-virus software vendor.
  • Reply 12 of 91
    janus (Posts: 17, member)
    Shame they called it something as insipid as "OSX.Trojan.iServices.A"



    They should have named it "karma"
  • Reply 13 of 91
    Quote:
    Originally Posted by Janus View Post


    Shame they called it something as insipid as "OSX.Trojan.iServices.A"



    They should have named it "karma"



  • Reply 14 of 91
    wobegon (Posts: 764, member)
    Quote:
    Originally Posted by copeland View Post


    How does Intego know the exact numbers for how often these "spezial" software packages have been downloaded? I would think if these packages are on P2P no one can really know!





    Well Intego just counts how many times people download it from their servers...oops!



    But seriously, why are people trying to steal copies of iWork? It's a measly $80 ($71 for students) and as others here have noted, a free 30 day trial is available.
  • Reply 15 of 91
    Quote:
    Originally Posted by John.B View Post


    People, don't download pirated software from the torrent sites!

    Without a reliable way of verifying the MD5 hash against the downloaded ISOs, you have no way of knowing how it has been tampered with.



    Even knowing the MD5 of the original ISO, you still don't know how the file has been tampered with. MD5 is meant as a data integrity check, not as a security measure. Even if a file has been changed, it's relatively easy to craft the file such that its MD5 is the same as the original.
  • Reply 16 of 91
    ajmas (Posts: 554, member)
    Quote:
    Originally Posted by JavaCowboy View Post


    Stupid question: Why do these apps need an installer at all? Most OS X apps are .app folders that you simply need to drag and drop into the Applications folder. I understand there are exceptional cases like iTunes that need to write to the system folders, but why do iLife and iWork need to do so?



    Next stupid question: why do these applications need root privileges? Surely many of these applications need administrator privileges to be installed, but not have administrator ownership.



    Incidentally, shouldn't anything calling home be triggering a permissions warning with Leopard?
  • Reply 17 of 91
    Or it should be called "Your mom"
  • Reply 18 of 91
    solipsism (Posts: 25,726, member)
    Quote:
    Originally Posted by JavaCowboy View Post


    My question is why, from a design perspective, do iWork/iLife need to write to system directories, when apps like Firefox do not? The only reason a program should need an installer is if it writes to system directories, which /Applications is not.



    Yes, as previously stated, they do need to write to the system directories. If it is the standard OS X installer app then you can see what files and directories are written if you go to File » Show Files. However, it would not be hard to spoof the installer if one were so inclined.
    PS: I think you can use this to see if the trojan was added to the installer before installing.
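The post above suggests reviewing an installer's file list before running it. As an added example, not code from the poster, the shell function below takes such a list on standard input (on a Mac, `pkgutil --payload-files Install.pkg` prints the payload paths of a flat package; the article's own case was an extra package rather than a modified one, so the whole set of packages would need listing) and flags entries that land in startup or system locations rather than under /Applications. The list of sensitive prefixes is my own, built from the paths the article names plus the launchd directories; the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: flag payload paths an application
# installer has no obvious reason to write. Reads one path per line on stdin,
# as printed by `pkgutil --payload-files` (paths start with "./") or by
# `lsbom -s` on a package BOM. Prints "REVIEW: <path>" for each hit and
# returns 1 if anything was flagged, 0 otherwise.
flag_payload_paths() {
    rc=0
    while IFS= read -r path; do
        case "$path" in
            */System/Library/StartupItems/*|*/Library/StartupItems/*|\
            */Library/LaunchDaemons/*|*/Library/LaunchAgents/*|\
            */usr/bin/*|*/var/tmp/*)
                echo "REVIEW: $path"
                rc=1
                ;;
        esac
    done
    return $rc
}

# Constructed sample payload list (not a real package manifest): one ordinary
# application file and one startup item of the kind the article describes.
sample_payload() {
    printf '%s\n' \
        './Applications/iWork 09/Pages.app/Contents/MacOS/Pages' \
        './System/Library/StartupItems/iWorkServices/iWorkServices'
}
```

Run `sample_payload | flag_payload_paths` to see the startup item flagged while the application binary passes; in practice, pipe in the real payload listing and read every flagged line before clicking Install.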
  • Reply 19 of 91
    Quote:
    Originally Posted by JavaCowboy View Post


    I understand what you're saying, but that doesn't address my question.



    My question is why, from a design perspective, do iWork/iLife need to write to system directories, when apps like Firefox do not? The only reason a program should need an installer is if it writes to system directories, which /Applications is not.



    As an OS X user, I've been conditioned to be suspicious of any non-Apple installer that asks for my password, and thus, tries to write to system directories.



    You asked why it needs an installer, so that's the question I attempted to answer. As for the clarified question, "Why does an Apple application like iWork 'need' to write to system directories?" Probably the same reason Apple applications like QuickTime and iWeb have helper files and components in the system directories -- user/Library/Application Support/ to name just one. I'm not a programmer, but it's probably a combination of minimizing clutter in Applications, permission requirements, cross-user availability, .plist files, preference files, and so forth. Perhaps a reader with a more technically proficient background can flesh out this answer for me.



    EDIT: Applications isn't the only place you'll find files related to Firefox, by the way.
  • Reply 20 of 91
    I think my favorite part was right after they say how you are perfectly safe from this Trojan as long as you don't pirate software, but then go on to say how you can pirate in safety if you just buy their software first.