Welcome to the MacNN Forums.

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

You are here: MacNN Forums > Software - Troubleshooting and Discussion > macOS > OSX.Trojan.iServices.A : Trojan in pirated copies of iWork 09? (according to Intego)

OSX.Trojan.iServices.A : Trojan in pirated copies of iWork 09? (according to Intego)
Thread Tools
FireWire
Mac Elite
Join Date: Oct 1999
Location: Montréal, Québec (Canada)
Status: Offline
Reply With Quote
Jan 24, 2009, 05:55 AM
 
I read in my newspaper yesterday that Intego had found a trojan in pirated copies of iWork 09 obtained from P2P. I don't normally trust Intego as they just want to scare people and drive them to buy their currently useless product, but this looks real.

Here's the original article (in French), and the Intego bulletin

Exploit: OSX.Trojan.iServices.A Trojan Horse

Discovered: January 21, 2009

Risk: Serious

Description: Intego has discovered a new Trojan horse, OSX.Trojan.iServices.A, which is currently circulating in copies of Apple’s iWork 09 found on BitTorrent trackers and other sites containing links to pirated software. The version of iWork 09, Apple’s productivity suite, are complete and functional, but the installer contains an additional package called iWorkServices.pkg.

When installing iWork 09, the iWorkServices package is installed. The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer’s request of an administrator password. This software is installed as a startup item (in /System/Library/StartupItems/iWorkServices, a location reserved normally for Apple startup items), where it has read-write-execute permissions for root. The malicious software connects to a remote server over the Internet; this means that a malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac.
What do you think?
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status: Offline
Reply With Quote
Jan 24, 2009, 06:08 AM
 
Reminds me of the Office v. X "installer" on p2p networks that erased a user's entire home directory.

It only weighed in at 180 kilobytes, though, so it took some monumental stupidity.
     
JKT
Professional Poster
Join Date: Jan 2002
Location: London, UK
Status: Offline
Reply With Quote
Jan 24, 2009, 06:14 AM
 
I think it is finally time for the morons who think they are immune to malware just because they use a Mac to wake up and smell the coffee. I also think it is about time that Apple closes the gaping security hole that is the Startup Items folder which they have known about for nearly 5 years yet have done nothing at all about... If I am right in my thinking, this particular Trojan wouldn't be able to work the way it does if they had.

However, it isn't the apocalyps and nor is it the first Trojan for OS X (that would have been Apple's very own iTunes installer which wiped your drive if it had a space in the name). However, this is definitely one of the first truly serious ones to hit a large number of users (and deservedly so, the fricking idiots!).
     
Simon
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Status: Offline
Reply With Quote
Jan 24, 2009, 06:42 AM
 
I guess this should come as no big surprise. Even more so when everybody knows you have to enter an admin password to install iWork. If the installer gets hijacked by some malicious code it can do pretty much anything to your system. So if you use such an installer, why would you trust a P2P source?

Pirating an excellent piece of $79 software is not just bad karma, it's quite simply a bad idea in the first place.
     
Art Vandelay
Professional Poster
Join Date: Sep 2002
Location: New York, NY
Status: Offline
Reply With Quote
Jan 24, 2009, 12:59 PM
 
How is StartupItems any more of a security hole than any other system folder, including the launchd folders? You have to authenticate to make any changes to it.
Vandelay Industries
     
iPublius
Fresh-Faced Recruit
Join Date: Jan 2009
Status: Offline
Reply With Quote
Jan 24, 2009, 01:06 PM
 
Something tells me Apple isn't going to care that much about the security of those who choose to pirate its software. As Mr. Vandelay points out, this isn't a security hole.
     
bearcatrp
Senior User
Join Date: Dec 2005
Location: Minnesota
Status: Offline
Reply With Quote
Jan 24, 2009, 01:39 PM
 
Folks how download the pirated stuff and get burned deserve it. Though true the mac platform is growing and its just a matter of time before the viruses and trojan horses get bigger. Most mac users already know how to keep there system secure and the software is imho almost rock solid. I don't believe there is any system 100 percent bullet proof, but mac OS X comes real close.
( Last edited by bearcatrp; Jan 24, 2009 at 01:40 PM. Reason: corrected a word)
2010 Mac Mini, 32GB iPod Touch, 2 Apple TV (1)
Home built 12 core 2.93 Westmere PC (almost half the cost of MP) Win7 64.
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Reply With Quote
Jan 24, 2009, 01:58 PM
 
Originally Posted by bearcatrp View Post
Though true the mac platform is growing and its just a matter of time before the viruses and trojan horses get bigger.
Call me when we get the first true virus. I can't wait.

-t
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Status: Offline
Reply With Quote
Jan 24, 2009, 03:09 PM
 

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Jan 24, 2009, 04:10 PM
 
I think you guys may be barking up the wrong tree.

It may not be worth it to put in the time to write a self-propagating virus due to a multitude of factors, but there is still money to be had turning Macs (or any other computer) into spam zombies and preying on Mac users with Mac related phishing attacks. It would seem to me that if I were in this business, this is where I would focus my attention regardless of the platform.

I don't know this for certain, but I'm willing to bet that right now the big malware business is now about spam and phishing far more so than self propagating viruses. It doesn't take self propagating code to engineer these attacks, just a clever enough approach to get a user to visit your phishing site and download and install something. Start your own email server, disable any virus or spam checking and I would be willing to bet that you get far more phishing attempts than you do viruses, and obviously far more spam.

Again, I don't know this for certain, but I suspect that the game has changed a great deal.
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Reply With Quote
Jan 24, 2009, 04:21 PM
 
Originally Posted by CharlesS View Post
Virus.

I said VIRUS !!!1!1oneone

-t
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status: Offline
Reply With Quote
Jan 24, 2009, 04:48 PM
 
Originally Posted by besson3c View Post
I think you guys may be barking up the wrong tree.

It may not be worth it to put in the time to write a self-propagating virus due to a multitude of factors, but there is still money to be had turning Macs (or any other computer) into spam zombies and preying on Mac users with Mac related phishing attacks. It would seem to me that if I were in this business, this is where I would focus my attention regardless of the platform.

I don't know this for certain, but I'm willing to bet that right now the big malware business is now about spam and phishing far more so than self propagating viruses. It doesn't take self propagating code to engineer these attacks, just a clever enough approach to get a user to visit your phishing site and download and install something. Start your own email server, disable any virus or spam checking and I would be willing to bet that you get far more phishing attempts than you do viruses, and obviously far more spam.

Again, I don't know this for certain, but I suspect that the game has changed a great deal.
They're completely different lines of work, from what I've read.

Phishing allows you to scam money using compromised accounts and information. Because it relies on active cooperation of the user, it's useful mostly for gleaning salient information to do **** with.

Worms and viruses make money by turning AS MANY MACHINES AS POSSIBLE into zombies that can then be rented out for nefarious purposes - spam, illicit content distribution (e.g. childporn/piracy), DoS attacks, distributed-computing password crunching (guessing this one), etc. This is only effective if as many machines are attacked and compromised as possible at any given time - since the compromised machines are rented out by the quarter-hour, and the more machines are online at any time, the more machine hours can be sold (again, from what I've read).

Of course, compromised machines can then ALSO be used for phishing purposes (through password file search/keyloggers/etc.)...
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Status: Offline
Reply With Quote
Jan 24, 2009, 05:01 PM
 
Originally Posted by turtle777 View Post
Virus.

I said VIRUS !!!1!1oneone

-t
Why?

Most of the really nasty "viruses" you hear about on Windows that spread via the network are actually worms. True viruses are somewhat out of "favor" these days.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Thinine
Mac Elite
Join Date: Jul 2002
Status: Offline
Reply With Quote
Jan 25, 2009, 12:53 AM
 
Is it really even a worm when the user has to do 3 manual steps to get it to work? Accept the file, unarchive the file, open the fake .jpg.
     
64stang06
Mac Elite
Join Date: Aug 2007
Status: Offline
Reply With Quote
Jan 25, 2009, 12:27 PM
 
Originally Posted by Thinine View Post
Is it really even a worm when the user has to do 3 manual steps to get it to work? Accept the file, unarchive the file, open the fake .jpg.
Well, my experience with Windows users is that they are TOO trusting and will do anything to open a file, regardless of where they obtained it. Now that Apple has a lot of switchers and is running a campaign that sells the Mac as trouble free, those same users will be too trusting because we all know bad habits are hard to break (for most people anyway). So for the veteran Mac users, it's easy to say we don't need AV software, just common sense. Unfortunately, not everyone has that :/
MacBook Pro 13" 2.8GHz Core i7/8GB RAM/750GB Hard Drive - Mac OS X 10.7.3
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Reply With Quote
Jan 25, 2009, 01:52 PM
 
Originally Posted by CharlesS View Post
Why?

Most of the really nasty "viruses" you hear about on Windows that spread via the network are actually worms. True viruses are somewhat out of "favor" these days.
As long as there is user interaction required ("social engineering"), all bets are off anyways.

When I said "call me once there is a virus" I meant "call me once there is something out there that could infect me even if I don't do anything stupid."

There.

-t
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Status: Offline
Reply With Quote
Jan 25, 2009, 02:50 PM
 
And this isn't a virus - it's a trojan, right? Unless we're talking about a second threat in this thread.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Reply With Quote
Jan 25, 2009, 03:08 PM
 
Originally Posted by Big Mac View Post
And this isn't a virus - it's a trojan, right? Unless we're talking about a second threat in this thread.
Are you referring to CharlesS' example ?

He posted a link to a worm.

-t
     
cbrfanatic
Mac Enthusiast
Join Date: Jun 2006
Location: New Windsor, NY
Status: Offline
Reply With Quote
Jan 27, 2009, 04:40 AM
 
I dont want to sound stupid, but does this include the one downloaded directly from apple? I noticed my computer takes a little bit longer to boot up now since installing iwork 09, but i downloaded it directly from apples website.
MPB 2.8GHz, 4GB Ram, 320GB HDD
2TB Raid 1 setup, Wacom 12x19, 24" ACD, Bose SS
FCS 2, Shake, Adobe CS4, Lightroom > Aperture
     
hyteckit
Addicted to MacNN
Join Date: May 2001
Status: Offline
Reply With Quote
Jan 27, 2009, 04:53 AM
 
I'm glad I haven't been pirating lately.
Bush Tax Cuts == Job Killer
June 2001: 132,047,000 employed
June 2003: 129,839,000 employed
2.21 million jobs were LOST after 2 years of Bush Tax Cuts.
     
Simon
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Status: Offline
Reply With Quote
Jan 27, 2009, 05:33 AM
 
Originally Posted by cbrfanatic View Post
I dont want to sound stupid, but does this include the one downloaded directly from apple?
No.
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Status: Offline
Reply With Quote
Jan 27, 2009, 05:40 AM
 
Originally Posted by turtle777 View Post
Are you referring to CharlesS' example ?

He posted a link to a worm.

-t
Oh, OS X Leap A! Old, old news that was never really a credible threat to anyone, AFAIK.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Reply With Quote
Jan 27, 2009, 08:54 AM
 
Originally Posted by Big Mac View Post
Oh, OS X Leap A! Old, old news that was never really a credible threat to anyone, AFAIK.
There were quite a few people who bought into Leap A and managed to booger up their Macs. Not "enormous numbers" but I recall a fairly long discussion here about it. It was a pain, and more so because it took a few deliberate steps by the user to get infected. Sort of like the "pirated copy of new software here!" hook used on this new one.

Glenn -----OTR/L, MOT, Tx
     
osiris
Addicted to MacNN
Join Date: Sep 2000
Location: Isle of Manhattan
Status: Offline
Reply With Quote
Jan 27, 2009, 01:18 PM
 
http://www.eweek.com/c/a/Security/Mo...tware-for-Mac/

Now there's a similar trojan for the pirated CS4 serialization tool.
"Faster, faster! 'Till the thrill of speed overcomes the fear of death." - HST
     
OS2Guy
Fresh-Faced Recruit
Join Date: Jun 2006
Location: Santa Barbara, CA
Status: Offline
Reply With Quote
Jan 28, 2009, 06:40 PM
 
Intego is a small and very lonely anti-virus-for-the-Mac software company. That alone should tell you WHY they are pushing public news releases about a non-verified, nobody has it Trojan. Intego claimed 20,000 Mac users downloaded the Trojan yet not one Mac user stepped forward to say they received it.

The Facts: PB, MiniNova and BTJunkie ran online surveys aimed at Mac users asking if they had received or found the Trojan. No one. Let me repeat that: NOT ONE MAC USER said "yeah, I got it from one of your Torrents". When Intego was confronted with the news they stood by their story. Soon MacNN and every other popular - as well as many Windows-MS sites, ran with the news but still no one has been able to corroborate the Intego claim.

So give it some thought. Apple has released two very big software products lately and neither one of them requires a serial or registration code to run. Download and install and that's all there is to it. Ingenious of Apple to do that despite the fact that they slapped a $79 price tag on each retail copy. Apple will recoup their development and marketing costs from those sales alone but what they have also done is ensured iWorks and iLife is loaded up on as many Mac systems as possible. BTW, they don't advertise the fact that no serial/registration is required because they know full well the Mac community will spread the word. And if you didn't know it already then you know it now.

Intego is obviously desperate to stay alive in these poor economic times. What better way to scare up sales of their own anti-virus software then to toss a scare press release about pirated Apple software to the Mac community? Of course, it didn't stop there because then MacScan, MacAfee, Norton and all the others wanted to catch a ride on the gravy train and they've been flooding Mac users with 20% email coupons, personal alerts, etc.

The bottom line is: if you want iWorks or the new iLife simply download it. And if you are scared poopless of the claimed Trojan then download the free Trojan remover available on the same sites.

And believe me when I say this - OS X is Apple's pride and joy. If there were ever a serious threat to the operating system from any Malware, Trojan, Worm or Virus then you can believe Apple would be the first entity to offer a free program to rid your Mac machine of it. They aren't stupid. In fact, they have demonstrated a great deal of brilliance.
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status: Offline
Reply With Quote
Jan 28, 2009, 06:48 PM
 
I believe your assessment is quite incorrect in most respects.
     
Eug
Clinically Insane
Join Date: Dec 2000
Location: Caught in a web of deceit.
Status: Offline
Reply With Quote
Jan 28, 2009, 07:37 PM
 
So, does anyone have half decent Mac anti-virus software yet?

When I checked last there wasn't, so I'm still just running ClamXav once in a while.
     
64stang06
Mac Elite
Join Date: Aug 2007
Status: Offline
Reply With Quote
Jan 28, 2009, 10:08 PM
 
Originally Posted by Eug View Post
So, does anyone have half decent Mac anti-virus software yet?

When I checked last there wasn't, so I'm still just running ClamXav once in a while.
http://www.iantivirus.com/
MacBook Pro 13" 2.8GHz Core i7/8GB RAM/750GB Hard Drive - Mac OS X 10.7.3
     
Simon
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Status: Offline
Reply With Quote
Jan 29, 2009, 03:13 AM
 
ClamXav is good enough for me. Mac malware is going to have to become much better and much more prevalent until I need anything else.

And BTW, what's the deal with so many people calling the thing iWorks lately? Sudden influx of Windows users?
     
JKT
Professional Poster
Join Date: Jan 2002
Location: London, UK
Status: Offline
Reply With Quote
Jan 29, 2009, 05:18 AM
 
Originally Posted by OS2Guy View Post
The bottom line is: if you want iWorks or the new iLife simply download it. And if you are scared poopless of the claimed Trojan then download the free Trojan remover available on the same sites.]
Yes, because this is going to be the only form of Trojan that malware writers will ever include in a .pkg on torrents. They are too stupid to, you know, modify or add different ones to their poisoned downloads... or is it that you are too stupid to know that this is very likely to happen? Bloody, moronic idiot.
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status: Offline
Reply With Quote
Jan 29, 2009, 05:43 AM
 
Originally Posted by Simon View Post
And BTW, what's the deal with so many people calling the thing iWorks lately? Sudden influx of Windows users?
After 15 years of ClarisWorks/AppleWorks (not to mention the oxymoronic Microsoft Works for the switchers) I find it perfectly normal that people would tend to call this new package from Apple "iWorks".

I see this an awful lot, especially from veteran Mac users who haven't bothered keeping up much with "current events".
     
cgc
Professional Poster
Join Date: Mar 2003
Location: Down by the river
Status: Offline
Reply With Quote
Jan 29, 2009, 10:03 PM
 
ClamAV, Norton 4, and Intego are available... I doubt anyone would say they got the Trojan because doing so would be admitting to breaking the law.

I have always wondered if scammers wrote viruses so they could create a "legitimate" antivirus industry...never gonna be proven but it's a nice conspiracy theory.
     
   
Thread Tools
 
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Top
Privacy Policy
All times are GMT -4. The time now is 04:50 PM.
All contents of these forums © 1995-2017 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2017, Jelsoft Enterprises Ltd.,