OSX.Trojan.iServices.A : Trojan in pirated copies of iWork 09? (according to Intego)
Mac Elite
Join Date: Oct 1999
Location: Montréal, Québec (Canada)
Status:
Offline
I read in my newspaper yesterday that Intego had found a trojan in pirated copies of iWork 09 obtained from P2P. I don't normally trust Intego as they just want to scare people and drive them to buy their currently useless product, but this looks real.
Here's the original article (in French), and the Intego bulletin:
Exploit: OSX.Trojan.iServices.A Trojan Horse
Discovered: January 21, 2009
Risk: Serious
Description: Intego has discovered a new Trojan horse, OSX.Trojan.iServices.A, which is currently circulating in copies of Apple’s iWork 09 found on BitTorrent trackers and other sites containing links to pirated software. The version of iWork 09, Apple’s productivity suite, is complete and functional, but the installer contains an additional package called iWorkServices.pkg.
When installing iWork 09, the iWorkServices package is installed. The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer’s request of an administrator password. This software is installed as a startup item (in /System/Library/StartupItems/iWorkServices, a location reserved normally for Apple startup items), where it has read-write-execute permissions for root. The malicious software connects to a remote server over the Internet; this means that a malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac.
What do you think?
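A defender-side check for the installation detail the bulletin describes (an extra item dropped into /System/Library/StartupItems, where everything is run as root at boot), added here as an example; it is not from the thread or from Intego. It audits a StartupItems directory against an allowlist of item names you would record from a known-clean machine, and runs against a constructed sample tree, so the allowlist contents and the "KnownItem" name are assumptions.

```sh
#!/bin/sh
# Added example: audit a classic StartupItems directory for entries that are not
# on an allowlist. Every directory here is run as root by SystemStarter at boot,
# which is why a dropped-in item such as iWorkServices matters.

# Print each item in $1 whose name is absent from the space-separated allowlist
# in $2, with whether its launcher (conventionally named after the item) is
# executable and whether a StartupParameters.plist is present.
# Returns 0 when every item is allowlisted, 1 when at least one is unknown.
audit_startup_items() {
    dir="$1"
    allow=" $2 "
    found=0
    for item in "$dir"/*/; do
        [ -d "$item" ] || continue
        name=$(basename "$item")
        case "$allow" in
            *" $name "*) continue ;;      # known item, skip it
        esac
        found=1
        if [ -x "$item$name" ]; then exe="executable"; else exe="no executable"; fi
        if [ -f "${item}StartupParameters.plist" ]; then plist="plist present"; else plist="no plist"; fi
        printf '%s: %s, %s\n' "$name" "$exe" "$plist"
    done
    return "$found"
}

# Constructed sample tree standing in for /System/Library/StartupItems:
# one allowlisted item and one that mimics the iWorkServices layout.
# "KnownItem" is a placeholder name, not a real Apple startup item.
build_sample_tree() {
    root=$(mktemp -d)
    for n in KnownItem iWorkServices; do
        mkdir -p "$root/$n"
        printf '#!/bin/sh\n' > "$root/$n/$n"
        chmod 755 "$root/$n/$n"
    done
    : > "$root/iWorkServices/StartupParameters.plist"
    printf '%s\n' "$root"
}

# Stand-alone demo; on a real host point audit_startup_items at
# /System/Library/StartupItems with the names recorded from a clean install.
sample=$(build_sample_tree)
audit_startup_items "$sample" "KnownItem" || echo "unknown startup item(s) found"
rm -rf "$sample"
```

The script only compares names and layout; ownership and permissions of the launcher still need to be inspected by hand.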
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status:
Offline
Reminds me of the Office v. X "installer" on p2p networks that erased a user's entire home directory.
It only weighed in at 180 kilobytes, though, so it took some monumental stupidity.
Professional Poster
Join Date: Jan 2002
Location: London, UK
Status:
Offline
I think it is finally time for the morons who think they are immune to malware just because they use a Mac to wake up and smell the coffee. I also think it is about time that Apple closes the gaping security hole that is the Startup Items folder which they have known about for nearly 5 years yet have done nothing at all about... If I am right in my thinking, this particular Trojan wouldn't be able to work the way it does if they had.
However, it isn't the apocalypse, nor is it the first Trojan for OS X (that would have been Apple's very own iTunes installer which wiped your drive if it had a space in the name). However, this is definitely one of the first truly serious ones to hit a large number of users (and deservedly so, the fricking idiots!).
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Status:
Offline
I guess this should come as no big surprise. Even more so when everybody knows you have to enter an admin password to install iWork. If the installer gets hijacked by some malicious code it can do pretty much anything to your system. So if you use such an installer, why would you trust a P2P source?
Pirating an excellent piece of $79 software is not just bad karma, it's quite simply a bad idea in the first place.
Professional Poster
Join Date: Sep 2002
Location: New York, NY
Status:
Offline
How is StartupItems any more of a security hole than any other system folder, including the launchd folders? You have to authenticate to make any changes to it.
Vandelay Industries
Fresh-Faced Recruit
Join Date: Jan 2009
Status:
Offline
Something tells me Apple isn't going to care that much about the security of those who choose to pirate its software. As Mr. Vandelay points out, this isn't a security hole.
Senior User
Join Date: Dec 2005
Location: Minnesota
Status:
Offline
Folks who download the pirated stuff and get burned deserve it. Though it's true the Mac platform is growing and it's just a matter of time before the viruses and trojan horses get bigger. Most Mac users already know how to keep their system secure and the software is IMHO almost rock solid. I don't believe there is any system 100 percent bulletproof, but Mac OS X comes real close.
(Last edited by bearcatrp; Jan 24, 2009 at 01:40 PM. Reason: corrected a word)
2010 Mac Mini, 32GB iPod Touch, 2 Apple TV (1)
Home built 12 core 2.93 Westmere PC (almost half the cost of MP) Win7 64.
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status:
Offline
Originally Posted by bearcatrp
Though it's true the Mac platform is growing and it's just a matter of time before the viruses and trojan horses get bigger.
Call me when we get the first true virus. I can't wait.
-t
Posting Junkie
Join Date: Dec 2000
Status:
Offline
Clinically Insane
Join Date: Mar 2001
Location: yes
Status:
Offline
I think you guys may be barking up the wrong tree.
It may not be worth it to put in the time to write a self-propagating virus due to a multitude of factors, but there is still money to be had turning Macs (or any other computer) into spam zombies and preying on Mac users with Mac related phishing attacks. It would seem to me that if I were in this business, this is where I would focus my attention regardless of the platform.
I don't know this for certain, but I'm willing to bet that right now the big malware business is now about spam and phishing far more so than self propagating viruses. It doesn't take self propagating code to engineer these attacks, just a clever enough approach to get a user to visit your phishing site and download and install something. Start your own email server, disable any virus or spam checking and I would be willing to bet that you get far more phishing attempts than you do viruses, and obviously far more spam.
Again, I don't know this for certain, but I suspect that the game has changed a great deal.
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status:
Offline
Originally Posted by CharlesS
Virus.
I said VIRUS !!!1!1oneone
-t
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status:
Offline
Originally Posted by besson3c
I think you guys may be barking up the wrong tree.
It may not be worth it to put in the time to write a self-propagating virus due to a multitude of factors, but there is still money to be had turning Macs (or any other computer) into spam zombies and preying on Mac users with Mac related phishing attacks. It would seem to me that if I were in this business, this is where I would focus my attention regardless of the platform.
I don't know this for certain, but I'm willing to bet that right now the big malware business is now about spam and phishing far more so than self propagating viruses. It doesn't take self propagating code to engineer these attacks, just a clever enough approach to get a user to visit your phishing site and download and install something. Start your own email server, disable any virus or spam checking and I would be willing to bet that you get far more phishing attempts than you do viruses, and obviously far more spam.
Again, I don't know this for certain, but I suspect that the game has changed a great deal.
They're completely different lines of work, from what I've read.
Phishing allows you to scam money using compromised accounts and information. Because it relies on active cooperation of the user, it's useful mostly for gleaning salient information to do **** with.
Worms and viruses make money by turning AS MANY MACHINES AS POSSIBLE into zombies that can then be rented out for nefarious purposes - spam, illicit content distribution (e.g. childporn/piracy), DoS attacks, distributed-computing password crunching (guessing this one), etc. This is only effective if as many machines are attacked and compromised as possible at any given time - since the compromised machines are rented out by the quarter-hour, and the more machines are online at any time, the more machine hours can be sold (again, from what I've read).
Of course, compromised machines can then ALSO be used for phishing purposes (through password file search/keyloggers/etc.)...
Posting Junkie
Join Date: Dec 2000
Status:
Offline
Originally Posted by turtle777
Virus.
I said VIRUS !!!1!1oneone
-t
Why?
Most of the really nasty "viruses" you hear about on Windows that spread via the network are actually worms. True viruses are somewhat out of "favor" these days.
Mac Elite
Join Date: Jul 2002
Status:
Offline
Is it really even a worm when the user has to do 3 manual steps to get it to work? Accept the file, unarchive the file, open the fake .jpg.
Mac Elite
Join Date: Aug 2007
Status:
Offline
Originally Posted by Thinine
Is it really even a worm when the user has to do 3 manual steps to get it to work? Accept the file, unarchive the file, open the fake .jpg.
Well, my experience with Windows users is that they are TOO trusting and will do anything to open a file, regardless of where they obtained it. Now that Apple has a lot of switchers and is running a campaign that sells the Mac as trouble free, those same users will be too trusting because we all know bad habits are hard to break (for most people anyway). So for the veteran Mac users, it's easy to say we don't need AV software, just common sense. Unfortunately, not everyone has that :/
MacBook Pro 13" 2.8GHz Core i7/8GB RAM/750GB Hard Drive - Mac OS X 10.7.3
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status:
Offline
Originally Posted by CharlesS
Why?
Most of the really nasty "viruses" you hear about on Windows that spread via the network are actually worms. True viruses are somewhat out of "favor" these days.
As long as there is user interaction required ("social engineering"), all bets are off anyways.
When I said "call me once there is a virus" I meant "call me once there is something out there that could infect me even if I don't do anything stupid."
There.
-t
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Status:
Offline
And this isn't a virus - it's a trojan, right? Unless we're talking about a second threat in this thread.
"The natural progress of things is for liberty to yield and government to gain ground." TJ
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status:
Offline
Originally Posted by Big Mac
And this isn't a virus - it's a trojan, right? Unless we're talking about a second threat in this thread.
Are you referring to CharlesS' example?
He posted a link to a worm.
-t
Mac Enthusiast
Join Date: Jun 2006
Location: New Windsor, NY
Status:
Offline
I don't want to sound stupid, but does this include the one downloaded directly from Apple? I noticed my computer takes a little bit longer to boot up now since installing iWork 09, but I downloaded it directly from Apple's website.
MPB 2.8GHz, 4GB Ram, 320GB HDD
2TB Raid 1 setup, Wacom 12x19, 24" ACD, Bose SS
FCS 2, Shake, Adobe CS4, Lightroom > Aperture
Addicted to MacNN
Join Date: May 2001
Status:
Offline
I'm glad I haven't been pirating lately.
Bush Tax Cuts == Job Killer
June 2001: 132,047,000 employed
June 2003: 129,839,000 employed
2.21 million jobs were LOST after 2 years of Bush Tax Cuts.
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Status:
Offline
Originally Posted by cbrfanatic
I don't want to sound stupid, but does this include the one downloaded directly from Apple?
No.
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Status:
Offline
Originally Posted by turtle777
Are you referring to CharlesS' example?
He posted a link to a worm.
-t
Oh, OS X Leap A! Old, old news that was never really a credible threat to anyone, AFAIK.
"The natural progress of things is for liberty to yield and government to gain ground." TJ
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status:
Online
Originally Posted by Big Mac
Oh, OS X Leap A! Old, old news that was never really a credible threat to anyone, AFAIK.
There were quite a few people who bought into Leap A and managed to booger up their Macs. Not "enormous numbers" but I recall a fairly long discussion here about it. It was a pain, and more so because it took a few deliberate steps by the user to get infected. Sort of like the "pirated copy of new software here!" hook used on this new one.
Glenn -----OTR/L, MOT, Tx
Addicted to MacNN
Join Date: Sep 2000
Location: Isle of Manhattan
Status:
Offline
"Faster, faster! 'Till the thrill of speed overcomes the fear of death." - HST
Fresh-Faced Recruit
Join Date: Jun 2006
Location: Santa Barbara, CA
Status:
Offline
Intego is a small and very lonely anti-virus-for-the-Mac software company. That alone should tell you WHY they are pushing public news releases about a non-verified, nobody has it Trojan. Intego claimed 20,000 Mac users downloaded the Trojan yet not one Mac user stepped forward to say they received it.
The Facts: PB, MiniNova and BTJunkie ran online surveys aimed at Mac users asking if they had received or found the Trojan. No one. Let me repeat that: NOT ONE MAC USER said "yeah, I got it from one of your Torrents". When Intego was confronted with the news they stood by their story. Soon MacNN and every other popular - as well as many Windows-MS sites, ran with the news but still no one has been able to corroborate the Intego claim.
So give it some thought. Apple has released two very big software products lately and neither one of them requires a serial or registration code to run. Download and install and that's all there is to it. Ingenious of Apple to do that despite the fact that they slapped a $79 price tag on each retail copy. Apple will recoup their development and marketing costs from those sales alone but what they have also done is ensured iWorks and iLife is loaded up on as many Mac systems as possible. BTW, they don't advertise the fact that no serial/registration is required because they know full well the Mac community will spread the word. And if you didn't know it already then you know it now.
Intego is obviously desperate to stay alive in these poor economic times. What better way to scare up sales of their own anti-virus software than to toss a scare press release about pirated Apple software to the Mac community? Of course, it didn't stop there because then MacScan, McAfee, Norton and all the others wanted to catch a ride on the gravy train and they've been flooding Mac users with 20% email coupons, personal alerts, etc.
The bottom line is: if you want iWorks or the new iLife simply download it. And if you are scared poopless of the claimed Trojan then download the free Trojan remover available on the same sites.
And believe me when I say this - OS X is Apple's pride and joy. If there were ever a serious threat to the operating system from any Malware, Trojan, Worm or Virus then you can believe Apple would be the first entity to offer a free program to rid your Mac machine of it. They aren't stupid. In fact, they have demonstrated a great deal of brilliance.
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status:
Offline
I believe your assessment is quite incorrect in most respects.
Clinically Insane
Join Date: Dec 2000
Location: Caught in a web of deceit.
Status:
Offline
So, does anyone have half decent Mac anti-virus software yet?
When I checked last there wasn't, so I'm still just running ClamXav once in a while.
Mac Elite
Join Date: Aug 2007
Status:
Offline
Originally Posted by Eug
So, does anyone have half decent Mac anti-virus software yet?
When I checked last there wasn't, so I'm still just running ClamXav once in a while.
http://www.iantivirus.com/
MacBook Pro 13" 2.8GHz Core i7/8GB RAM/750GB Hard Drive - Mac OS X 10.7.3
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Status:
Offline
ClamXav is good enough for me. Mac malware is going to have to become much better and much more prevalent until I need anything else.
And BTW, what's the deal with so many people calling the thing iWorks lately? Sudden influx of Windows users?
Professional Poster
Join Date: Jan 2002
Location: London, UK
Status:
Offline
Originally Posted by OS2Guy
The bottom line is: if you want iWorks or the new iLife simply download it. And if you are scared poopless of the claimed Trojan then download the free Trojan remover available on the same sites.
Yes, because this is going to be the only form of Trojan that malware writers will ever include in a .pkg on torrents. They are too stupid to, you know, modify or add different ones to their poisoned downloads... or is it that you are too stupid to know that this is very likely to happen? Bloody, moronic idiot.
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status:
Offline
Originally Posted by Simon
And BTW, what's the deal with so many people calling the thing iWorks lately? Sudden influx of Windows users?
After 15 years of ClarisWorks/AppleWorks (not to mention the oxymoronic Microsoft Works for the switchers) I find it perfectly normal that people would tend to call this new package from Apple "iWorks".
I see this an awful lot, especially from veteran Mac users who haven't bothered keeping up much with "current events".
Professional Poster
Join Date: Mar 2003
Location: Down by the river
Status:
Offline
ClamAV, Norton 4, and Intego are available... I doubt anyone would say they got the Trojan because doing so would be admitting to breaking the law.
I have always wondered if scammers wrote viruses so they could create a "legitimate" antivirus industry...never gonna be proven but it's a nice conspiracy theory.