Monday 20 June 2011

iWork '09 infects Macs with Trojan

Intego has discovered a new Trojan horse, OSX.Trojan.iServices.A, which is currently circulating in copies of Apple's iWork 09 found on BitTorrent trackers and other sites containing links to pirated software. The version of iWork 09, Apple's productivity suite, is complete and functional, but the installer contains an additional package called iWorkServices.pkg.

When installing an infected pirated copy of iWork '09, an extra iWorkServices package is installed; this installation begins as soon as the user launches the iWork '09 installer. This package is installed as a system-wide startup item, where it has read-write permissions as root. In other words, this code can do anything to any part of the system, with full authorization.

The malicious software connects to remote servers over the internet, so a malicious remote user will know that the program has been installed. The malicious user will be able to connect to the infected Mac and perform various actions; the Trojan horse may also download additional components to an infected Mac.

This is not a virus—it cannot spread from one Mac to another on its own. It's also not a remote exploit; the user must download and install a pirated copy of iWork '09 to become infected. To check if you've been infected, look in /System/Library/StartupItems for an item named iWorkServices. If it exists, you've been infected with this Trojan horse.
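The check described above, written as a small script. This is an added example, not code from Intego or the original post: the function names and the optional root and installer arguments are assumptions, and only the StartupItems path and the names iWorkServices and iWorkServices.pkg come from the article.

```shell
#!/bin/sh
# Added example: look for the two artefacts the article names.
# Usage after sourcing this file:
#   check_iworkservices [ROOT] [INSTALLER_PATH]
# ROOT defaults to / ; it may also be a mounted backup or disk image
# (assumption: that volume is already mounted at the given path).

# Print any StartupItems entry named iWorkServices under ROOT.
startup_hits() {
    dir="${1%/}/System/Library/StartupItems"
    if [ -d "$dir" ]; then
        # -iname: Mac volumes are usually case-insensitive
        find "$dir" -maxdepth 1 -iname 'iWorkServices' -print
    fi
}

# Print any iWorkServices.pkg inside a downloaded installer tree; the
# article says the Trojan ships as this extra package in the installer.
installer_hits() {
    if [ -e "$1" ]; then
        find "$1" -iname 'iWorkServices.pkg' -print
    fi
}

# Returns 0 and lists the paths if either artefact exists, 1 if none found.
check_iworkservices() {
    root="${1:-/}"
    installer="${2:-}"
    hits=$(startup_hits "$root")
    if [ -n "$installer" ]; then
        pkg=$(installer_hits "$installer")
        # Merge both result lists and drop empty lines
        hits=$(printf '%s\n%s\n' "$hits" "$pkg" | sed '/^$/d')
    fi
    if [ -n "$hits" ]; then
        printf 'iWorkServices artefact found:\n%s\n' "$hits"
        return 0
    fi
    echo "No iWorkServices artefact under $root"
    return 1
}
```

Passing an installer path as the second argument lets you inspect a downloaded copy before running it.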
