Mac malware piggybacks on pirated iWork

Malware masquerading as part of Apple's iWork 09 productivity suite is targeting unsuspecting Mac users foolish enough to install pirated software downloaded on warez sites. Once installed, iServices.A has unfettered root access, which it promptly uses to connect to a remote server over the internet, according to Intego, which …

COMMENTS

This topic is closed for new posts.
  1. Pierre

    Ha-ha

    (/Nelson Muntz)

  2. Anonymous Coward
    Anonymous Coward

    run for the hills ... the world is coming to an end

    When mac users start to pirate software it's the end of the world as we know it ...

  3. Anonymous Coward
    Paris Hilton

    iN00bs

    Seriously, you would have to be mentally retar —sorry, intellectually challenged— to download the bittorrent version of iWork, when you can just download the trial and enter a serial that you can download from just about anywhere... Ah, well, evolution at iWork I suppose.

    Paris, because only she should get to piggyback on pirates.

  4. Robert Moore
    Linux

    The Mac has finally arrived

    The malware writers have targeted it, take that you Linux freaks. :)

  5. Anonymous Coward
    Anonymous Coward

    Mac Security

    At least I can safely use my wonderful Apple Mac with no virus checker without having to worry about this Windows rubbish.

    Wait, what?

  6. DZ-Jay

    So what's new?

    This malware still needs someone to download it, from a site of dubious reputation, then install it manually (and presumably give it the admin password when installing to gain access), so what's the threat?

    That idiots are installing stuff without knowing where it really comes from? So what else is new?

    -dZ.

  7. Anonymous Coward
    Unhappy

    It's a trojan, not a virus

    Good God. You'd think that at least some of the Mac-bashers would grasp the difference between a virus and a trojan.

    Let's make it simple: If I write a program that formats harddrives and socially engineer you to run it, it's not a virus m'kay?

  8. Anthony Hulse
    Happy

    Playing the world's smallest violin...

    Firstly, anyone who installs pirate downloads is asking for trouble, whatever platform they're on. Secondly, just how cheap do you have to be to pirate iWork, especially these days when you have all sorts of free office suites to choose from?

    That's the trouble with all these kids now buying Macs. They bring their dirty dirty habits with them ;-)

  9. Anonymous Coward
    Happy

    @ Buck Futter

    Best thing: You don't even need to bother with illegal serials. From what I read, you can just change a word preference file to something else and there you go. It seriously looks as if Apple actually wants you to pirate iWork. I am confused if with this level of "come get it" it could even still be considered piracy. Maybe they want more users to get hooked in their cloud service.

  10. Thomas

    I guess they'll all have to warez themselves a viru

    In order to obtain this trojan, you need to download the warez iWork, then type in your superuser account name and password. That does make it somewhat hard to feel sympathy for infectees.

  11. Anonymous Coward
    Anonymous Coward

    But Macs don't get viruses

    But Apple said that Macs don't get viruses.

    I quote from one of their Mac and PC commercials "I run Mac OS X so you don't have to worry about the viruses and spyware that PCs do".

    I guess they literally meant viruses. Trojans are another story.

    As a previous poster said, The Mac has finally arrived. Hopefully as this becomes more prevalent people will lose the smugness and buy AV software and maybe even remember that Apple lied to them.

  12. Pierre

    @ DZ-Jay

    Yes, you need to download the troj/visit a trapped page/insert a contaminated medium/ whatever. But where do you think Windoze viruses come from? They spawn from thin air? Sheesh...

    "What's the threat?" Well, I do know many Mac users who work as admin all the time (most of the Mac users I know actually). Apparently it's the default on MBs and MBPs, or something (can't be bothered to check. Maybe they're just plain stupid). So here's your threat. Exact same thing as for Windoze users. A patched Windoze machine with decent settings and no PBCAK is reasonably secure, but it doesn't prevent the clueless mass from feeding the spam botnets.

  13. Anonymous Coward
    Paris Hilton

    RE: But Macs don't get viruses

    I'm just a stoopid little bugling — could you explain to me how buying AV software will keep me from giving my superuser password to a piece of software I do not consider dubious? Will Mac AV software add three levels of "are you sure?" to each and every action, Windows-style?

    A trojan is not a virus. At this time, there is no OS X virus in the wild.

  14. Tony W

    Good commercial idea

    Allowing some software piracy is a good way to increase market share. When Apple feel they've done this enough, they will try to tighten up again, just like MS has done.

  15. Mike Moyle
    Coat

    Re: But Macs don't get viruses

    @ AC -- 22:49 GMT

    "I quote from one of their Mac and PC commercials "I run Mac OS X so you don't have to worry about the viruses and spyware that PCs do"."

    True enough, in the sense that viruses and spyware written specifically to take advantage of Windows -- anything that looks for files on Drive C, as a trivial example -- will fail to run under OS X. Therefore the malware that users of (Windows) PCs have to worry about are not the same ones that Mac OS X users do.

    It's all in how you phrase it, isn't it?

    Why, yes; I HAVE worked in advertising before...

  16. Chris

    RE: RE: But Macs don't get viruses

    Any operating system is liable to viruses, as long as people are actually bothering to write them.

    The second you do give the rights to actually run something, it could be a virus. The argument of just never giving anything permissions to actually run is invalid as soon as you do use any third party software.

    "A trojan is not a virus. At this time, there is no OS X virus in the wild." - see this:

    http://www.sophos.com/pressoffice/news/articles/2006/02/macosxleap.html

    It would seem you are incorrect.

  17. bruceld
    Thumb Down

    I'm lucky...

    I am using a Mac. I am NOT vulnerable to the same attacks that Microsoft software users are prone to. I am a MAC user! I am superior! My penis is bigger than yours! I am cooler than you are!!!

    Oops...what the hull? Oh...this is a Mac virus. Ooopsie...

    that was my bad....i am mactard

  18. Pierre

    Macs don't get viruses

    Not yet. But then again, when was the last time you saw a Windoze virus in real life? As for the few tens of boxes I administer, it's been several years actually. And I did come across thousands of trojan/backdoors/spyware (stoopid lusers). Wake up guys, viruses are not really a threat anymore, at least for the common user. Black hats know better, trojans and backdoor can make you rich, viruses can't. There are no Mac-targeting flying saucers in the wild, so you're safer than Windows users, right?

    To AC Thursday 22nd January 2009 23:31 GMT:

    "how buying AV software will keep me from giving my superuser password to a piece of software I do not consider dubious? Will Mac AV software add three levels of "are you sure?" to each and every action, Windows-style?" please, tell me you're just trolling. One can't possibly be _that_clueless. Especially when trying to be pedantic with a "A trojan is not a virus" right afterwards.

    Disclaimer: I hate Windows because it's a pain in the... neck. But smug and clueless Mactard tend to get on my tits (and in general, the dumbest the smuggest). It's people like you who make the sysadmins' lives a nightmare.

  19. snafu
    Jobs Horns

    "When mac users start to pirate"?

    They always did, since the Apple II days. Floppies, CDs, those Hotline/Carracho sites, p2p... I wonder where this idea of mac user sanctity ever came from.

    Jobs, because he wants us to pirate iWork's serials so that we buy those doc sharing services they are betatesting.

  20. Anonymous Coward
    Pirate

    The power of p2p...

    Ok so you've bought a mac - you're probably not skint.

    iWork'09 - £69

    MS Office Standard/Pro - £321/£419 (from PC World)

    Openoffice - Free!

    It just goes to show that people *like* using p2p, regardless of the economics.

  21. Anonymous Coward
    Anonymous Coward

    @bruceld

    Big penis: check!

    Mac: Check!

    Just to add some confirmation: I have a very small car.

    Maybe I should get a big wobbly penis (iKnob) for my MAC? (a la Idiocracy) so you can see me coming (Oh wait...).

    Forgive me, it's gone from being far too late to far too early. Only the paranoid survive and those of us that are, are in a minority. The rest will do whatever human psychology dictates for the freetard impulse. It ain't ever going to change. We who know this tech stuff have to continue to wage a cold war on the black hats. Are you an elitist and 'I'm all right jack' or help the unfortunates out by not writing cruddy code, skipping QA tests or slacking on the error checking? - don't give me that "My manager..." BS either! It's our fault that the holes are there, not Mr. McNumpty and his interweb porn habit.

  22. Mark
    Stop

    Whatever

    Irrelevant of OS if you're stupid enough to download warez and pop in the old super user credentials, when you could install the trial version from the official source and use a knock-off serial number instead, you're dumb and get what you deserve.

    AV software is gate shutting post horse bolted BS. They're retroactive which is unfortunate if you're an early victim of the latest malware. I've never had a hit ever in over 10 years. I'm guessing it's mainly because I don't download any old crap, don't open attachments that look suspicious or are unexpected/from strange e-mail addresses etc. Sensible use of a computer (not running as admin for example) beats use of cpu-sapping, yearly fee bloatware every time.

    I'm a mac user and I don't use AV software etc, but I come from a windows background so I use my machine with caution and the respect my data deserves. I too predict there will be plenty of red-faced mac-tards in future (just like the run-as-admin windows fools) due to the falsehoods that have been imparted on them. However, I do like not having the machine slow down after I've had to install the 50,000th update/patch a la XP.

    @Pierre: 23:01

    "Well, I do know many Mac users who work as admin all the time (most of the Mac users I know actually). Apparently it's the default on MBs and MBPs, or something (can't be bothered to check. Maybe they're just plain stupid)."

    Default is no rights and an effective sudo to get them (very much like Ubuntu or other *nux distros), but only if you're on the super user list. I'd be interested in seeing these users working as admin all the time on a Mac. It's the default on just two types of machine in the range? Interesting. No, make that BULLSHIT.

  23. Robert A. Rosenberg
    Go

    Defanging the Installer

    The alert says the Trojan is the full install package with another package file (iWorkServices.pkg) added. To fix the installer, all that is needed is to ALT-CLICK the installer, select "Show Package Contents", scroll CONTENTS->PACKAGES, move iWorkServices.pkg to the trash, and close. You should now have a safe defanged installer.

  24. Anonymous Coward
    Paris Hilton

    Bwahahahahahaha

    What will the Mactards do now their Ivory tower has been demolished?

    Paris, the mactards could do worse than check her to see what it's like getting royally screwed

  25. Gulfie

    @Mark

    Like you I have a long Windows history followed by conversion (Hallelujah, praise the Steve ;-) to Mac and am always extremely careful over emails opened, sites visited etc.

    However I would never dream of putting a Windows box on the 'net without full AV, firewall, etc etc because of the size of the problem with Windows. £25 a year is a small price to pay for not having to trash and rebuild a PC hard drive, even if it only happened once. The platform is too widely used and there are lots of people actively exploiting its weaknesses.

    The Mac still has the benefit of security through obscurity although I do use the supplied firewall and configure it with WaterRoof. However as and when the Mac achieves a larger market share I expect to end up with similar protective software for the same reason. Not because I partake in risky behaviour, but because prevention is more cost effective than cure.

  26. dave hands

    forthcoming subscription model

    iWork is going online in some form or other.

    So, Apple make it easy to get iWork and then sometime soon you'll need an online subscription for it to work - by which time, hopefully, many people will have got used to the suite and won't want to lose what they've done with it.

    It's much cheaper than MSOffice. It's much nicer than MSOffice. It's not MSOffice.

    Marketing, marketing, marketing.

  27. snafu

    The NeXTStep greybeards' opinion on OS X

    Some of these are an interesting read: NeXTStep greybeards cursing all the Macintosh crap their beloved OS has acquired in its way to OS X Leotard. Their angle is not quite that well aimed, current user-base needs-wise, but there really are monsters in dark places.

    http://rixstep.com/2/

    See:

    http://rixstep.com/2/2/20081231,00.shtml

    http://rixstep.com/2/4/20090118,00.shtml

  28. Anonymous Coward
    Anonymous Coward

    well.

    " This malware still needs someone to download it, from a site of dubious reputation, then install it manually (and presumably give it the admin password when installing to gain access), so what's the threat?

    That idiots are installing stuff without knowing where it really comes from? So what else is new?

    -dZ.

    "

    exactly the same as what happens for 80-90% of windows malware! the weak point is the user.

  29. Anonymous Coward
    Anonymous Coward

    @ Anon Coward

    "MS Office Standard/Pro - £321/£419 (from PC World)"

    How about the "Home and Student Edition", you know the edition for the HOME and student which is about £90 i think.

    Use the correct versions if you are gonna compare price.

  30. Lionel Baden
    Gates Halo

    funnily enough

    This is probably how 80% of PC malware gets started !

    Anyhow How sad can you be to put a "i" in front of the name of your malware !!

    p.s. i hate any product with a passion if it has a "i" in front of it e.g. iplayer from the bbc

  31. Will Tisdale
    Alert

    Viruses? Trojans?

    Who needs either a virus or a trojan on OS X? All you need is Apple and its untested, shoddy updates to hose the system.

    @Mark - In fact, the default user account when you first install OS X and create one is an Admin user account, which does have rights. Not as many as the root account (which is disabled by default) but it is still classed as an 'Admin' account and I would imagine that the majority of users use that.

    Secondly, this malware is part of an installer, correct? Well, the user executes the installer for a supposedly legitimate program (which contains the trojan) it requests their Admin password (sudo) and hey presto, both iWork and the trojan are installed with the user believing it was a legitimate program which is what Social Engineering is about. ;-)

    If you were to add antivirus into that equation, assuming the trojan has definitions or the AV heuristics pick it out, it will stop said trojan from installing, that's if the on-demand scanner didn't pick it out as soon as the download finished.

    Your argument of 'Not running as admin' does not count here as it will not make any difference.

    That is the value of antivirus software and you MacTards will learn that, the hard way.

  32. N

    They deserve it

    Mac users foolish enough to install pirated software downloaded on warez sites.

    Fools, all of them

  33. Anonymous Coward
    Linux

    Executables from TBP

    What are you insane ! Just leave your front door open and a big banner on your lawn saying " Burglars Welcome"

    Only an idiot runs executables from the TBP

  34. Anonymous Coward
    Anonymous Coward

    RE: RE: But Macs don't get viruses

    You mean Leap-A? That proof of concept kindy thingy from three years ago? That?

    http://en.wikipedia.org/wiki/Leap_virus

    Dude, I'm cowering in fear. You also don't "get" Leap-A, you have to install it yourself. Once you did, it won't be "in the wild", it will be in your LAN. Yawn. It is not that it would turn your machine into a disease spewing danger to everyone on the intertron, corrupting drives left and right.

    @ Mark: Just like that. Pierre might still think I'm stupid, but I do not quite see how AV will keep me from making bad decisions in the first place.

  35. Anonymous Coward
    Paris Hilton

    Ok, What?

    I happen to own both a mac and a few WinDoze boxes, all running different OS versions. I am pleased to say that none of them have EVER got a virus/trojan. All you need to do is keep them patched and be halfway intelligent to not get infected, whatever OS you are using.

    BTW, all you need to do - boot from linux USB drive, copy all important files to an external HDD, then format and reinstall. Should take less than 1h30.

    paris, cos even she's not that dumb.

  36. Thomas

    @Pierre

    The default is to require the superuser password in order to install things like this trojan, which go in the StartupItems. However, by default the permissions are set up so that no password is required to read or write to /Applications, so for someone running a Mac with the default security, a trojan that presented itself as an ordinary drag install application* and, when run, modified something like Safari would have no problems. OS X v10.5 has a warning dialogue that pops up the very first time you run an application that has been drag installed to the effect that you should make sure you trust the source before you run it, but I doubt that purchasing a Mac instead of a Windows machine suddenly makes people more willing to read warning messages.

    My /Applications requires a superuser password for write privileges, but I'm cautious.

    * 99.9% of applications are drag and drop to install, iWork comes as a package, so runs through the built-in installer.

  37. Anonymous Coward
    Anonymous Coward

    @ Robert A. Rosenberg

    Someone needs a beating with the clue stick... you are assuming that the iWorkServices.pkg is the only bit of malware in the download. Don't be such an idiot!

  38. Anonymous Coward
    Paris Hilton

    Ah, yes, Watson..

    "Mrs Podbury's Singular Online Cracking Software", the famous remedy for dropsy, melancholy and warp spams...

  39. Brian Whittle
    Black Helicopters

    Virus ? Trojan? Worm ?

    To be honest the day of the Windows Virus is more or less dead; what we see these days is mostly malware put onto their PCs with other stuff, just like this OS X Trojan. It's inevitable, seeing the popularity of the MacBook in the student population, that this is going to get more prevalent.

    Change the scripts that target stupid PC Users on dodgy sites to target stupid Mac users and it will be rampant

    The MAC is more secure than a PC in the fact that you have to supply your password to install but you still have to account for the idiot behind the wheel

  40. Anonymous Coward
    Paris Hilton

    Get a VIC20

    I'm a great believer in getting what you pay for. In the case of file-sharers and warez users, this is the princely sum of nothing - the fact that this often comes with an added-value malware quotient is really nothing to be surprised about, is it?

    It's human nature to want something for nothing but anyone half-sentient can and should question the provenance of stuff like this. Said logic will then lead you to the obvious conclusion - 'I shouldn't be stealing stuff'. Let's face it, no matter how you dress up your fractured morals or broken, cod-ideological idealistic viewpoint on sharing copyrighted material, you know you shouldn't be doing it.

    Want iWork without a trojan? Then pay for it. It ain't free, and neither are the GB's or dare I say it TB's of data you may have pinched before, if your mindset is like this.

    Still, malware writers need only prey on the latent pikey in all of us. Luring us off the virtual high-street into a dark digital alley with the promise of a knock-off booty.

    If you take from the electronic 'man in the pub', that cheapo video machine is going to jump-up and bite you on your naive bottom.

    Paris, because admin permissions are never needed to write to her directories.

  41. Shakje

    Who cares what exactly it is?

    I'd say Macs were less secure. Just because the user has to auth operations (lol UAC) doesn't make it any more secure than anything else. The fact that the user expects not to be infected because of stupid fanboys mouthing off about how secure the system is, means that they are more naive and trusting when it comes to downloads.

    WINDOWS HAS ITS FAULTS. But instead of trying to constantly tout how much better your overpriced system is, how about you start educating Mac users in the art of intelligent browsing so that if Macs do ever take over, at least we won't have the same number of idiot Mac users as we have idiot PC users. I'd guess that it's probably stable at about 80% in both camps.

    ""I quote from one of their Mac and PC commercials "I run Mac OS X so you don't have to worry about the viruses and spyware that PCs do"."

    True enough, in the sense that viruses and spyware written specifically to take advantage of Windows -- anything that looks for files on Drive C, as a trivial example -- will fail to run under OS X. Therefore the malware that users of (Windows) PCs have to worry about are not the same ones that Mac OS X users do.

    It's all in how you phrase it, isn't it?"

    So if I get a virus on my PC I can sue can I? If that's a direct quote, him running OS X prevents me from getting a virus. Since my PC is a machine and doesn't worry about virii I'm assuming I don't need to anymore. Awesome.

  42. The Fuzzy Wotnot
    Thumb Up

    Warez sites?!

    Do they even exist anymore?! Last one I went to was back in the ole BBS dial-up days, I thought everyone ripped stuff off through torrents now.

  43. Marc

    Removal

    I'm going to /ignore all the retards shouting "I told you so- rotflmfao!!!1eleven"

    Some people are just too stupid to bother arguing with.

    Anyway in a more constructive vein....removing the Trojan from infected systems.

    1) (open Terminal.app)

    2) sudo su (enter password)

    3) rm -r /System/Library/StartupItems/iWorkServices

    4) rm /private/tmp/.iWorkServices

    5) rm /usr/bin/iWorkServices

    6) rm -r /Library/Receipts/iWorkServices.pkg

    7) killall -9 iWorkServices

    As you were...

  44. A J Stiles
    Linux

    Probably a GOOD thing in the long run?

    It says *something* that they had to rely on a Trojan Horse to deliver malware to a Mac.

    If you don't want to pay for software, then that's fine -- you don't have to. But stick to Open Source, and then you know it will not do anything it shouldn't.

  45. Brian Whittle

    re It says *something* that they had to rely on a Trojan Horse to deliver malware to a Mac.

    "It says *something* that they had to rely on a Trojan Horse to deliver malware to a Mac."

    exactly how most of the malware gets onto windows boxes then ?

  46. Pierre

    @AC RE: RE: But Macs don't get viruses

    "Pierre might still think I'm stupid, but I do not quite see how AV will keep me from making bad decisions in the first place."

    It won't. On the other hand, it will prevent the malware from running at all, let alone ask you for your password. So, wait, yes it will prevent you from making bad decisions. And if you insist in your mistaken ways, it will likely mitigate the consequences (most of the time, suppress all consequences).

    And the stupid annoying "are you sure?" boxes have nothing to do with any anti-malware software: it's pure Windoze crap.

    Of course, not being stupid remains the best security strategy. It's free, and it works with every OS.

    As explained by Thomas, it would be quite easy to run any malicious code on a Mac if one wanted to. And "one" seems to feel some interest for that target. As in any good horror movie, the smuggest lusers will die first.

    @ Mark

    "Anyway in a more constructive vein....removing the Trojan from infected systems."

    Infected systems? I think you are confused, maybe you should lie down for a while? There can't be no infected systems. Macs are secure.

  47. Kanhef
    Boffin

    which "anti-virus" vendor?

    Let's at least name and shame the people who are trying to profit from this!

    @Marc:

    Not quite; the root account is disabled by default – even sudoers can't actually become root unless it's been enabled. I haven't tested it, of course, but you might need to use 'rm -rf' instead of just 'rm -r'.

    1) (open Terminal.app)

    2) sudo rm -r /System/Library/StartupItems/iWorkServices

    3) enter password

    4) sudo rm /private/tmp/.iWorkServices

    (no need for password again, sudo privilege is retained for a few minutes)

    5) sudo rm /usr/bin/iWorkServices

    6) sudo rm -r /Library/Receipts/iWorkServices.pkg

    7) sudo killall -9 iWorkServices
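
A read-only check for the files named in the removal steps in comments 43 and 47, and for the extra sub-package described in comment 23, as an added example that is not part of any commenter's post. The function names, the volume-root argument and the `Contents/Packages` spelling of the bundle path are assumptions; the artifact paths come from the comments, and as comment 37 points out they may not be everything the installer drops.

```shell
#!/bin/sh
# Added example (not from the thread): look for the iServices.A artifacts
# listed in the comments above without deleting anything, so the evidence
# is still there for triage before cleanup or a rebuild.

# Paths from comments 43/47, relative to the volume root.
ISERVICES_PATHS="System/Library/StartupItems/iWorkServices
private/tmp/.iWorkServices
usr/bin/iWorkServices
Library/Receipts/iWorkServices.pkg"

# check_volume [ROOT]
# ROOT is a hypothetical parameter: "/" for the live system, or the mount
# point of a disk image or backup. Prints one `ls -ld` line per artifact
# found. Returns 0 if none were found, 1 otherwise.
check_volume() {
  cv_root="${1:-/}"
  cv_root="${cv_root%/}"          # "/" becomes "", "/Volumes/X/" loses the slash
  cv_found=0
  for cv_rel in $ISERVICES_PATHS; do
    if [ -e "$cv_root/$cv_rel" ] || [ -L "$cv_root/$cv_rel" ]; then
      ls -ld "$cv_root/$cv_rel"   # owner, mode and mtime for the timeline
      cv_found=1
    fi
  done
  return "$cv_found"
}

# check_installer BUNDLE
# BUNDLE is the installer bundle a user is about to run. Lists every
# sub-package so unexpected entries are visible, not only the one named
# in comment 23. Returns 0 if iWorkServices.pkg is absent, 1 if present,
# 2 if the bundle has no Contents/Packages directory to inspect.
check_installer() {
  ci_dir="${1%/}/Contents/Packages"
  if [ ! -d "$ci_dir" ]; then
    echo "no Contents/Packages under $1" >&2
    return 2
  fi
  ls -1 "$ci_dir"
  if [ -e "$ci_dir/iWorkServices.pkg" ]; then
    return 1
  fi
  return 0
}

# Command-line use:
#   sh check_iservices.sh volume /Volumes/SuspectDisk
#   sh check_iservices.sh installer /path/to/installer-bundle
case "${1:-}" in
  volume)    check_volume "${2:-/}"; exit $? ;;
  installer) check_installer "${2:-.}"; exit $? ;;
esac
```

A clean result only means these specific paths are absent; a machine that ran the installer with an administrator password is still best treated as compromised.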

  48. John
    Stop

    It Doesn't Stop With the Software Thief Though...

    What the brief article did NOT mention and many of the commenters may not be aware of, is that this vulnerability not only puts the Mac user that downloaded the pirated software at risk, but the trojan itself is designed to set up a botnet to use those computers as slaves to the master's whim. I'm ALL for wagging my finger and saying "shame shame... " to those who download pirated software when there's a perfectly good trial version available for 30 days from the source. And if something bad should happen to their system as a result of their thievery, then so be it. However, this was used as a weapon against an innocent third party. Whoever did this can launch instructions to those 20,000 computers to execute some other dastardly deed against someone (or some people) who have nothing to do with their software or P2P networks, etc...

    How do I know this? I was actually the victim of a DDOS attack from those 20,000+ computers that nearly put an end to my business by crippling our host's servers and pushing our bandwidth over 600Gb within a week's time and sending millions of bot "visits" to our DollarCardMarketing.com site. We have no way of knowing whether the coder had something against us, or we were just a randomly picked "test" site, or if someone hired them to write and distribute it. A more comprehensive article was written and is being followed up on at the Washington Post: http://voices.washingtonpost.com/securityfix/2009/01/pirated_iwork_software_infects.html?hpid=sec-tech

    Be safe!

    Best Regards,

    John
