MacNewsWorld.com

Warning to iWork Pirates: Here There Be Trojans

Mac users looking to scoop up free -- as in, stolen -- copies of Apple's iWork '09 are getting a boatload of infected loot. Some illicit copies of the application carry a trojan horse, which will latch on to the user's Mac and open the door to any number of bad things. Though the only people likely to get infected here are pirates, security companies are offering solutions.


Mac security firm Intego sounded the alarm Thursday on a trojan horse it spotted hiding in pirated copies of Apple's (Nasdaq: AAPL) iWork '09. Since then, several more security solution providers have responded.

On the surface, the trojan -- OSX.Trojan.iServices.A -- might seem relatively benign. After all, only those who stole a copy of iWork '09 can get it. While those numbers may edge into the thousands, pirate Mac lovers tend not to be clients of enterprise Mac security solution providers.

Symantec (Nasdaq: SYMC) Security Response rates OSX.iWork a low-level threat, presumably because its reach is limited to a relatively small number of users looking to nab a pirated copy of iWork. Intego, on the other hand, rates it as serious.

What Gives?

"The risk is extremely low -- you can only get infected if you are downloading illegal software," Rich Mogull, an independent security expert with Securosis.com, told MacNewsWorld.

But what if a user, ahem, does download the illegal software?

"You're screwed," he said.

So What Does It Do?

First of all, Mac installer packages are made up of scripts that install the applications and various files in the correct places on a Mac's hard drive. When installing iWork '09, Intego reports, the iWorkServices package is installed, and the installer for the trojan horse is launched as soon as a user begins the installation of iWork, following the installer's request for an administrator password.

This trojan is installed as a startup item in /System/Library/StartupItems/iWorkServices, where it has read-write-execute permissions for root. The malicious software then connects to a remote server over the Internet and essentially holds open a back door to the Mac.
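The startup-item location described above can be checked directly. The following shell script is an added example, not code from Intego, SecureMac or this article; the function name `audit_startup_items` is hypothetical, and scanning /Library/StartupItems as well goes beyond what the article states.

```shell
#!/bin/sh
# Added example: list the entries of a StartupItems directory with their
# mode and owner, and flag the item name reported in the article.

IOC_NAME="iWorkServices"   # startup item name given on the page

# audit_startup_items DIR   (hypothetical helper name)
# Prints "STATUS<TAB>MODE<TAB>UID<TAB>PATH" for every entry in DIR.
# Returns 1 if an entry named $IOC_NAME is present, 0 otherwise.
audit_startup_items() {
    dir=$1
    found=0
    if [ ! -d "$dir" ]; then
        printf 'SKIP\t-\t-\t%s (no such directory)\n' "$dir"
        return 0
    fi
    for item in "$dir"/*; do
        # An empty directory leaves the glob unexpanded; skip that case.
        [ -e "$item" ] || continue
        # ls -ldn: field 1 is the mode string, field 3 the numeric owner uid.
        meta=$(ls -ldn "$item" | awk '{ print $1 "\t" $3 }')
        name=${item##*/}
        status=OK
        if [ "$name" = "$IOC_NAME" ]; then
            status=MATCH
            found=1
        fi
        printf '%s\t%s\t%s\n' "$status" "$meta" "$item"
    done
    return "$found"
}

# The first path is the one named in the article; the second is an
# assumption added here (the other standard StartupItems location).
for d in /System/Library/StartupItems /Library/StartupItems; do
    audit_startup_items "$d" || echo "Startup item $IOC_NAME present in $d"
done
```

A MATCH line with owner uid 0 and an executable mode corresponds to the root-owned startup item the article describes.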

"The trojan itself is severe just because it is installed with root privileges and has full access from the malicious source to change or modify," Nicholas Raba, president of SecureMac, told MacNewsWorld. "The trojan knows where it's located at, and once installed, it connects to the source and it notifies its location -- its IP address -- and awaits commands."

The trojan could scan the infected Mac for sensitive information, track Internet activity, record logins and passwords, and do just about any nefarious thing the bad guy pulling the strings wants.

But Aren't These Just Pirates?

For those who toe the software line, there might be a tendency to simply dismiss the trojan as something the iWork '09 robbers deserve. Still, in a tough economy -- and with teenagers running rampant over the household WiFi connection -- newbie software robbers might snag something they hadn't bargained for. Intego says that as of last night, 20,000 people had downloaded the pirated iWork '09 installer.

For good or bad, it seems as if security solution providers are keeping their eye focused on the issues of viruses and malware, no matter where or how they appear.

"In regards to pirated software, we don't condone piracy; however, SecureMac does protect against malware, and just because it was included in the iWorks package isn't to say it couldn't be included in any other package, such as freeware or open source or something like that," Raba explained.

From its home page, SecureMac is offering a free download, iWorksServices Trojan Removal Tool, that will remove the trojan from compromised Macs.

"Right now it's specifically called 'iWorksServices,' but if they decide to package it with anything else it will evolve from there," he added.

In an update to its original alert, Intego is now reporting that the iServices.A Trojan horse is actively "downloading new code and acting as a botnet, participating in distributed denial of service attacks on certain Web sites."


By Chris Maxcer
