informa
/
Strategic CIO
News

Mac OS X Trojan Found In Pirated iWork 09

Intego identified the Trojan file name as "iWorkServices" and said it gets installed when the user installs an infected copy of the iWork 09 suite.
Mac security software company Intego on Wednesday said it had identified previously unknown Trojan software that affects computers running Mac OS X.

The Trojan was found with some unauthorized copies of Apple's new iWork 09 productivity suite on sites that traffic in illegally copied software.

Intego identified the Trojan file name as "iWorkServices" and said it gets installed when the user installs an infected copy of the iWork 09 suite.

"The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer’s request of an administrator password (in older versions of Mac OS X, 10.5.1 or earlier, there will be no password request)," the company said. "This software is installed as a startup item (in /System/Library/StartupItems/iWorkServices, a location reserved normally for Apple startup items), where it has read-write-execute permissions for root."

Once installed, the malware connects to a remote server over the Internet, potentially allowing the malware author to steal information, control the compromised computer remotely, or trigger the downloading of additional malicious components. Intego claims that at least 20,000 people have downloaded infected versions of iWork 09. It urges Mac owners not to download iWork from disreputable sites.

By the standards of Windows malware, that figure represents a rounding error. The Downadup worm that has been circulating is believed to have infected about 9 million PCs.

Intego is issuing this alert to warn Mac users not to download iWork 09 installers from sites offering pirated software. (As of 6 am EST, at least 20,000 people have downloaded this installer.) The risk of infection is serious, and users may face extremely serious consequences if their Macs are accessible to malicious users.

Apple on Monday said that customers who bought boxed retail copies of iWork don't need a serial number to run the software with full functionality. Customers who download the trial version from Apple and decide to purchase the software are still required to supply a serial number, however. It remains to be seen whether not requiring a serial number will increase or decrease the illegal copying of iWork.

Earlier this week, Apple patched seven critical flaws in its QuickTime software.