Filed under: Software, iWork, Security
BitTorrent copies of iWork '09 may contain nasty Trojan
Intego has released a security alert for a Trojan horse circulating in copies of iWork '09 downloaded from BitTorrent trackers and direct download (read: not official, but warez-esque) sites. The Trojan, known as OSX.Trojan.iServices.A is actually pretty clever: it exists as a package within the actual iWork '09 installer (meaning you can't see it unless you view every package in the installer bundle). Then when the installation begins and asks for your administrator password (which is what a non-infected version of iWork '09 would do), the Trojan package will install itself as a startup item in the /System/Library/StartupItems folder, where it has root permissions.Once this service is on your system (and it is called something that sounds innocuous: iWorkSerices), it will connect to a remote server online, making your computer a target for other malicious downloads and remote operations.
It is important to note that the iWork '09 files on these downloads are not affected in any way, they are merely a catalyst to get this Trojan on your system.
Intego has updated their virus definitions for its VirusBarrier programs. We recommend not downloading software from untrustworthy or unofficial sources. And you know, paying for a legitimate iWork license.
![TUAW [Cafepress]](http://www.blogsmithmedia.com/www.tuaw.com/media/tuaw-cafepress-promo.png)
Reader Comments (Page 1 of 4)
Mike said 10:23AM on 1-22-2009
Sabotage by Apple?
Reply
BeyondtheTech said 11:47AM on 1-22-2009
Sabotage by Intego?
jjclark said 9:04PM on 1-22-2009
I thought crapple's Mac OS X was immune to viruses and trojans?
Ooops...Now that Apple has made billions of dollars out of you dumb illiterate mac users, now you realize you've been lied to and tricked again by Steve Jobs and his gang of iTards because you didn't bother doing any research. :)
jmv290 said 11:55PM on 1-22-2009
jjclark, are you retarded?
How is being stupid enough to enter your admin password and manually installing a trojan "being tricked by Steve Jobs"? Regardless of the OS–Windows, OS X, Linux, Solaris, anything–if the end user is enough of a moron to install a trojan with administrative permissions then it is not the fault of Apple(nor Microsoft if the user specifically cleared the file to run on Vista with the security warnings.), the fault lies solely with the idiot installing it.
I'd take the security of OS X and Linux where the only infections I've heard of involve giving some suspicious download(pirated software, a "codec" from a porn site, etc) over a situation where simply browsing to the wrong site can end up infecting you.
eric f. said 10:56AM on 1-23-2009
"jjclark", you are a very dedicated troll to read a site dedicated to something you despise so much.
KomputarGuy said 10:27AM on 1-22-2009
Serves them right for trying to pirate software instead of buying it.
Reply
Boyo said 7:23PM on 1-22-2009
....or for not downloading it from apple directly.
ANYWAY, if you think you have it.
Look for /System/Library/StartupItems/iWorkServices
To remove it.
1) (open Terminal.app)
2) sudo su (enter password)
3) rm -r /System/Library/StartupItems/iWorkServices
4) rm /private/tmp/.iWorkServices
5) rm /usr/bin/iWorkServices
6) rm -r /Library/Receipts/iWorkServices.pkg
7) killall -9 iWorkServices
8) Stop downloading Pirated software
(removal instructions originally found on Engadget and Mac Rumors)
Mike said 10:33AM on 1-22-2009
What is even more humorous is that these infected iWork CDs require a serial. Why not just download the official trial from Apple then enter the stolen serial.
Seems dumb, eh?
Reply
Tyrannous said 12:23PM on 1-22-2009
SHHHHHHHHHHHHH!!
Jash Sayani said 1:14PM on 1-22-2009
@Tyrannous
Everyone does that... Even the dumbet people are aware of the trick... I guess its time to give up on piracy....
Luigi193 said 3:36PM on 1-22-2009
My thoughts exactly.
Odineye said 8:55PM on 1-22-2009
Maybe it was a typo on your part, but this isn't referencing installs from CD, but rather from download.
Vince said 11:43PM on 1-22-2009
@Tash:
You need to work on your sarcasm detector.
Vince said 11:44PM on 1-22-2009
That was meant to say Jash.
Mike said 1:41AM on 1-23-2009
@Odineye
I am assuming the bittorrent downloads are either .ISO or .DMG files. In eithercase, they are an image. But I should have been more clear.
Quagmire said 10:37AM on 1-22-2009
"serves them right"
uh, yes and no. Mac fanboys have spent the past few years being really obnoxious about how Macs don't have viruses and trojans—now it does. That this exists in the wild means that others are coming. Just because this came from an illegitimate source doesn't mean it can't spread or that 'free trials' of useful software in the future might not be a source of malware.
the time of trust is over.
Reply
nayre said 10:48AM on 1-22-2009
Yes and no, yes there is a trojan, but it isn't a very hi tech one like for starters you can just go into the installer and delete it and two it's just a start up item and you can go and remove it plus if you look at your activity that one would stand out to me because it is missed spelt.
But the threat is becoming stronger but don't think it will too that bad I will need some kind of protection for at least a few years or longer depending on what apple do.
Apple really like having the rep of not having to install protection software so they will prob make defenses against this.
P.S why are you on you a mac blog site if you are going to be all like mac fanboy and like we know nothing.
Paul said 11:04AM on 1-22-2009
We've had these kinds of things before, always embedded in illegal copies of software. Last time was in Office, iirc.
And every time someone shows a vulnerability in OS X, some chucklehead starts crying doom and gloom for the Mac OS.
The simple fact is that a trojan isn't the same as a virus, and we still don't have any significant viruses in the wild. Now, stupid people downloading illegal software that contains malicious code, that we got. Never said we didn't ;-)
Simon Arch said 4:27PM on 1-22-2009
"Macs don't have viruses and trojans—now it does"
Oh? Has anyone (apart from Intego) actually SEEN this trojan? So far all we have is their word for it, and frankly I don't trust Intego. They've got a vested interest in scaring you into buying their software. And even if this DOES actually exist, what of it? Only idiots who pirate software are going to get bitten by this.
And I'd like you to name ONE virus for MacOS X. Just one. Don't worry, I'll wait while you go and dredge one up from Intego's list of "threats" to MacOS X security.
Brad Green said 10:22AM on 1-23-2009
What the Mac fanboys dont realize is that giving admin permissions to the installer is the way that many, many Windows virii and trojans are installed. Its always easier to trust in the stupidity of the user than the inadequacy of the operating system.