
First Serious Mac Trojan

January 23rd, 2009

It’s still a trojan, and not a virus or worm, but this one seems to be the first serious malware for the Mac found out there in the wild. It’s been dubbed “OSX.Trojan.iServices.A” and is embedded in some pirated versions of iWork 09 downloaded from warez and BitTorrent sites. There are reports of people having downloaded and installed the trojan, and as many as 20,000 may have downloaded the file. Once installed, the trojan sends out a signal to its creators telling them that the machine has the trojan; the hackers can then “perform various actions” and install additional malicious software. There are already reports that such software is being used to launch denial-of-service attacks on some web sites.

It is simple to find out if you have been infected. First, did you download a complete iWork installer package from BitTorrent or from a warez site? If so, did you install it? If so, then you should go to your main hard drive directory, open “System,” open “Library,” and then check inside the folder called “StartupItems.” If there is a file in there called “iWorkServices,” then you’re infected. If not, then relax.

To remove the trojan, this procedure is recommended:

1) (open Terminal.app)
2) sudo su (enter password)
3) rm -r /System/Library/StartupItems/iWorkServices
4) rm /private/tmp/.iWorkServices
5) rm /usr/bin/iWorkServices
6) rm -r /Library/Receipts/iWorkServices.pkg
7) killall -9 iWorkServices
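
A read-only way to check for everything the steps above delete, as an added example that is not part of the original post or Intego's advisory. The function names and the optional ROOT prefix (for checking a mounted backup instead of the running system) are assumptions made for this example.

```shell
#!/bin/sh
# Read-only check for the iWorkServices files named in the removal steps.
# It deletes nothing; it only reports what is present.

# Paths copied from the removal procedure on this page.
IWS_PATHS='/System/Library/StartupItems/iWorkServices
/private/tmp/.iWorkServices
/usr/bin/iWorkServices
/Library/Receipts/iWorkServices.pkg'

# iws_find_files [ROOT]: print each listed path that exists under ROOT.
# ROOT is an assumption added for this example: leave it empty to check the
# running system, or pass the mount point of a backup or disk image.
iws_find_files() {
    root=${1:-}
    printf '%s\n' "$IWS_PATHS" | while IFS= read -r p; do
        # -L also catches a dangling symlink left at one of the paths.
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            printf '%s\n' "$root$p"
        fi
    done
}

# iws_process_running: succeed if a process named iWorkServices is running
# (the process the page's "killall -9 iWorkServices" step targets).
iws_process_running() {
    ps -A -o comm= 2>/dev/null | grep -q 'iWorkServices$'
}

# iws_report [ROOT]: print findings; return 0 if nothing found, 1 otherwise.
iws_report() {
    rc=0
    hits=$(iws_find_files "${1:-}")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/FOUND file: /'
        rc=1
    fi
    # The process check only makes sense for the live system (empty ROOT).
    if [ -z "${1:-}" ] && iws_process_running; then
        echo "FOUND process: iWorkServices"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "No iWorkServices artifacts found"
    return "$rc"
}
```

Call `iws_report` with no argument to check the running system. A clean result covers only these paths and says nothing about additional software installed afterwards.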

However, if the hackers installed other software on your computer, it may be hard to find it. The most recommended course is to back up all data (though not applications or system files), then do a clean wipe-and-reinstall of the OS, re-install your software, and then copy back all your backed-up data files.

Frankly, when I saw the iWork 09 torrent files pop up immediately after the software was released, I was somewhat puzzled. Even if you’re not willing to spring for the $80 package ($71 if you’re in education; I’ve bought every new version that came out), then why were people downloading the torrent anyway? All it is is the exact same installer Apple provides as a test-drive download, but with serials attached. All that’s needed, really, are the serials which people list in the torrent’s comments, and the download from Apple is much, much faster.

This news does all come from Intego, an anti-virus software vendor, so the usual caveats of self-promotion apply. But this one has the ring of truth to it, plus there have been reports from actual users of having been infected.

Anyway, this is still significant in that up to 20,000 people could have been infected (it will be interesting to see how many really were hit by it), making this the first widespread piece of malware for the Mac which can actually have harmful effects on your computer. That said, it is a trojan, so it will not spread like a virus or worm. But it’s also still a major threat, even if to a limited community of Mac users, and likely few if any people from this time forward. But it could also pop up elsewhere–it doesn’t have to be iWork 09, it could probably be applied to any pirated software with an installer that accesses the System.

