Last time, Intego, an antivirus vendor, posted a security alert about a Trojan found in torrented copies of iWork. The Trojan, which Intego has classified as a “serious” risk and named OSX.Trojan.iServices.A, allows a malicious user to connect to an infected machine and perform various functions, as well as download additional software to the machine.

In their latest update, Intego also says it has discovered a new variant of the same Trojan horse called “OSX.Trojan.iServices.B”, which can be found in pirated versions of Adobe Photoshop CS4.

This installer compromises the system not by installing an additional package, but through a crack application that serializes the program for use without a purchased retail key.  This app extracts an executable from its data and installs a backdoor in /var/tmp/.  If the user runs the crack app again, a new executable with a different random name is created, making it difficult to safely remove the malware.

Once the administrator password is entered, a backdoor with root privileges is launched, copying the executable to /usr/bin/DivX and placing a startup item in /System/Library/StartupItems/DivX. It then makes repeated connections to two IP addresses, according to Intego.

A malicious user can then connect to the affected Macs and perform various actions and downloads remotely.  Intego predicts this Trojan horse may also be used to execute similar DDoS attacks.

If you downloaded iWork or Photoshop and you feel that your machines are infected, Intego suggests you run their VirusBarrier program, or if you are feeling lucky, you can wait and hope SecureMac saves you by releasing a free Trojan removal tool. Prevention is always the best tactic: to avoid this kind of thing altogether, do not give pirated software root access whenever it asks for it. [AppleInsider]
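A read-only check for the file locations Intego reports for the .B variant, added here as an example and not taken from Intego, SecureMac or the original post. The function name, the optional root-prefix argument (for scanning a mounted volume) and the exit-code scheme are assumptions of this example.

```shell
#!/bin/sh
# Added example: look for the iServices.B artifacts named in the article.
# Nothing is deleted or modified; the function only reports.

# Persistence locations reported by Intego (from the article).
ISERVICES_PATHS="/usr/bin/DivX /System/Library/StartupItems/DivX"

# check_iservices_b [ROOT]
#   ROOT is an optional prefix (assumption of this example), e.g. /Volumes/Suspect.
#   Returns 0 = nothing found, 1 = DivX artifact present,
#           2 = only executables in /var/tmp that need manual review.
check_iservices_b() {
    root="${1:-}"
    status=0
    # The backdoor drops a new, randomly named executable in /var/tmp each
    # time the crack app runs, so it cannot be matched by name. List every
    # executable regular file there (dotfiles included) for review; other
    # software may legitimately leave executables here too.
    if [ -d "$root/var/tmp" ]; then
        for f in "$root"/var/tmp/* "$root"/var/tmp/.[!.]*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            echo "REVIEW executable in /var/tmp: $f"
            status=2
        done
    fi
    # Fixed-name copies created once the administrator password is entered.
    for p in $ISERVICES_PATHS; do
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            echo "FOUND persistence artifact: $root$p"
            status=1
        fi
    done
    return $status
}

# Run as: sh check.sh --scan [ROOT]
if [ "${1:-}" = "--scan" ]; then
    check_iservices_b "${2:-}"
fi
```

A clean result only means these specific paths are absent; the article notes the backdoor can download additional software, which this check does not cover.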
