
Pirated iWork Software Infects Macs With Trojan Horse

A company that makes security software for Mac computers is warning that copies of Apple's iWork productivity software that are available for download from peer-to-peer (P2P) file-sharing networks may be infected with a Trojan horse program. The malicious software appears to be designed to enlist infected systems in a bot army that is targeting Web sites with so much junk traffic they can no longer accommodate legitimate visitors.

In an alert issued today, Intego said some pirated versions of the $79 iWork software suite circulating on BitTorrent trackers are infected with what it calls OSX.Trojan.iServices.A. Intego said the Trojan is bundled so that it runs when the user installs the pirated iWork software.

iServices.A then opens up a "backdoor" on the victim's computer, effectively alerting the virus writer that a new system is infected and potentially allowing the attacker to upload new software to or perform other actions on the infected Mac.

An Intego spokesperson said that, judging by figures from a high-profile torrent tracker site, the installer program for the infected software suite had been downloaded at least 20,000 times as of 6 a.m. ET today.

A Mac software developer from Melbourne, Australia, by the name of Pete Yandell said his machine was infected after he installed this program. In a posting on his "Not a Hat" blog, Yandell said the Trojan installed a simple script that forced his computer to start flooding a Web site with junk traffic, ostensibly using his machine as part of an army of infected systems launching a "distributed denial of service" (DDoS) attack aimed at knocking the targeted site offline.

"My copy of the iWork 09 trial installer contained a trojan," Yandell wrote. "This copy was passed to me through multiple hands. If I'd done the smart thing, and got my copy straight from Apple, I wouldn't have had this problem."

Yandell could not be immediately reached for comment.

Nearly two years ago, I wrote a blog post called "When Macs Attack," which profiled a collection of hacked Mac systems that was being used to launch DDoS attacks. That malware also was directed by malicious scripts. Interestingly, plenty of readers called "baloney" on that post, ridiculing the notion that someone would create a bot army that was specific to Mac systems.

"What can Mac users do to protect themselves from such nasties," is the question I'm getting a lot more from readers. Sure, Mac users can purchase and install software like Intego's, or other anti-virus software for the Mac. It may or may not stop attacks like this.

As we have seen before, Apple itself has been a tad inconsistent in its advice to Mac users on this front, first running ads saying Mac users don't have to worry about malware, then saying anti-virus is a good and necessary thing for Mac users, then pulling those recommendations.

If my employer hadn't already paid for a Symantec anti-virus software license on my Mac, I can tell you I certainly would not have paid for it on my own.

Leaving aside (hopefully) the question of whether Mac users need anti-virus, I've tried to impress upon readers the importance of avoiding risky behaviors online that could jeopardize the security of their systems. The reality is that installing programs downloaded from P2P networks is about the most insecure practice a computer user can engage in, regardless of the operating system in use.

This is why I think it's important to call out this Trojan. Yes, it infects Macs, and that's something we don't see very often. But it's also a teachable moment to remind readers that no security software is going to protect the user who is intent on installing software that may be tainted with malware, as long as that user is willing to ignore any advice (or alerts) to the contrary.

Update, 11:16 p.m. ET: Yandell wrote in to say the site his Mac was programmed to attack was Yandell said he expects the attackers in control of the Mac botnet have moved on to other targets.

While the attackers may indeed be targeting other sites, remains under a fairly consistent DDoS attack as of this writing, said John Valente,'s co-owner.

"Our site was attacked with the DDOS about a month ago and it stumped me and my host as my traffic and bandwidth were skyrocketed to over 600Gb of transfer," Valente wrote in an e-mail to Security Fix. "My host was nice enough to try and manage it, [even though it] temporarily crippled us a couple times. But ultimately, he had to ask us to either shut it down or find another host because he couldn't handle the resources it was consuming."

Valente said he doesn't know who's attacking his site or why, but he found another host, a company that initially tried to tell him the ongoing DDoS attack violated its terms of service.

"After some reluctance, [the new hosting company] turned my site back on and found someone within their staff with DDOS experience to fight it," Valente said. "They've been fighting it ever since and, as you've noticed, are winning. However, we are still under such attack and it was quite malicious and effective."

By Brian Krebs  |  January 22, 2009; 3:40 PM ET
Categories:  From the Bunker , Latest Warnings , Piracy , Safety Tips , Web Fraud 2.0  


It is very important to recognize the difference between malicious software (malware) and a virus. This post confuses the two and the issue of security. Anti-virus services or programs will not identify malware nor will it remove malware. Removal of malware from Macs is far more complicated than running the malware identifiers/removers for PCs. Perhaps someone else knows if there is a malware ID/Removal applet for the Mac.

Posted by: medfordal | January 22, 2009 5:10 PM | Report abuse

I wasn't available for comment because I'm in Australia and you tried to contact me at 3:00 AM my time.

I've posted a follow-up to this on my blog:

- Pete Yandell

Posted by: notahat | January 22, 2009 5:30 PM | Report abuse

Pete- Thanks for stopping by and leaving a comment. Sorry about the early a.m. email. Hope it didn't wake you somehow. :)

Posted by: BTKrebs | January 22, 2009 5:53 PM | Report abuse

There will be some who'll say "Oh well, only a fool would get infected by this Trojan because they were downloading a pirated version via P2P"

And they'd have a point. You'd be pretty daft to download any commercial copyrighted software from BitTorrent, especially when Apple makes a 30-day trial version available for free download. It's not just breaking the law, it's putting your computer at risk.

But they're missing the bigger point. And that's that hackers are increasingly looking with greedy eyes at the Apple user community. A community which is in the main acting much more recklessly when it comes to defending itself against malware than their Windows cousins.

Yes, the amount of malware for Mac is tiny compared to Windows. But it's growing, and it's being written for the purposes of creating botnets and making money.

Mac users would be foolhardy not to take threats like this seriously.

Graham Cluley, Sophos

Posted by: Graham-Cluley | January 22, 2009 6:05 PM | Report abuse

To: medfordal

Viruses are just one kind of malware (malicious software). Other kinds of malware include Trojans and worms (the latter of which I would argue are just a type of virus).

To be honest, the definitions don't really matter to the average man in the street, and only the real geeks in our labs tend to get excited about debating them.

The important thing to realise is that anti-virus software these days can detect and remove viruses, Trojans, worms, spyware and other kinds of malware.

There are a number of vendors out there who produce anti-virus software (the generic term) for Apple Macs. Modesty forbids me from mentioning my own firm's product, or posting a link :), but I'm sure you can find it and others only a short Google away.

Graham Cluley, Sophos

Posted by: Graham-Cluley | January 22, 2009 6:10 PM | Report abuse


That's not such a nice review of your product that comes up when you Google Sophos. seems to give an identical number of 'user rating' stars to both Superantispyware and Lavasoft Adaware [both free editions] also with paid additions.

Both also have MAC editions [but I don't know if they are free] but even if they aren't it sure beats trying to fix your machine AFTERWARDS.

I used to swear by Lavasoft Adaware, until one day while looking on their free log in technical support site, someone asked if 'anyone' knew how Adaware compared to Superantispyware. I had never heard of Superantispyware before that, but was tired of Adaware 'hanging up' in the middle of scans after you ran a couple of them, though I liked a couple of other features in the Plus & Pro Editions.

Superantispyware is pretty simple to use, has decent features and never hangs up on me. It also seems faster and finds 'unspecified' trojans that somehow seem to get by my BitDefender Total Internet Security package, which is a very nice package. I can't recall if I had installed Superantispyware when I was running Kaspersky or not, but then again, I'm not the Chief Justice of the Supreme Court either. LOL

Posted by: | January 23, 2009 1:48 AM | Report abuse

To Brucerealtor:

Seeing as's page appears to link to the wrong url (a page which doesn't exist on our website) it may not be a surprise if the reviews aren't great! For what it's worth, we recommend that people download software directly from our site rather than third parties.

Sophos is a product for business users, not consumers. Whichever product you use, check out the tests by the independent testing labs which specialise in malware research.

Best wishes
Graham Cluley, Sophos

Posted by: Graham-Cluley | January 23, 2009 6:10 AM | Report abuse

Smug Mac users - 0, Everybody else - 1.

Posted by: futbolclif | January 23, 2009 9:33 AM | Report abuse

Little Snitch is an essential tool for the Mac, in my opinion. It blocks outgoing network connections (such as the DDOS mentioned here) and notifies the user that it's going on. I don't work for little snitch, but I am a huge fan as it can catch unauthorized network access like this, and deny it.

Posted by: alexandriaobserver | January 23, 2009 10:38 AM | Report abuse

This can't be true. Macs can't be infected with a virus. They're too cool.

Posted by: spidey103 | January 23, 2009 10:53 AM | Report abuse

I'm a happy Sophos user, in a Mac environment. I agree with the previous poster about how essential is the use of Little Snitch to block outgoing communications should anything sneak onto my system.

Thanks for the heads-up!

Posted by: AndrewfromNH | January 23, 2009 1:18 PM | Report abuse

It's not like tracking down the bots masters should be a big frakking mystery given that it's unix under the hood.

This isn't a virus either, it's a distributed backdoor, apparently not even one that's rootkitted, meaning it's trash written by fools.

Posted by: timscanlon | January 23, 2009 5:26 PM | Report abuse

Regardless of what anti-virus vendors tell you, their products are only useful after the fact. Just like any other virus, a computer virus must exist and be analyzed before an "inoculation" can be created. Therefore, someone WILL get infected. It may be you. The only safety is in informed, safe computer use.

I am not sure what the outbound port blockers are (like Little Snitch) but I'll bet I could disable it if I had penetrated the box.

Posted by: carlkreider | January 23, 2009 6:13 PM | Report abuse

ANYONE installing and running software from a P2P source is an IDIOT! Go to the vendor if you want a trial.

Little Snitch is a system utility that blocks software from connecting to the Internet. The only one that seems to get around it is that bloody Adobe Reader update!!! People got so upset that Adobe FINALLY allows you to turn it off.

Posted by: kkrimmer | January 23, 2009 8:22 PM | Report abuse

an inside Jobs?

Posted by: egalitaire | January 23, 2009 11:34 PM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company