Pirated iWork Software Infects Macs With Trojan Horse
A company that makes security software for Mac computers is warning that copies of Apple's iWork productivity software that are available for download from peer-to-peer (P2P) file-sharing networks may be infected with a Trojan horse program. The malicious software appears to be designed to enlist infected systems in a bot army that is targeting Web sites with so much junk traffic they can no longer accommodate legitimate visitors.
In an alert issued today, Intego said some pirated versions of the $79 iWork software suite circulating on BitTorrent trackers are infected with what it calls OSX.Trojan.iServices.A. Intego said the Trojan is bundled so that it runs when the user installs the pirated iWork software.
iServices.A then opens up a "backdoor" on the victim's computer, effectively alerting the virus writer that a new system is infected and potentially allowing the attacker to upload new software to or perform other actions on the infected Mac.
An Intego spokesperson said that, judging from the figures on a high-profile torrent tracker site, the installer program for the infected software suite had been downloaded at least 20,000 times as of 6 a.m. ET today.
A Mac software developer from Melbourne, Australia, by the name of Pete Yandell said his machine was infected after he installed this program. In a posting on his "Not a Hat" blog, Yandell said the Trojan installed a simple script that forced his computer to start flooding a Web site with junk traffic, ostensibly using his machine as part of an army of infected systems launching a "distributed denial of service" (DDoS) attack aimed at knocking the targeted site offline.
"My copy of the iWork 09 trial installer contained a trojan," Yandell wrote. "This copy was passed to me through multiple hands. If I'd done the smart thing, and got my copy straight from Apple, I wouldn't have had this problem."
Yandell could not be immediately reached for comment.
Nearly two years ago, I wrote a blog post called "When Macs Attack," which profiled a collection of hacked Mac systems that was being used to launch DDoS attacks. That malware also was directed by malicious scripts. Interestingly, plenty of readers called "baloney" on that post, ridiculing the notion that someone would create a bot army that was specific to Mac systems.
"What can Mac users do to protect themselves from such nasties?" is a question I'm getting a lot more often from readers. Sure, Mac users can purchase and install software like Intego's, or other anti-virus software for the Mac. It may or may not stop attacks like this.
As we have seen before, Apple itself has been a tad inconsistent in its advice to Mac users on this front, first running ads saying Mac users don't have to worry about malware, then saying anti-virus is a good and necessary thing for Mac users, then pulling those recommendations.
If my employer hadn't already paid for a Symantec anti-virus software license on my Mac, I can tell you I certainly would not have paid for it on my own.
Leaving aside (hopefully) the question of whether Mac users need anti-virus, I've tried to impress upon readers the importance of avoiding risky behaviors online that could jeopardize the security of their systems. The reality is that installing programs downloaded from P2P networks is about the most insecure practice a computer user can engage in, regardless of the operating system in use.
This is why I think it's important to call out this Trojan. Yes, it infects Macs, and that's something we don't see very often. But it's also a teachable moment to remind readers that no security software is going to protect the user who is intent on installing software that may be tainted with malware, as long as that user is willing to ignore any advice (or alerts) to the contrary.
Update, 11:16 p.m. ET: Yandell wrote in to say the site his Mac was programmed to attack was dollarcardmarketing.com. Yandell said he expects the attackers in control of the Mac botnet have moved on to other targets.
While the attackers may indeed be targeting other sites, dollarcardmarketing.com remains under a fairly consistent DDoS attack as of this writing, said John Valente, dollarcardmarketing.com's co-owner.
"Our site was attacked with the DDOS about a month ago and it stumped me and my host as my traffic and bandwidth were skyrocketed to over 600Gb of transfer," Valente wrote in an e-mail to Security Fix. "My host was nice enough to try and manage it, [even though it] temporarily crippled us a couple times. But ultimately, he had to ask us to either shut it down or find another host because he couldn't handle the resources it was consuming."
Valente said he doesn't know who's attacking his site or why, but he found another host, a company that initially tried to tell him the ongoing DDoS attack violated its terms of service.
"After some reluctance, [the new hosting company] turned my site back on and found someone within their staff with DDOS experience to fight it," Valente said. "They've been fighting it ever since and, as you've noticed, are winning. However, we are still under such attack and it was quite malicious and effective."
January 22, 2009; 3:40 PM ET
Categories: From the Bunker, Latest Warnings, Piracy, Safety Tips, Web Fraud 2.0