iWork '09 Torrent Carrying OS X Trojan [Updated]
The Trojan, which Intego has classified as a "serious" risk and named OSX.Trojan.iServices.A, allows a malicious user to connect to an infected machine and perform various functions, as well as download additional software to the machine.
This software is installed as a startup item (in /System/Library/StartupItems/iWorkServices, a location reserved normally for Apple startup items), where it has read-write-execute permissions for root. The malicious software connects to a remote server over the Internet; this means that a malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac.
Intego reports that over 20,000 users had downloaded the package as of 6:00 AM Eastern time this morning, and an update to an entry posted on Intego's Mac Security Blog notes that the Trojan now appears to be actively downloading new code to infected machines and using them to carry out denial-of-service attacks on certain websites.
Update: Despite significant publicity surrounding this incident today, the infected iWork package remains active in the torrent community. In light of this continued activity, we have moved this report from Page 2 to our front page and are providing instructions for deactivating and removing the Trojan from infected systems.
1) (open Terminal.app)
2) sudo su (enter password)
3) rm -r /System/Library/StartupItems/iWorkServices
4) rm /private/tmp/.iWorkServices
5) rm /usr/bin/iWorkServices
6) rm -r /Library/Receipts/iWorkServices.pkg
7) killall -9 iWorkServices
Update 2: MacScan has released a free utility to remove the Trojan from infected systems.
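A read-only check for the files that the removal steps above delete, given here as an added example and not taken from the original article or from Intego or MacScan. The function names and the optional ROOT argument (for scanning a mounted disk image or a test directory) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only check for the iWorkServices artifacts named in the
# article's removal steps. Nothing is deleted. ROOT is a hypothetical argument
# that points the check at a mounted volume or test directory instead of "/".

# Paths taken from the removal steps in the article.
IWS_PATHS='/System/Library/StartupItems/iWorkServices
/private/tmp/.iWorkServices
/usr/bin/iWorkServices
/Library/Receipts/iWorkServices.pkg'

# Print every artifact that exists under ROOT (default /), one per line.
iworkservices_scan() {
    root=${1:-/}
    root=${root%/}    # "/" becomes "", "/Volumes/img/" becomes "/Volumes/img"
    printf '%s\n' "$IWS_PATHS" | while IFS= read -r p; do
        # -e follows symlinks; -L also catches a dangling symlink
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            printf '%s\n' "$root$p"
        fi
    done
}

# True when a process named exactly iWorkServices is running.
# pgrep is not present on every system, so its absence counts as "not seen".
iworkservices_running() {
    command -v pgrep >/dev/null 2>&1 && pgrep -x iWorkServices >/dev/null 2>&1
}

# Print findings; return 0 when nothing matched, 1 otherwise.
iworkservices_report() {
    found=$(iworkservices_scan "$1")
    rc=0
    if [ -n "$found" ]; then
        printf '%s\n' "$found" | sed 's/^/FOUND: /'
        rc=1
    fi
    # The process check only makes sense for the live system, not a mounted image.
    if [ "${1:-/}" = "/" ] && iworkservices_running; then
        echo 'RUNNING: iWorkServices process'
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo 'No iWorkServices artifacts found'; fi
    return "$rc"
}

iworkservices_report "${1:-/}"
```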
Top Rated Comments
A virus exploits the weaknesses of an OS
A trojan exploits the weaknesses of the user of the OS
What virus?
I think he meant trojan. It seems easy to detect without an antivirus program. I just came back from tauw with the easy detection. Just follow this to see if ya got it or not. It's the same thing as I think was posted here. But just in case someone's panicking, here it is again: Look for /System/Library/StartupItems/iWorkServices
To remove it.
1) (open Terminal.app)
2) sudo su (enter password)
3) rm -r /System/Library/StartupItems/iWorkServices
4) rm /private/tmp/.iWorkServices
5) rm /usr/bin/iWorkServices
6) rm -r /Library/Receipts/iWorkServices.pkg
7) killall -9 iWorkServices
Wonder how many machines are now infected with this trojan (as it spreads).
They type in their password. I guess that is what they get for being cheap. Has anyone found a removal tool for it yet? Or is it still spreading?
Users that have downloaded and installed a pirated version of iWork '09 can check for iWorkServices in /System/Library/StartupItems. iWorkServices is the malicious payload that's installed along with iWork.