iWork '09 Torrent Carrying OS X Trojan [Updated]

by

A security alert posted this morning by antivirus vendor Intego reveals that the company has discovered a new Trojan horse that is being carried by pirated copies of iWork '09 circulating on a number of torrent sites.

The Trojan, which Intego has classified as a "serious" risk and named OSX.Trojan.iServices.A, allows a malicious user to connect to an infected machine and perform various functions, as well as download additional software to the machine.

This software is installed as a startup item (in /System/Library/StartupItems/iWorkServices, a location reserved normally for Apple startup items), where it has read-write-execute permissions for root. The malicious software connects to a remote server over the Internet; this means that a malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac.

Intego reports that over 20,000 users had downloaded the package as of 6:00 AM Eastern time this morning, and an update to an entry posted on Intego's Mac Security Blog notes that the Trojan now appears to be actively downloading new code to infected machines and using them to carry out denial-of-service attacks on certain websites.

Update: Despite significant publicity surrounding this incident today, the infected iWork package remains active in the torrent community. In light of this continued activity, we have moved this report from Page 2 to our front page and are providing instructions for deactivating and removing the Trojan from infected systems.

1) (open Terminal.app)
2) sudo su (enter password)
3) rm -r /System/Library/StartupItems/iWorkServices
4) rm /private/tmp/.iWorkServices
5) rm /usr/bin/iWorkServices
6) rm -r /Library/Receipts/iWorkServices.pkg
7) killall -9 iWorkServices

OSX.Trojan.iServices.A appears to be the first significant OS X Trojan to advance beyond the proof-of-concept or pranking stage to engage in truly malicious behavior.

Update 2: MacScan has released a free utility to remove the Trojan from infected systems.

Top Rated Comments

ksgant Avatar
ksgant
162 months ago
As I'm sure others have said, let me echo it here:

A virus exploits the weaknesses of an OS
A trojan exploits the weaknesses of the user of the OS
Score: 1 Votes (Like | Disagree)
megas88 Avatar
megas88
162 months ago
What virus?
I think he meant trojin. It seems easy to detect without a anti virus program. I just came back from tauw with the easy detection. Just follow this to see if ya got it or not. It's the same thing as I think was posted here. But just in case someones panicking here it is again.:

Look for /System/Library/StartupItems/iWorkServices

To remove it.
1) (open Terminal.app)
2) sudo su (enter password)
3) rm -r /System/Library/StartupItems/iWorkServices
4) rm /private/tmp/.iWorkServices
5) rm /usr/bin/iWorkServices
6) rm -r /Library/Receipts/iWorkServices.pkg
7) killall -9 iWorkServices
Score: 1 Votes (Like | Disagree)
dejo Avatar
dejo
162 months ago
Wasn't going to, but the announcement of a real virus ...
What virus?
Score: 1 Votes (Like | Disagree)
Read All Comments

Top Stories

16 inch macbook pro m2 render

When Can We Expect the Redesigned MacBook Pros Now?

Wednesday June 16, 2021 7:11 am PDT by
With no sign of redesigned MacBook Pro models at this year's WWDC, when can customers expect the much-anticipated new models to launch? A number of reports, including investor notes from Morgan Stanley and Wedbush analysts, claimed that new MacBook Pro models would be coming during this year's WWDC. This did not happen, much to the disappointment of MacBook Pro fans, who have been...
Read Full Article231 comments
YouTube Picture in Picture Feature

YouTube Says iOS Picture-in-Picture Coming to All US Users

Friday June 18, 2021 9:41 am PDT by
After a long wait, YouTube for iOS is officially gaining picture-in-picture support, allowing all users, non-premium and premium subscribers, to close the YouTube app and continue watching their video in a small pop-up window. In a statement to MacRumors, YouTube says that picture-in-picture is currently rolling out to all premium subscribers on iOS and that a larger rollout to all US iOS...
Read Full Article169 comments
2021 back t0 school

Apple Launches 2021 Back to School Promotion: Free AirPods With Eligible Mac or iPad Purchase

Thursday June 17, 2021 4:56 am PDT by
Apple today launched its seasonal back-to-school sale for the upcoming school year in the United States and Canada, offering students free AirPods alongside purchases of select Macs and iPad models. Similar to last year's promotion, this year's offer includes free AirPods alongside the purchase of a MacBook Air, MacBook Pro, the new 24-inch iMac, the Mac Pro, Mac mini, and the new M1-powered ...
Read Full Article92 comments
applecare lower prices

Apple Lowers Prices of AppleCare+ Plans for M1 MacBook Air and MacBook Pro

Thursday June 17, 2021 7:33 am PDT by
Apple today lowered the prices of AppleCare+ plans for MacBook Air and 13-inch MacBook Pro models equipped with the M1 chip. Coverage offered by the plans, as well as accidental damage fees, appear to remain unchanged. In the United States, AppleCare+ for the MacBook Air now costs $199, down from $249. The new price applies to both M1 and Intel-based MacBook Air models, although Apple no...
Read Full Article148 comments
maxresdefault

Video: 20 Annoyances Apple Fixed in iOS 15 and macOS Monterey

Friday June 18, 2021 11:36 am PDT by
With iOS 15 and macOS Monterey, Apple is adding several quality of life improvements, which are designed to address some of the complaints that people have had with these operating systems for years now. Subscribe to the MacRumors YouTube channel for more videos. In our latest YouTube video, we're highlighting some of our favorite "fix" features that address long-running problems in iOS and...
Read Full Article125 comments
Top Stories 63 Feature

Top Stories: Beats Studio Buds Announced, Apple Watch Series 7 Rumors, and More

Saturday June 19, 2021 6:00 am PDT by
The Apple news cycle started to move beyond WWDC this week, but that doesn't mean there still wasn't a lot to talk about, led by the official debut of the much-leaked Beats Studio Buds that might give us a hint of what to expect for the second-generation AirPods Pro. With no hardware announcements at WWDC, we also took a look at when we might finally see the long-rumored redesigned MacBook...
Read Full Article9 comments
m1 v intel thumb

Intel Processor Market Share May Fall to New Low Next Year Due to Apple Silicon

Friday June 18, 2021 2:06 am PDT by
Intel may see its market share fall to a new low next year, in large part thanks to Apple's decision to move away from using Intel processors in its Mac computers and instead use Apple silicon. Apple announced last year that it would embark on a two-year-long journey to transition all of its Mac computers, both desktops, and laptops, to use its own in-house processors. Apple is expected to...
Read Full Article161 comments
space gray magic accessories trio

Apple Stops Selling Magic Accessories in Space Gray

Friday June 18, 2021 9:16 am PDT by
Apple this week stopped selling its Magic Keyboard with Numeric Keypad, Magic Mouse 2, and Magic Trackpad 2 accessories for the Mac in a Space Gray color, around three months after discontinuing the iMac Pro, which also came in Space Gray. Last month, Apple listed the Space Gray accessories as available while supplies last, and the company has now removed the product pages from its website...
Read Full Article120 comments
maxresdefault

Apple CEO Tim Cook: Sideloading Apps Would 'Destroy the Security' of the iPhone

Wednesday June 16, 2021 10:49 am PDT by
Apple CEO Tim Cook this morning participated in a virtual interview at the VivaTech conference, which is described as Europe's biggest startup and tech event. Cook was interviewed by Guillaume Lacroix, CEO and founder of Brut, a media company that creates short-form video content. Much of the discussion centered on privacy, as it often does in interviews that Cook participates in. He...
Read Full Article332 comments
3nm apple silicon feature

Apple Supplier TSMC Readies 3nm Chip Production for Second Half of 2022

Friday June 18, 2021 6:59 am PDT by
Apple supplier TSMC is preparing to produce 3nm chips in the second half of 2022, and in the coming months, the supplier will begin production of 4nm chips, according to a new report from DigiTimes. Apple had previously booked the initial capacity of TSMC's 4nm chip production for future Macs and more recently ordered TSMC to begin production of the A15 chip for the upcoming iPhone 13,...
Read Full Article140 comments