Two New Trojan Horses Target Macs
Two Variants Of Trojan Horse Viruses Target Mac Users
Two new Trojan horses are attacking thousands of Mac users who’ve downloaded pirated versions of iWork ’09 or Photoshop CS4.
According to an article published last week on AppleInsider, users who have downloaded and installed pirated copies of either iWork ’09 or Photoshop CS4 may have opened their Macs to remote attacks from hackers.
Mac security software maker Intego discovered last week what it calls “OSX.Trojan.iServices” in pirated copies of Apple’s iWork ’09.
This cracked version contains an additional program not found in retail copies of iWork, called “iWorkServices.pkg”. During installation, this program also installs itself as a startup item with read, write and execute permissions.
The rogue software connects to a remote server to notify its creator the Trojan has infected another machine. The hacker can then remotely connect to these machines and perform various malicious actions, including downloading additional programs to the machine.
Intego warns that any Mac user compromised by the Trojan faces “extremely serious consequences”.
The security firm said 20,000 people had already downloaded the installer at the time of its alert, a number that continues to rise at a rate of 1,000 per week.
In an update released Monday morning, Intego said Macs infected with the Trojan are now being pushed new code that downloads in the background, which is then being used to facilitate a DDoS (distributed denial of service) attack on certain websites.
Photoshop CS4 Trojan Targets Macs
Intego has also warned that a new variant of the same Trojan is contained in some pirated versions of Adobe Photoshop CS4.
The Trojan, named OSX.Trojan.iServices.B, is not part of the install itself, but is executed when the user opens the keygen to generate the serial number needed to validate the install.
This app extracts an executable from its data and installs a backdoor in /var/tmp/. If the user runs the crack app again, a new executable with a different random name is created, which makes it very difficult to remove the malware safely.
Once the administrator password is entered, a backdoor with root privileges is launched, copying the executable to /usr/bin/DivX and a startup item in /System/Library/StartupItems/DivX. It then makes repeated connections to two IP addresses, according to Intego.
A malicious user can then connect to the affected Macs and perform various actions and downloads remotely. Intego predicts this Trojan horse may also be used to execute similar DDoS attacks.
This installer has already been downloaded by 5,000 people who are now at risk, the firm says.
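The paths above are the only concrete indicators the article gives for the two variants, and they are enough for a simple host check. The following script is an added example, not code from the article or from Intego: it looks for the file and startup-item paths named in the report and lists any executables sitting in /var/tmp for manual review, since the random names of the dropped backdoor cannot be matched directly. The `ROOT` prefix argument and the `scan_iservices_indicators` function name are assumptions made here so the check can be run against a mounted or copied disk image rather than the live system; the `*iWorkServices*` pattern is also an assumption, because the article names the installer but not the exact startup-item path.

```shell
#!/bin/sh
# Indicator check for the iServices Trojan variants described in the Intego
# report. Added example, not Intego's tooling. Only the paths the report names
# are checked; ROOT is a hypothetical prefix (default: live filesystem).

# Prints one line per finding and returns the number of findings (0 = clean).
scan_iservices_indicators() {
    root="${1:-}"
    count=0

    # Paths the report names for the Photoshop CS4 variant (iServices.B).
    for p in "/usr/bin/DivX" "/System/Library/StartupItems/DivX"; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            count=$((count + 1))
        fi
    done

    # The iWork variant installs itself as a startup item; the article gives the
    # installer name (iWorkServices) but not the item path, so match on the name.
    # Assumption: the startup item carries the same name.
    if [ -d "$root/System/Library/StartupItems" ]; then
        for d in "$root"/System/Library/StartupItems/*iWorkServices*; do
            if [ -e "$d" ]; then
                echo "FOUND: $d"
                count=$((count + 1))
            fi
        done
    fi

    # The backdoor is dropped in /var/tmp under a random name, so list every
    # executable file there for review instead of trying to match a name.
    if [ -d "$root/var/tmp" ]; then
        for f in "$root"/var/tmp/*; do
            if [ -f "$f" ] && [ -x "$f" ]; then
                echo "SUSPECT: executable in /var/tmp: $f"
                count=$((count + 1))
            fi
        done
    fi

    return "$count"
}

# Usage: sh check_iservices.sh [ROOT]
# Exit status of the function is the number of indicators found.
if [ "$#" -gt 0 ]; then
    scan_iservices_indicators "$1"
    echo "indicators found: $?"
fi
```

A non-zero result only means the named paths or unexpected executables are present; it confirms nothing about which copy of the malware dropped them, so a hit should be followed by the vendor's removal guidance rather than by deleting the files by hand, because the article notes that the backdoor re-creates itself under a new name each time the crack is run.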
A security notice on Intego’s website reads:
“The risk of infection is serious, due to the number of infected users, and these users may face extremely serious consequences if their Macs are accessible to malicious users.”
Intego says its own VirusBarrier X4 and X5 products with virus definitions dated January 22, 2009, or later will protect against these two Trojan horses.