Ninjas don’t often get trojans, but pirates of Mac software just might… According to an article on MacRumors, there is a pirated copy of iWork 09 floating around torrent-land that has a trojan in it. Apparently it creates /usr/bin/iWorkServices and then puts it in /System/Library/StartupItems. Now, in order to place the files there, the installer is obviously going to need the user to enter a root password. But then, a regular installer would ask a user to do this too.
The trojan has been named OSX.Trojan.iServices.A. Supposedly over 20,000 users have downloaded the infected files from the torrents, but at this time, I am unable to find one to try and infect myself and see what the binary itself can do. Also, if 20,000 downloads occurred, it’s not clear to me yet how many of those were bots and how many were actual humans attempting to install the software. If you happen to have gotten infected, remove all instances of the iWorkServices files and reboot, and you should be OK. More on the payload when I figure it out. Moral of this story: just buy iWork… Oh, and please run anti-virus – it’s a good thing, even if you don’t believe in it…
By the way, if anyone has a copy I’d love to do a little forensics on the package to see who made it, so send me the /Library/Receipts/iWorkServices.pkg file…
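A way to check a Mac for the files named in this post before removing anything, as an added example that is not part of the original post. The function names and the optional ROOT argument (a mount point, so another volume can be examined) are assumptions of this example. It only lists matches, so the receipt package is still there if you want to keep a copy for analysis.

```shell
#!/bin/sh
# Added example: list iWorkServices artifacts in the locations the post names.
# ROOT is an assumption of this example: "/" for the live system, or the
# mount point of a volume being examined.

# find_iworkservices ROOT -> prints one matching path per line, nothing if clean
find_iworkservices() {
    root="${1:-/}"
    root="${root%/}"    # "/" becomes "", "/Volumes/X/" becomes "/Volumes/X"
    for dir in /usr/bin /System/Library/StartupItems /Library/Receipts; do
        [ -d "$root$dir" ] || continue
        # The post gives only the directories, so match on the name;
        # depth 2 covers an entry in the directory or one level below it.
        find "$root$dir" -maxdepth 2 -name 'iWorkServices*' -print 2>/dev/null
    done
}

# check_iworkservices ROOT -> returns 0 if nothing was found, 1 otherwise
check_iworkservices() {
    hits=$(find_iworkservices "$1")
    if [ -z "$hits" ]; then
        echo "no iWorkServices files found under ${1:-/}"
        return 0
    fi
    echo "iWorkServices files found:"
    echo "$hits" | while IFS= read -r p; do
        # ls -ld records owner, mode and timestamp before anything is removed
        ls -ld "$p"
    done
    return 1
}
```

Run `check_iworkservices /` on the live system, or pass the mount point of another volume.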