The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Breaking: Over 20k Mac Users Unknowingly Infected By a Trojan (All Mac Users Read This!)

    Discussion in 'Apple and Mac OS X' started by MICHAELSD01, Jan 22, 2009.

  1. MICHAELSD01

    MICHAELSD01 Apple/Alienware Master

    If you own a Mac, you'll definitely want to read this.

    Over 20k people were infected by a copy of the iWork 09 trial that included a trojan in it. The trojan starts at the startup of your Mac and connects to a remote server, which gives whoever created the trojan full access to your computer, completely in the background. Some people are already noticing the trojan working to run some code for the guy. The 20k only comes from a torrent version of iWork 09, though some sites outside of Apple are hosting the trial version with the trojan in it, too.

    The software is installed in /System/Library/StartupItems/iWorkServices and simply deleting it will not fully remove it. You'll need to reformat and reinstall from a backup or download Intego VirusBarrier and remove it that way. Unfortunately, the trial version of VirusBarrier won't let you install the update that removes the trojan.

    I guess if we all had virus software already running nobody would have to deal with this? Maybe it'll be time for a virus scanner when over 20k Mac users have to hear that they have a trojan on their system by reading a blog on the internet.

    http://www.intego.com/news/ism0901.asp (some info taken from other sources)

    By the way, mods, I hope that this post doesn't get deleted or locked. I only posted it so people can check if they have the trojan or not, which is pretty serious when 20k+ people downloaded it and have no idea that they have it.
     
  2. StrongerThanAll

    StrongerThanAll Notebook Deity

    Good thing I didn't install the trial version of iWork
     
  3. Seshan

    Seshan Rawrrr!

    They got it because they are stupid. This only affects the people that downloaded it. If you are going to pirate something do it the right way :D
    StrongerThanAll I think you misunderstood, this was an ILLEGAL version from a pirate site. Downloading from the Apple site is safe.
    MICHAELSD01 you should edit your post so people know that it was an illegal copy not from the Apple site.
     
  4. MICHAELSD01

    MICHAELSD01 Apple/Alienware Master

    The closest thing to a fix without up-to-date virus scanning software or reformatting would be to open up Terminal and follow these steps:

    1) Open Terminal
    2) type sudo su
    3) Enter your password
    4) type rm -r /System/Library/StartupItems/iWorkServices
    5) type rm /private/tmp/.iWorkServices
    6) type rm /usr/bin/iWorkServices
    7) type rm -r /Library/Receipts/iWorkServices.pkg
    8) type killall -9 iWorkServices

    The rm command removes the trojan and the killall command stops any processes it might have running. Keep in mind that a trojan can modify any files or software on your computer, so this might not remove anything done to your machine. If this is a machine that stores anything confidential, reformatting is highly recommended. If you don't want to reformat, a virus scanner is also highly recommended. Follow those steps if you assume you have it before the trojan does anything.
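
Added example, not part of MICHAELSD01's post: a read-only shell check for the four file paths and the process name listed in the steps above, so you can see what is present before deleting anything. The `ROOT` argument (for scanning a mounted backup or disk image) and the function names are assumptions introduced here.

```shell
#!/bin/sh
# Read-only check for the iWorkServices files named in the post above.
# The four paths come from the post; ROOT is an assumption added so the
# same check can be pointed at a mounted backup or disk image.

IWORK_PATHS='/System/Library/StartupItems/iWorkServices
/private/tmp/.iWorkServices
/usr/bin/iWorkServices
/Library/Receipts/iWorkServices.pkg'

# Print every listed path that exists under ROOT (default: the live system).
# Exit status 0 = at least one artifact found, 1 = none found.
iwork_artifacts() {
    root="${1:-}"
    found=1
    old_ifs=$IFS
    IFS='
'
    for p in $IWORK_PATHS; do
        # -L also catches a dangling symlink left at one of the paths
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            printf '%s\n' "$root$p"
            found=0
        fi
    done
    IFS=$old_ifs
    return "$found"
}

# Succeeds if a process whose executable is named exactly iWorkServices is running.
iwork_running() {
    ps -A -o comm= | awk -F/ '$NF == "iWorkServices" { hit = 1 } END { exit !hit }'
}

# Run as: sh check.sh --scan [ROOT]
if [ "${1:-}" = "--scan" ]; then
    iwork_artifacts "${2:-}" || echo "no iWorkServices files found"
    if iwork_running; then
        echo "iWorkServices process is running"
    fi
fi
```

A clean result here only means these specific files are absent; as the post says, it does not show what else the trojan may have changed.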
     
  5. MICHAELSD01

    MICHAELSD01 Apple/Alienware Master

    I said that it was only from some sources outside of Apple. I've read that some users that downloaded the trial from legit sites other than Apple have gotten the trojan, too, so it's best to follow those steps I just posted if you got the trial anywhere other than www.apple.com.
     
  6. MaX PL

    MaX PL Notebook Deity

    Where can you buy virus scanners for Macs?
     
  7. MICHAELSD01

    MICHAELSD01 Apple/Alienware Master

    The site I had in my post is probably the best virus scanner you'll find now for the Mac. It's also the only one that protects against this trojan.
     
  8. Seshan

    Seshan Rawrrr!

    There's no saying most virus scanners would have even picked it up; since it was a new virus, it probably would have gotten by most scanners.
     
  9. sulkorp

    sulkorp Notebook Deity

    I think technically, the file itself wasn't illegal.

    If it's piratebay, or any other random torrent site that the masses use, it would probably be the trial that's on Apple's site, along with a cdkey.

    The trial, there's nothing illegal about that, though the cdkey obviously is.

    But yea, I guess that's something to look for now. But it looks like the only way atm to get the trojan on people's computers is for them to actually install something. Guess that's bad for the "unwashed pirates" out there. Also if you have a decent firewall, you should notice something that's accessing the internet and not let it access it.
     
  10. jjahshik32

    jjahshik32 Notebook Deity

    Me too, and that pirating would cause this anyway. Good thing I only stick to bluray movies only. =D

    But thanks for the warning.
     
  11. Khris

    Khris Yes I am better than you!

    I find that very hard to believe, and all of the sources I've read about this do not implicate any legal downloads from apple.com.
     
  12. t3rom

    t3rom Notebook Consultant

    You can say that again:

    http://www.macworld.com/article/138380/iworktrojan.html

    http://news.cnet.com/8301-1009_3-10148359-83.html

    http://www.computerworld.com/action...ArticleBasic&articleId=9126609&intsrc=hm_list

    http://voices.washingtonpost.com/se...iwork_software_infects.html?wprss=securityfix

    I'd like to see a credible proof from a reliable source MICHAELSD01.
     
  13. Modly

    Modly Warranty Voider

    He did say "other than Apple".

    Edit to add; This weekend I'll have to see about making a clean box, and installing this. I'm curious now.
     
  14. MICHAELSD01

    MICHAELSD01 Apple/Alienware Master

    I read in the comments of one of the articles I read (I've read a lot of articles on this) that one of the download sites that had the iWork 09 trial up to download used to have the version downloaded from a torrent with the trojan (I guess they assumed that they couldn't do that with the download from Apple?). I'm not going to go looking for it, but as I've already said, the version with a trojan was never on Apple's servers. Maybe it's time for Apple to get some kind of virus scanning for installers before it installs anything. It's too easy to open up the package contents of a program and add a virus that installs with the program. Any viruses or trojans would go unknown to at least 90% of the people that own a Mac and I bet that all of that 90% would have some kind of virus if this gets more widespread and becomes common. If Windows is any indication, Mac is getting popular enough that you'll have to be careful with everything (not just files from torrents or pirated applications) that you download on a Mac, too.
     
  15. MICHAELSD01

    MICHAELSD01 Apple/Alienware Master

    Check if the iWorkServices trojan starts up after you install the infected version of iLife or after you start your system for the first time afterwards. I'm kind of curious.
     
  16. Colton

    Colton Also Proudly American

    Oh boy, this would be a dream to PC fanboys. Please don't tell them! :p
     
  17. Khris

    Khris Yes I am better than you!

    The topic of this thread is EXTREMELY misleading and should be changed.

    Downloading the trial of iWork 09 directly from Apple is fine. When you start downloading it from other sources (either reputable or not) you run the risk of bad things happening because you never know where those "reputable" sources got their file from.

    Obviously downloading things from torrents involves risk, however the topic of this thread really doesn't point the finger where it really should be pointed.
     
  18. masterchef341

    masterchef341 The guy from The Notebook

    *yawn*.

    this is just the first time people noticed because iwork was torrented in such large numbers (over 20k!)

    I'm sure this has been going on for a while for the fools that torrent software.

    and I'm also sure that almost every windows game and other must-have apps shared to no end on those sites has similar nonsense embedded. even the "reputable scene" ones. there is just too much money to be made for them not to do it. and they risk nothing. what, their reputation? hah!

    anyway, this is boring. if you download malicious software, it does malicious things to your computer. no amount of built-in protection can save you from unlocking the door and opening it yourself.
     
  19. circa86

    circa86 Notebook Virtuoso NBR Reviewer

    Agreed. . .

    And not to be the bearer of bad news but there is no way that 20,000 people are "infected" with this, and if they are, there is no way anyone would know even a remotely accurate number. ANYONE ELSE NOTICE WHERE THIS "NEWS" IS COMING FROM? Hmm. . . is it, maybe. . . A COMPUTER SECURITY COMPANY!?!?, that makes money by selling useless software? And does it by blowing things out of proportion to draw traffic to their site? Please. . .

    If you have been using a Mac for more than 1 or 2 years, you will have already realized this isn't really much to speak of.

    As mentioned, if you download a Malicious app, and allow it to do bad things to your computer, there isn't much an Anti-Virus program is going to do about it beyond what OS X tries to protect you from.

    And as you can clearly see, even if someone is foolish enough to have this on their system, the fact that it was reported and very overexaggerated is a good sign for future protection against a real threat.

    Just wait until we have to start being afraid of computers themselves, that is when the real fun will begin.

    ALL MAC USERS! Go about your normal business, after you have realized this will affect you in no way.
     
  20. manba

    manba Newbie

    well....like ppl always say...mac don't get virus coz the market share....now we are growing up so fast....what has to come has to come.....time to save up money for A/V....or...ubuntu??? :p
     
  21. Seshan

    Seshan Rawrrr!

    Nope, because whoever made the torrent isn't a dumb and you will never be able to find them.
     
  22. 00fez

    00fez Notebook Deity

    loler. Two funny posts in a row. Too true
     
  23. rapion125

    rapion125 Notebook Evangelist

    This is news? This happens on Windows ALL the time. It's just some script-kiddy who embeds a virus into an install package. It's been done since the start of Windows 95. When millions of Windows users were infected by the Internet Explorer XML bug, no news networks covered it. All it got was a Microsoft Security Advisory and fixed.
     
  24. Seshan

    Seshan Rawrrr!

    If you didn't notice, this is the Apple section. This isn't an everyday occurrence like it is on Windows. So yes, people are reacting differently.
     
  25. fan of laptop

    fan of laptop Notebook Evangelist

    it is breaking news, but I do not use iwork 09 anyway, so my machine is fine, but still, it is breaking to hear about a virus on a mac
     
  26. Sherman90

    Sherman90 Notebook Consultant

  27. jjahshik32

    jjahshik32 Notebook Deity

    Just don't d/l the pirated version of iwork 09 and you're fine. =D
     
  28. Paul

    Paul Mom! Hot Pockets! NBR Reviewer

    This thread is so full of misinformation it's terrible.

    First, this is a trojan, not a virus. Meaning two things: 1. It can only be installed with the express permission of the user, and 2: It cannot be spread to other Macs unless they also give it express permission to install. Viruses can spread secretly, but trojans can't.

    Also, this was only on pirated full editions of iWork 09 that were deliberately tampered with. The trial downloads from Apple and other reputable sites (like ones you download stuff from all the time) are fine. The 20,000 number comes from the number of downloads, not the actual number of infected users (it's impossible to know the actual number).

    Moral of the story: don't pirate software, and don't give root permission (i.e. your password) to any application without knowing for sure that it's legit. Otherwise, prepare to suffer the consequences. Also, let me say again, THIS TROJAN CANNOT SPREAD FROM ONE MAC TO ANOTHER FREELY.

    Also, I've noticed a lot of people throwing around the terminal commands to get rid of the problem (though it still doesn't fix other apps affected by the trojan) on here and on other forums/blogs. If you don't know what you're doing in the terminal, NEVER FOLLOW THESE COMMANDS. Especially when the commands start with "sudo -su." This opens up root access on your computer and allows any application (including trojans and viruses) complete access to your system. Only follow these commands if you know what you're doing and what the commands mean.
     
  29. MICHAELSD01

    MICHAELSD01 Apple/Alienware Master

    Did anyone actually find out if anybody ever sent commands so the trojan would do anything or was just there to people off? Some people had this on their system for weeks, so someone would notice by now.
     
  30. Tinselworm

    Tinselworm Notebook Deity

    wahay about time! *snickers*