New Variant of Mac Trojan Horse
A new report from Intego shows that the trojan discovered last week in pirated copies of Apple's iWork 09 has been revamped and repackaged into pirated copies of Adobe Photoshop CS4 for the Mac. The new trojan, dubbed OSX.Trojan.iServices.B, is found bundled with copies of Adobe Photoshop CS4 that are available for download from BitTorrent trackers and direct download warez sites.
This time the Photoshop installer itself is clean; the trojan is instead bundled as a software cracking application that promises to generate activation codes for the program. The user runs the crack in the expectation that it will unlock Photoshop, and it asks for the administrator password and then launches a backdoor with root privileges.
According to Intego, the trojan "copies the executable to /usr/bin/DivX and creates a start-up item in /System/Library/StartupItems/DivX. The program checks to see if it has been launched with root privileges and if so, saves the root hash password in the file /var/root/.DivX." It then begins to listen on a random TCP port, answers requests such as GET / HTTP/1.0 by sending a 209-byte packet, and makes repeated connections to two IP addresses.
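The file-system paths Intego names are the indicators a Mac user can check for directly, so here is a small shell script, added to this report and not Intego's or Apple's code, that looks for them. It takes the mount point to inspect as an argument (assumption: "/" for the running system, or the mount point of a suspect disk image), and the listener check assumes the backdoor's process name is "DivX", taken from the executable path in the report; the 209-byte HTTP reply and the two remote IP addresses, which the report does not list, are not checked.

```shell
#!/bin/sh
# Added example, not from the original article or from Intego: check a volume
# for the artifacts Intego attributes to OSX.Trojan.iServices.B.
#
# Usage:  sh check_iservices_b.sh --scan [ROOT]
# ROOT defaults to "/" (the running system); pass the mount point of a
# suspect disk image to inspect it without booting from it (assumed usage).

# Print each artifact present under ROOT, one per line.
# Returns 0 if at least one artifact was found, 1 if none were.
iservices_b_artifacts() {
    root="${1%/}"          # "/" becomes "", so "$root$p" stays absolute
    found=1
    # Paths exactly as named in the Intego report.
    for p in /usr/bin/DivX \
             /System/Library/StartupItems/DivX \
             /var/root/.DivX; do
        # -e rather than -f: the start-up item may be a directory (bundle).
        if [ -e "$root$p" ]; then
            echo "$root$p"
            found=0
        fi
    done
    return $found
}

# The backdoor listens on a random TCP port, so there is no port to match on.
# Instead list TCP listeners whose command name is "DivX" (assumption: the
# process name follows the executable path /usr/bin/DivX). Only meaningful
# on the live system, so this is not exercised by the file-system test.
iservices_b_listeners() {
    lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null | awk 'NR == 1 || $1 ~ /DivX/'
}

scan_host() {
    root="${1:-/}"
    if iservices_b_artifacts "$root"; then
        echo "SUSPECT: iServices.B artifacts found under $root"
        # /var/root/.DivX holds what Intego describes as the root password
        # hash: if it is present, treat the root credentials as compromised.
        if [ -e "${root%/}/var/root/.DivX" ]; then
            echo "NOTE: root password material was captured; change it"
        fi
    else
        echo "clean: no iServices.B file-system artifacts under $root"
    fi
    if [ "$root" = "/" ]; then
        echo "TCP listeners named DivX (header line only means none):"
        iservices_b_listeners
    fi
}

case "${1:-}" in
    --scan) scan_host "${2:-/}" ;;
esac
```

Run it as root so that /var/root is readable. The start-up item path is a 2009-era persistence location: on OS X 10.11 and later System Integrity Protection blocks writes to /System/Library, so a clean result there says nothing about later malware families, and the script only recognises the specific file names Intego published for this variant.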
Since the trojan reports to a remote server on the Internet, its creator is notified each time a Mac is infected and can then issue commands to the backdoor remotely. These could include almost anything, from downloading additional software to taking part in a DDoS (distributed denial of service) attack on particular web sites.
Intego is reporting that almost 5,000 people have downloaded the file via a major BitTorrent tracker. It is very likely that the trojan will continue to be modified and spread through pirated copies of software packages.
As always, we recommend not downloading software from untrustworthy or unofficial sources and always acquiring software legitimately.
See also:
- Copies of iWork 09 from BitTorrent may contain trojan, a heise online UK report
- A Mac OS X attack that leaves no trace, a heise online UK report
(crve)