About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Home » Industry Watch » The Technological » Hall of Monkeys

Mac Antivirus Vendors

The snake oil's thrown in free of charge.

Get It

Try It

So it's happened again. The Macintosh sky has fallen. And Maccies everywhere are in a panic. And precious few of them understand what's going on. And fewer still want to learn.

So is it any wonder the Mac antivirus vendors come out of the woodwork and try to push their products in this atmosphere of fear? Possibly not. But that doesn't make it any more conscionable.

And here's the big joke: their products can't protect you against things like this anyway.

Cottage Industry

Antivirus on Windows is a cottage industry. It wouldn't survive if Windows wasn't a pathetic mess. The original 'antivirus' effort - stopping bad code leeching onto good code - has been superseded and expanded by generic anti-spyware efforts. And with all the products available in all the wide world not a one of them - together or combined with all the others - can claim to get at and root out all malfeasants. It can't be done.

But as long as Windows users insist on being stupid they'll continue to clean up.

On the Mac - on any generic Unix system - it's a bit of a different story. Unix is a sturdy system. Unix is prepared to be used online. It's a 'real' operating system unlike Windows. It's not going to be hacked, there are not going to be viruses, worms, and spyware epidemics.


As most understand by now some of the first alerts for the iWorkServices trojan appeared at The Pirate Bay where the torrent appeared on 8 January. Site visitor 'akiacat' posted complete instructions for its removal on 19 January. These instructions were thereafter picked up by MacRumors and others - including the antivirus vendors.

I can confirm that this contains a iWorkServices trojan. LittleSnitch also confirms this. It does not seem to be too complex. Just do the following to delete the crappy trojan:

1) (open Terminal.app)
2) sudo su (enter password)
3) rm -r /System/Library/StartupItems/iWorkServices
4) rm /private/tmp/.iWorkServices
5) rm /usr/bin/iWorkServices
6) rm -r /Library/Receipts/iWorkServices.pkg
7) killall -9 iWorkServices

This should disable any running processes of the trojan and delete the startup script and executable. First time I see this on a Mac. Seems that it's now time to switch to Linux. ;)

There's certainly nothing wrong with antivirus vendors helping to spread the word and cautioning people about the trojan. But their products do not help - only brains do. Trojans in Apple installer packages can't be tested for 'signatures'. 'Opener' got past antivirus signature lists by changing its name to 'o-p-e-n-e-r'.

'So much for antivirus technologies', the author of Opener remarked to this site.

One last time: 'akiacat' is wrong - you do not have to switch to Linux. Not for this. And as for antivirus or anti-spyware or anything of the sort on Apple's OS:

You. Don't. Need. It.

And what did Security Fix blogger Brian Krebs say? Not many realise he's a Mac fan and runs a MacBook Pro. And just the other day in the context of all these Mac antivirus vendors sprouting back up he posted the following.

If my employer hadn't already paid for a Symantec antivirus software license on my Mac I can tell you I certainly would not have paid for it on my own.
 - Brian Krebs

Nick Raba

Nick Raba's the curator of SecureMac. He's had the site for ten years. Not much on the site is up to date but it's still alive and kicking.

Should you wander over you'll see some startling headlines destined to scare the shit out of you. Things like 'root shell in 4 steps with setuid apps' and 'sudo buffer overflow exploit' and you'll be scared alright!

Then you'll click through on the links and you'll discover the one article covers a vulnerability from back in the year 2000 and the other a vulnerability even further back in time. Certainly if these are the best Nick Raba and SecureMac can come up with - and they're at the top of the headline list - then the Mac with OS X is fairly secure!

But hold on - for all the while some sites just reprint akiacat's instructions and others such as this one publish even easier (and free) methods of removing the trojan Nick takes it one step further.

  • Copy out akiacat's instructions.
  • Create a super-slick wrapper app to run those instructions.
  • Put in a link to one's own Mac antivirus products that nobody needs.

And that's what Nick Raba did. He created the 'iWorkServices Trojan Removal Tool'. And published it everywhere on the web. And then those bastard hackers ruined it all by coming out with a new trojan!

Well heck there wasn't that much code to add. But Nick Raba didn't even have time for that. He released his 500 KB app with the same name, the same graphics - except now it went after both trojans!

What's Nick going to do when the next trojan hits? Refactor his app again? What are users going to do? Wait for Nick Raba to rerelease his 'iWorkServices Trojan Removal Tool' again?

What's amazing is Raba couldn't do more given the time allotted. The 'DNSChanger' mentioned in the above sheet (along with thousands of other trojan horses) is something he's been working on for some time. The 'iWorkServices Trojan Removal Tool' is simply Raba's earlier 'DNSChanger Removal Tool' all too hastily retooled.

Here's the telltale data from 'DNSChanger Removal Tool'.

0000000000003d1c http://macscan.securemac.com/
0000000000003d40 Scanning for DNSChanger...
0000000000003d5c Scanning /Library/Internet Plug-Ins/...
0000000000003d84 Verifying scan results...
0000000000003da0 Scan complete.
0000000000003db0 /Library/Internet Plug-Ins/plugins.settings
0000000000003ddc DNSChanger Detected.
0000000000003df4 Trojan Detected
0000000000003e04 DNSChanger trojan was detected.  Would you like to remove it?
                 After removal, please restart your computer to clear bad DNS entries.
0000000000003e90 Cancel
0000000000003e98 DNSChanger Trojan Removed.
0000000000003eb4 Unable to remove DNSChanger Trojan.
0000000000003ed8 Removal Cancelled.
0000000000003eec /Library/Internet Plug-Ins/AdobeFlash
0000000000003f14 Scan Complete.  DNSChanger was not detected.
0000000000003f44 http://store.eSellerate.net/s.asp?s=SUCKER&Cmd=BUY&SKURefnum=NOFUCKINGWAY&pt=LOSER
0000000000003fa0 MacScan Store

Here's the corresponding data from 'iWorkServices Trojan Removal Tool' after the update for the second trojan. A little bit fancier and a little bit more to do. But nobody's breaking out in a sweat here.

0000000000005736 http://macscan.securemac.com/
0000000000005758 Scanning for iServices trojan...
0000000000005779 Scanning /usr/bin/...
000000000000578f Verifying scan results...
00000000000057a9 Scan complete.
00000000000057b8 /usr/bin/iWorkServices
00000000000057cf /private/tmp/.iWorkServices
00000000000057ec /System/Library/StartupItems/iWorkServices
0000000000005818 /Library/Receipts/iWorkServices.pkg
000000000000583c /usr/bin/DivX
000000000000584a /private/tmp/.DivX
0000000000005860 /System/Library/StartupItems/DivX
0000000000005884 Scan Complete.  iServices trojan was not detected.
00000000000058b7 iServices Trojan Detected.
00000000000058d2 Cancel
00000000000058dc iServices Trojan component was detected in /usr/bin/.
                 Would you like to remove it?
0000000000005930 Trojan Detected
0000000000005940 iServices Trojan Removed.
000000000000595c Unable to remove iServices Trojan.
000000000000597f Removal Cancelled.
0000000000005994 iServices trojan component was detected in /usr/bin/.
                 Would you like to remove it?
00000000000059e8 iServices Trojan component was detected in /private/tmp.
                 Would you like to remove it?
0000000000005a40 iServices trojan component was detected in /private/tmp.
                 Would you like to remove it?
0000000000005a98 iServices Trojan component was detected /System/Library/StartupItems/.
                 Would you like to remove it?
0000000000005b00 iServices Trojan component was detected in /Library/Receipts/.
                 Would you like to remove it?
0000000000005b60 Scan Complete.  iServices Trojan was not detected.
0000000000005b93 /var/tmp
0000000000005b9c iServices trojan component was detected in /var/tmp/.
                 Would you like to remove it?
0000000000005bf0 iServices trojan component was detected /System/Library/StartupItems/.
                 Would you like to remove it?
0000000000005c55 /var/root/.iWorkServices
0000000000005c70 iServices Trojan component was detected in /var/root/.
                 Would you like to remove it?
0000000000005cc5 /var/root/.DivX
0000000000005cd8 iServices trojan component was detected in /var/root/.
                 Would you like to remove it?
0000000000005d30 Scan Complete.  iServices was detected on system.
0000000000005d64 http://store.eSellerate.net/s.asp?s=SUCKER&Cmd=BUY&SKURefnum=NOFUCKINGWAY&pt=LOSER
0000000000005dbd MacScan Store

So it does appear despite all that Nick Raba is going to keep coming out with new (or at least enhanced) 'removal tools' every time a trojan hits. What he could do - if he's really smart - is collect all these and announce a new Mac antivirus kit.

About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.