Mac users hit by Trojan-infected iWork copies

24 January 2009

Intego, a company that manufactures security software for Apple's Mac computers, on Wednesday said it had identified previously unknown Trojan software that affects computers running Mac OS X. The Trojan was found with some unauthorised copies of Apple's new iWork 09 productivity suite on sites that traffic in illegally copied software.

The malicious software appears to be designed to enlist infected systems in a bot army that is targeting Web sites with so much junk traffic they can no longer accommodate legitimate visitors.

In an alert issued today, Intego said some pirated versions of the $79 iWork software suite circulating on BitTorrent trackers are infected with malware called SX.Trojan.iServices.A.

It said the Trojan is bundled so that it begins to run as soon as the user installs the pirated iWork software. It opens up a "backdoor" on the victim's computer, alerting the virus writer that a new system is infected and allowing the attacker to upload new software to or perform other actions on the infected Mac.

While the iWork '09 programme is completely functional, the installer contains Trojan, which is launched when the software is installed. The Trojan installer is downloaded as soon as the user requests an administrator password and begins installation of iWork. Older versions of Mac OS X, such as 10.5.1 and earlier, don't require a password, and hence have not been affected.

While the exact number of infected users is not yet known, Intego estimates that affected Mac users exceed 20,000. Malware specific to the Mac is still a relative rarity, but not entirely uncommon, security experts say. Last year, coinciding with the first day of the MacWorld Conference & Expo, a rogue application known as MacSweeper, which spread only on Mac computers, solicited users to download and pay for a bogus cleanup programme.