By Chris Foresman | Published: January 22, 2009 – 10:23AM CT
Apple's iWork '09 suite, introduced at the 2009 Macworld Expo earlier this month, already has pirated versions swirling around the less savory parts of the 'net. But if you're too cheap to pony up $79, you may end up infected with a trojan.
Security firm Intego identified the trojan in question late yesterday. Dubbed "OSX.Trojan.iServices.A," the trojan is hidden as an extra package—iWorkServices.pkg—in an otherwise fully-functional iWork '09 installer. Once you authenticate with your password to install the software, the trojan installs as a startup item in /System/Library/StartupItems/iWorkServices, an area normally reserved for Apple-only files, giving it read, write, and execute permissions as root. It then connects to a remote server, essentially creating a wide open back door for malicious attackers to do just about anything they want.
Of course, the simple solution is to not download pirated copies of iWork '09 (or any software for that matter), though Intego notes that at least 20,000 copies of the trojan-infected installer had been downloaded by 6am ET this morning. Predictably, Intego's own VirusBarrier and the latest definitions file will of course protect you from infection if you still fail to heed warnings against downloading software from untrusted sources. It's also possible to remove the trojan yourself with some Terminal-fu, but there's no guarantee that damage hasn't already been done; the trojan could install keyloggers or other hacks via its remote connection.
Seriously, though, is $79 so much that you would risk getting a trojan?
Identifying and Removing the iWork09 Trojanhttp://isc.sans.org/diary.html?storyid=5743&rss