Mac security firm Intego has found a new variant of the trojan that was installed with pirated iWork '09 last week. This time, the trojan comes hidden in a serial cracker for Photoshop CS4.
By Chris Foresman | Last updated January 26, 2009 11:22
It seems malware writers really know how to stick it to pirates. After Intego identified a trojan hidden in a pirated version of iWork '09, the company has this week already identified a new variant, OSX.Trojan.iServices.B, hidden in pirated versions of Adobe Photoshop CS4 for Mac.
According to Intego, the new variant comes attached to an "Adobe CS4 Crack" app included with an otherwise legitimate installer. When you run the serial cracker, it first installs a backdoor in /var/tmp/ using a random name, making it hard to identify and remove. Then it asks for an admin name and password, which are then used to install a startup item in /System/Library/StartupItems/DivX with root privileges. Once it launches, it saves a hash of your machine's root password and ostensibly transmits the password when requested by the malware writer. Intego also says that the trojan makes repeated connections to two IP addresses.
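A quick check for the two on-disk locations described above, as an added example (not Intego's tooling or anything from the original report). The function names and the optional root argument, which lets you point it at a mounted backup volume instead of the boot disk, are assumptions made for this sketch. Because the backdoor's name is random, the /var/tmp listing is only a set of candidates to review by hand.

```shell
#!/bin/sh
# Added example: looks for the two file-system traces the article attributes
# to OSX.Trojan.iServices.B. Function names and the root argument are
# hypothetical; only the two paths come from the article.

# Print the startup item path if anything exists at that location.
find_startup_item() {
    si_root="${1:-/}"
    si_root="${si_root%/}"          # "/" becomes "", "/Volumes/X/" loses its slash
    si_item="$si_root/System/Library/StartupItems/DivX"
    if [ -e "$si_item" ] || [ -L "$si_item" ]; then
        printf '%s\n' "$si_item"
    fi
}

# List executable regular files sitting directly in /var/tmp. The backdoor's
# name is random, so there is nothing to match on except location and the
# executable bit. Hits are candidates for review, not confirmed malware.
list_tmp_executables() {
    te_root="${1:-/}"
    te_root="${te_root%/}"
    te_dir="$te_root/var/tmp"
    [ -d "$te_dir" ] || return 0
    find "$te_dir" -maxdepth 1 -type f -perm -100 2>/dev/null | sort
}

# Combine both checks into tagged report lines, one finding per line.
scan_root() {
    sr_root="${1:-/}"
    find_startup_item "$sr_root" | sed 's/^/STARTUP_ITEM /'
    list_tmp_executables "$sr_root" | sed 's/^/REVIEW /'
}

# Scan the boot volume by default, or the volume root given as $1.
scan_root "${1:-/}"
```

No output means neither trace was found under the scanned root.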
The first version of the trojan downloaded code that was then used to run denial of service attacks. Besides being a pain for the server admins who had to deal with the DDoS, your IP could end up on a blacklist, which could lead to all sorts of connectivity issues. Intego notes that this latest variant is capable of being used in the exact same way.
Though Photoshop is generally regarded as "too expensive" to pay for, we'd like to go on record as recommending you steer clear of pirated software in general. (Duh, right?) Besides the fact that it's illegal and leaves everyone stuck with annoying things like software activation, these recent trojans are a good reason to just stay away from it. Don't say we didn't warn you.