OSX/iWorkS-A another reason to have a Mac security product

Filed Under: Apple, Malware, SophosLabs

Yesterday, SophosLabs was made aware of a new Mac OS X Trojan affecting a dubious copy of iWork '09 (an update to Apple's popular rival to Microsoft Office).

In the news and blogosphere there were several write-ups and descriptions (Threat Researcher, Intego, ProtectMAC and our own Graham Cluley), SophosLabs has now written detection for this new Trojan which we identify as OSX/iWorkS-A (aka OSX.iWorkServices.A, OSX.Iwork and OSX.Trojan.IServices.A).

The Trojanised copy of iWork '09 was made available on the infamous PirateBay torrent site as a ZIP file. When unpacked you would get a proper Mac .pkg file.

As you can see the ZIP was ~450Mb and there were over 500 torrent sites up last night offering it for download. Looking into the .pkg file (actually a folder) shows that there is a suspiciously new file.

iWorkServices.pkg is the install package for OSX/iWorkS-A. When installed OSX/iWorkS-A will create several files and a process.

Sophos Anti-Virus for Mac will detect and delete the files created under StartupItems and bin. The process called iWorkService can be killed manually.

sudo killall -9 iWorkServices

Network administrators who monitor network traffic should look for traffic to:

*freehostia.com:1024
69.92*:59201

as traffic is indicative of an infection of OSX/iWorkS-A.

The comments posted to the PirateBay blog are quite explicit about the dangers involved in downloading this torrent. Though it appears that the author of this Trojan (or perhaps an accomplice) was posting to say that the file wasn't a Trojan. Either that or they were quite dim.

Graham asked late last year "Do you really need anti-virus on your Apple Mac?". This Trojan once again proves the answer to be yes.

,

You might like