Reports of Mac Trojan in pirated Adobe Photoshop CS4

It’s news which should dispel once and for all the notion that it’s only script kiddies and proof-of-concept coders that are developing malware for Mac OS X.

It is being reported that a new variant of the Apple Mac iWorkS Trojan horse (also known as iServices or iWorkServices) has been distributed via a pirated version of Adobe Photoshop CS4 on peer-to-peer file-sharing networks.

The Trojan, detected by Sophos as OSX/iWorkS-B, is found in a bundled crack program that allows users to circumvent the program’s serial number copy-protection.

If infected, Macintosh users are at risk of having a remote hacker take control of their computer – potentially for the purposes of sending spam, launching distributed denial-of-service attacks or stealing identities.

Pirated version of Adobe Photoshop comes complete with a Trojan

Just days ago, an earlier version of the iWorkS Trojan horse was seen being distributed in a cracked version of the iWork ’09 software suite.

So, at the moment, the only way we have seen these Trojans being distributed is via pirated versions of commercial copyrighted software. If you aren’t illegally downloading pirated software from BitTorrent sites then you are unlikely to encounter this malware at the moment.

It’s worth remembering, however, that there’s nothing to stop the hackers finding other ways to spread their malware – such as planting it on websites or spamming out links to malicious downloads via email.

Mac malware is nothing like as commonly encountered as malicious code on Windows PCs, but that’s no excuse for Apple users not to properly defend themselves and take sensible precautions to ensure that they are not putting their computers, data and identities in danger.

So, I have a polite suggestion for anyone, whether using a Mac OS X or a Windows computer, who is illegally downloading copyrighted software from the net: maybe you should stop, hmm?

You can find out more about OSX/iWorkS-B in a blog entry by Paul Baccas of SophosLabs.