Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


More Malware Targeting Users of Pirated Software for Mac



 By: Brian Prince
2009-01-26
Article Rating:starstarstarstarstar / 7


There are 2 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
A new variant of a Trojan is targeting users of pirated Adobe Photoshop CS4 software. The Trojan is related to malware uncovered last week that was packaged with pirated copies of iWork '09.

Users of pirated software have a new headache to worry about. For the second time in less than two weeks, malware targeting Mac computers has surfaced on the Web.

According to an advisory from Intego, OSX.Trojan.iServices.B is a variant of the iServices Trojan the company found last week targeting pirated copies of iWork '09. This time, the malware has its sights set on versions of Adobe Photoshop CS4 downloaded via BitTorrent trackers and other sites containing links to pirated software.

The actual Photoshop installer is clean, but the Trojan horse is found in a crack application that serializes the program, Integos advisory reads.

Resource Library:

As of 6 a.m. EST on Jan. 25, nearly 5,000 are believed to have downloaded the Trojan, according to the advisory.

After downloading this version of Photoshop, users will run the crack application to be able to use it, the advisory continues. The crack application extracts an executable from its data and installs a backdoor in /var/tmp/, which is not deleted when the computer is restarted.

The crack application then requests an administrator password and launches the backdoor with root privileges, the advisory continues. The program saves the root hash password in the file /var/root/.DivX. In addition, it listens on a random TCP port, answers requests such as GET / HTTP/1.0 by sending a 209-byte packet and makes repeated connections to two IP addresses.

Since the malicious software connects to a remote server over the Internet, the creator of this malware will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely, the advisory reads. The Trojan horse may also download additional components to an infected Mac.

Last week, the original version of the malware was found in pirated versions of Apples iWork '09. By 6 a.m. EST Jan. 22, the Trojan reportedly had infected some 20,000 users of the pirated iWork '09. A free tool to remove this Trojan is available on SecureMac.

Although Mac users have historically had a relatively easy time when it comes to malwarethe amount of viruses targeting the Mac is far lower than those targeting Microsoft Windowsthe incident does underscore the dangers of downloading pirated software.

"Intego recommends that users never download and install software from untrusted sources or questionable Web sites," the advisory states.






  Reader Comments: More Malware Targeting Users of Pirated Software for Mac
>>> Post your comment now!
A user comment on this article
I wonder if this will convince people not to steal software? Nah.
Posted At: 01-30-09
By: Anonymous
Mac Malware
To all Cyber Monsters: Have your fun with windows, but stay away from macs.
Posted At: 01-26-09
By: BitMonster
>>> Post your comment now!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


xr㶲(;; YڦxiJVlҌ3JEĘ"Hʗ䬗v8x %ٞq2DFh4{$sW7-gL.\snS?úO Y'w>{ &(ˑԫ1m3HnwݶN=gP'^C᳙(,Q H5K&OxgMlM1ečz5o0 fE1;&}9B ~5;6(CJep$ZwvH~Th⻶eMGaoN w*Nuol9 QCRTR/FXP~FDc?9CvN5{PB5;U'Ҵ?@Sա*"U{ahBz.91rzн[F&lwsDFL$٪؁E$Ӥbf=Qw^C]õ]\./RF͌e:guGgbGMҳG]L0H6=D?ĭQ IfqO-%z^yy< uȭzk׳߂Cݸ{1ܳL`D TmO |lMݟP>I unGGr(˺79hmyaijTӪrT5X;rދWcm9 2w7[޾޹RV5MQjU? n0uh;\CR EeS Pc,{/B oVq+ZVH+(.##-byOa`%pfQUri[򳹥}o__]wzmo_wڧ>ߘekfy3?b Jw3B~ V7ke{#kjꜴ{ ݹGtHM Wh:w N\kU[^`KėvO^MXCyC0-ߕRMRs~huOd[W;'$'MD[qN {[-t[ۗ9K }!zc-? ,_ f kķLJo$SNE ;@:9]sfZ[cW MXrƒ) t$uWϝ7>hr Ce)#p?݃IhJq䰉k>ذ 1"%hJ@{e $}ВEtBAͨO%ތEOtvϧԴPwP?: pѦޣ8ݘXI7B4A>+GݺzL߳=Wԇ5j`IE 6 &>v\P|2Zw9ܻ-L&w0`DVwCPbLTM}PAX\7 >)3PlmNl}h`1 5%aFi0xz[2(%E2G 4.gP)AH =k \99~ ޑvZ*&RP*m=!ԑt݁Z*=h3aGe-n^ $ d6g2+IMiG0V-&D7r"e.G 7Kᙖ6ZlkVe y=0ГޙLdd ٚM܏> BX͙;eL o¯u(َKhL©(9 Yҋs d50J%gYA3'|(@]4>+WUPÃ"`"+42[m̞w(V֌f;NrB@S*,H@fmdz?;Oq)2Sf$),4tOݡ~~uVkCT]^u 9R@{4 m 246@Ȱ\k_X5QW(:,)T saŰ,Bl6<E9̆ɨ_-iMf@v:=F5}n&VU OG,m+ZrirX,y|-lD0(2n( 鿛R&a+\ڨOaOwAsm0Ho[=<fM\?&BXt+@Zl&VUmTHbyq 0b={1rt\Xtf²읶ה])ϥ_(̧6y+D*> 0f&6X#˦>oُgWKHZSYClX.)Uij"yd\s˰e0:f}<~A+p& >FkwYвJzu6$\.(J9)` N 2&|h:|#H& ,w\d0!P\Q-W0.#_L_LU1(TOnQE^~~ VKŴ谢zԘ{}Qː 0gted->흧 IR-frheU-UjR9_VqTG"MϨpV6ʼnG =q?@*:2 XZ 0(E{耰⢉!h{+4khý235RZS*ݝ'(R~hoZyඨ,3YZD]bRYEGʚQzCԃ3~Sb_@URTʞwZu^ߜ]hDA`! Нv;#ؐCKAk1ʯ!q>:(TX7gmE{H^ac7U[@oF)-ғe4 "|GIV`]j[|8.SoJ@?(1sԳйtNsl }~rnAf D|8 F.K6,^ira;9Qo@Hms11 `;G=!?_l6a%|N:@"#f.s_wf=]~oLg4>ʀkG2gdQhVz\ 4v}cLB.MDo"iBq=C H\}PK(,~w9ـo |\V*Z솣d9#T`| @-!y?6o -"ԄtLaV*7xo~.RȓC$>DQkF\12a7ZPf㘘ٿX?hUeQbsE1 7k{_% ?/Ѝ ?s c(m'@ޏcﻛNvH ۦ>^E!2a^=}W^^ab>"g·~A`}f{^j\00JVCR:"hueK\4?pCmtj2e'A)p>{9ճ"b{l:km}8-odhq^8K%I{e[Jbw;j܃,= YE#B򜜷ȧ5vhR`AQ~H13^3ltܗu}͙C9kI.Dz=jWE.'27Le8ZۍW9 ²VXȬE`&|C7$T0r$ ,׀zB*Λi%D[( 1te}E/R)Q\(뉞hY}ҽnr lo}AF_(ί0Kѷo9Aߐ>O1Ofo4~ P=8Y,rh%縵vRt0?x>6 z?"i^;g Í76"TS8L,ӤN)fT،)~[ħ{, /䎑()td ekxFM{uS棏G 95'y V7N{m,b20}~k_㆟yP1n'lLcI"ɫ׺7}\8%'+x|42q/nP2QY;pGҠccmf<ݸw[f1vfo}|}& ~ ]=PI=w)~=Ғ(r_&ZDNp5Q {qI9.x}?,J`\Ty^Av6`#B"fFcME[ofO<|nF?v@b*?=zg[QżQ?ۧiEl%T _p;&})5X{OH,Ilvy5k1tMnA$z`N2ܪeHjT~ m2n69Ȍ_MEvC{"m8rR[< !`˺M``A3gg^,VfI\`d+JĆZ)hZӞi_u/ /:q#2Λi`yf=P5>@gP?ej]|t^jRr*bUF-gZ~ƶFg&dqo#+c86*UeKn<%D{o#KeTBc͏@]{0jppg9<(oMEtC[ WX7`Ă$6y0%XUJ6 A=QG{Mu3)K'`&\JT#&wAxH'$$Ix{[QR۲[ደG!BR{S5<&RVִ Ae0I&۞F$H|IF+8oHH fi.0,c#2ԢCARMe0f 'bO2YE1yrPy DJ45^q GI\| YG8=7c\i~1xx*RU-*Z {%hy倄T"x9+ྗMJSܑUURK2`2\N-o 裸N&Nzs+N]O:m/CA: U /K tI0O<D'c|GfW/LL%MvSMٖO+/ŧE7If&NpJYʑJWI*#%WsOwllT%AXz N6jW8<U~ZxX֔{cuqBtI_FhYc D-c"]pkL+052oi4G SϢ8N\liޟɎ'w[~:~0:;vT|I׼~aUV  ܙң/ӺJWms_:yRO; IEoaoW'05֕|yH(h9n׋zŗb\0fjD3UqНGLB`١Ka⠾oƖlbнe:9c.U"o"~tfFB *'jtu{۾6\x]n2q” 6Y7TR_f=D &zl K~}JLϤN ^O޴?K\k';OؖX Y  I@8$1< ZmGnAab ANs/Os2$,En.%RݱmLz&]ş-oWm.j3wW5pEx_M Wo͓3wa¾6osB(35;6۬7ofvj}m4kk3&A-[o&6௶eulauN8^/{ t#[~{ԽKfTgZ֝f6dfph֒_fHI$8&w$QqD3's3&%Xz$"R,K`1I|`u1Mp\|@Q^/m+ѱGոe^ ˦m/'It'r5X,hILÑBu}sTa-;fDh䧺lȯxϰq{Q]#@q"o(kʁV=P,[Y+ Z3&ME*ނ0HQ&B{@JVH4isR}CQ58sMllN!Vy <7L6#7j=!vߦv̈́|W@O[jkw1g{8YՉHǝ mݹ]|5&<6ڢR[ Xie7{ dh-MaZ ! ~rQD#'9'U"cm J~RR,Cy^iwqݗǮV5U*5YQa(#R%ϻra#;XieZ{r#u[ϋqϝ =/bZN{#̀Gp= )eq->v"AfkgQklwma>:>([}1߽ZۭktX tPhW5XC@/0޻K{IV^YC5XtEDڭJ]kJ^@yj 4Zu,uJ'X^snz.z˳yY&ge~".M/0̊۾%U$d[jtowAQg)fHtGw,@8(@$5,/HkW"гr-x+nO5 SLP{">_ňR>fD+9mgbOcBdgS_+@JLB(fYiv' o.'_o/>VHUGod@2<|W"W|-]ͲD4X 1}H } Ort7\9P[K86w_ 6f^zGZQ!IGC>xIi4"&s'؏p+S'"΀!,E||0XV$ʽOg-<-RWld""@Ո_f9l~V =GwB&8 x_wM0菄}Jsrb1}Ə 'lI<R+6tA #.k)?{χ\oX|J7o9fkH s)؇c*5훟/{JM)`Y$u2Dt083+%2&P9 dU 79|?_{=&n%[ք ᑰ 5" 蛋7(mDRPiFctkX,k8j98mu;WLQXj*{3w Os(@yTH"0XJ)T&}fAm?pkGSJn67p>9/Ɯ,a4`\Kma`t.t?OgGA~2?t:&Z&5KޝQ>ɖàzEQp#ߛSg0Y4غ9P;eI5#'uԦF h7Q똫1C=W܄qP ">^sФo%u?CBP~ (By794h3Od})4>חurN+2N~\f ?2?C<>v_d_d^dsA EF/?/2"?QF/3 ?eAYF?P~Q{1 ?s w1~]O7CtAt3U\W_\gO_>f'(UѿO@Orߛ o2ڿ\'I73y S›3Kqʠ/ޯxfOvHy>j~h|Z/OUq4 5%pN!3J81| H-MԳpN08_kj L=C9}54]MWnƜ؉Ʈ; P7maIfT.jZQo\)Uʹ俓k$2^z@ ᐚDdU*.ZX,.g /(@#غM{%}C7<8fȳRLq u+k % P1=:pǬ* ۼx`T ގe@7 J,5{SŨЫD@3ǝ_ pot1R  {{[2gډe:Gq8ˍ,}dy4;s,iށz~4@;4Xr(9Pųl1@Щ>zdp!gB-ҋKt!^¹PeD˺U B` jϗ5[n%c$Q#鴥"9Z/ipzx " n+m_[3@Z/`5ݤq&f\ !𰙄i׌̯anLiU?j틷$YLAv3Fdu#aq1ld@(we6Lm (~%.,wbs/. S@8>cc6Hm\wrlCkBu7L2B _Kݤ Id .d⟐|e'0O&=-3=^$u60=9i\_D{LxWƇ ?Y>KGJLƎ$z 0qgy 0t[ēC{)B9.O X3Wd]dA_d|bOh6MxXUm&$rq;at>]&J~ł霰)#,|H𵝦n犱Lt6q>+'s.|ۃcxPƂ!نIf;W1^{#R49P%)^Ղ[#rF331F#qyU p+0)`t`"l "@"drtPŗ) Mm'#84B>ԼlQ޺%76x}҄ O1Su ѫv.9|x@NlMlj_ԕU`g#~"3V[œA6p8s`ܐ}olI CO2?Fu:h/Asl+ 6[ +"ۂ KmӴ>u¥"UXJMX,8. k4⿶ Q W.9Bu6٠^|:ym뎮E{Ofuݍfmx:" 7]!Kb 1C>`]R>ŔK.)tOꋰANt3NE7k,^zXٻbnpS`hwq#b }u+e!.1:.XݫlׁR#nȅ+`jk7E]EtA<;=k=v{ksb&igNbk:*φŀpVs6W=?5zlvf~wx:Y:}#s!oYX&7ęV /O CׅѰ0 L{,lyEG%RRNfK#fE1[Rj2 19.O)xI1%h3l䣈mAb?k[#),wL xje2FvdzU\Z-^cdX$֬LE")ԛa:(z0 s͹!׆! a+c~,Km) 3 {ς ixz XXC`*3F"eS1C7@n0\|EH d[\O^مu3\j/YH~> fr*r*]xD4;NbŠ_yfO/0,#ŠN|]t1^e_:m^t?Jz`gg^vXvQJe!V0oǝF6̈́ В^&ŮvbecImŞ.