Pirate iWork 09 with Trojan
Symantec, along with anti-virus software producer Intego, announced a Mac OS X Leopard Trojan embedded in illegal copies of iWork 09. The illegal copies are circulating on BitTorrent and similar services that carry pirated software.
Someone (presumably) opposed to piracy hacked the iWork 09 installer, installed the Trojan (technically it's a rootkit), then uploaded it; it began spreading almost immediately as thousands of pirated, illegal copies were downloaded. The Trojan, OSX.Iservice, is rated by Symantec as a low-level threat, but it is still a threat to be taken seriously.
The illegal iWork installer uses the filename iWork09.zip and is approximately 450MB in size. The legitimate installer bears the filename iWork09.zip and is approximately 450MB in size, and is freely, legally available as a thirty-day demo directly from Apple at http://www.apple.com/iwork/.
After the Trojan installs itself, it runs a script at root level with the goal of creating a back door, including opening a port on the infected Mac for connections. It then attempts to connect to the following remote hosts:
69.92.177.146:59201
qwfojzlk.freehostia.com:1024
This is actually very much not good. It means that the Trojan has access to the most basic level of the infected Mac, and that the writer could conceivably use the back door for additional exploits. You can read about the details here and here, in layperson's language. Symantec and other anti-virus companies have released updates. There are also some tools for removal if you downloaded a bootleg copy. The only safe place to download iWork 09 is directly from Apple.
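A defender's check for the two remote hosts listed above, as an added example that is not part of the original post: it parses `lsof -nP -i` output and flags any socket connected to either endpoint. The sample output, the process name `exampled`, and the address 203.0.113.7 standing in for the hostname's resolution are constructed.

```python
# Added example (not from the original post). The IoCs are the two endpoints
# the post lists; everything in SAMPLE_LSOF is constructed for illustration.
IOCS = [("69.92.177.146", 59201), ("qwfojzlk.freehostia.com", 1024)]

# Constructed `lsof -nP -i` output. "exampled" is a made-up process name and
# 203.0.113.7 (documentation range) stands in for the hostname's resolved IP.
SAMPLE_LSOF = """\
COMMAND  PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
Safari   412 alice 12u IPv4 0x0a1b      0t0  TCP 192.168.1.20:49812->198.51.100.10:443 (ESTABLISHED)
exampled 733 root   4u IPv4 0x0a2c      0t0  TCP 192.168.1.20:49901->69.92.177.146:59201 (SYN_SENT)
exampled 733 root   5u IPv4 0x0a2d      0t0  TCP 192.168.1.20:49902->203.0.113.7:1024 (ESTABLISHED)
ntpd      88 root  20u IPv4 0x0a3e      0t0  UDP *:123
sshd     101 root   3u IPv4 0x0a4f      0t0  TCP 192.168.1.20:22->192.168.1.5:1024 (ESTABLISHED)
"""


def parse_remote(name):
    """Return (host, port) for the remote end of an lsof NAME field, else None."""
    if "->" not in name:
        return None  # listening or unconnected socket
    host, _, port = name.split("->", 1)[1].rpartition(":")
    return (host.strip("[]"), int(port)) if port.isdigit() else None


def find_ioc_connections(lsof_text, resolved=None):
    """Flag sockets whose remote endpoint matches an IoC.

    `resolved` maps an IoC hostname to the IPs it resolved to (taken from DNS
    logs or a lookup made on a clean machine), because `lsof -n` prints only
    numeric addresses. Without it, only the IP IoC can match.
    """
    resolved = resolved or {}
    targets = {}
    for host, port in IOCS:
        for ip in resolved.get(host, {host}):
            targets[(ip, port)] = f"{host}:{port}"
    hits = []
    for line in lsof_text.splitlines():
        f = line.split()
        if len(f) < 9 or not f[1].isdigit():
            continue  # header or malformed line
        remote = parse_remote(f[8])
        if remote in targets:
            hits.append({"command": f[0], "pid": int(f[1]), "user": f[2],
                         "ioc": targets[remote]})
    return hits


if __name__ == "__main__":
    dns = {"qwfojzlk.freehostia.com": {"203.0.113.7"}}  # constructed resolution
    for hit in find_ioc_connections(SAMPLE_LSOF, dns):
        print(hit)
```

A hit owned by `root` matches the post's description of the script running at root level; the `sshd` line shows that port 1024 alone, on a host that is not an IoC, is not flagged.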
This episode should be seen as a double warning; piracy is just a bad idea, at every level, and no, the Mac is not invulnerable. It's now an increasingly interesting target for malicious exploits.
Edited to add: There's already a copy-cat Trojan in an illegal copy of Photoshop.











