Security Breach and Fix for those Pirating iWork '09
The antivirus vendor Intego reveals that they've discovered a new Trojan horse that is being carried by pirated copies of iWork '09 circulating on a number of sites.
Intego has classified the Trojan as a "serious" risk and named it OSX.Trojan.iServices.A. The Trojan allows a malicious user to connect to an infected machine and perform any number of functions and download additional software to the machine.
"This software is installed as a startup item (in /System/Library/StartupItems/iWorkServices, a location reserved normally for Apple startup items), where it has read-write-execute permissions for root. The malicious software connects to a remote server over the Internet; this means that a malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac."
Intego reports that tens of thousands of people are still pirating the iWork '09 package on some sites despite the knowledge of the Trojan.
However, there are now instructions on how to deactivate the Trojan. They are:
" 1) (open Terminal.app)
2) sudo su (enter password)
3) rm -r /System/Library/StartupItems/iWorkServices
4) rm /private/tmp/.iWorkServices
5) rm /usr/bin/iWorkServices
6) rm -r /Library/Receipts/iWorkServices.pkg
7) killall -9 iWorkServices"
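A read-only check for the artifacts named in the removal steps above, to run before and after cleanup. This is an added example, not part of the original post or Intego's utility; the function name check_iservices and its optional ROOT prefix argument (for inspecting a mounted backup or disk image) are assumptions.

```shell
#!/bin/sh
# Added example: report which iWorkServices artifacts from the removal
# steps are present. Read-only; it deletes nothing.

# check_iservices [ROOT]
#   ROOT is a hypothetical prefix (not on the page) so a mounted volume or
#   backup can be inspected; default "" means the live system.
#   Returns 0 if nothing was found, 1 if any artifact or process was found.
check_iservices() {
    root="${1:-}"
    found=0
    # The four paths listed in the removal steps.
    for p in \
        /System/Library/StartupItems/iWorkServices \
        /private/tmp/.iWorkServices \
        /usr/bin/iWorkServices \
        /Library/Receipts/iWorkServices.pkg
    do
        target="${root}${p}"
        if [ -e "$target" ] || [ -L "$target" ]; then
            printf 'FOUND    %s\n' "$target"
            # Show owner and mode; the startup item is described as root rwx.
            ls -ld "$target"
            found=1
        else
            printf 'absent   %s\n' "$target"
        fi
    done
    # The process check only makes sense on the live system.
    if [ -z "$root" ] &&
       ps -A -o comm= | sed 's|.*/||' | grep -qx 'iWorkServices'; then
        printf 'RUNNING  process iWorkServices\n'
        found=1
    fi
    return "$found"
}
```

Call `check_iservices` with no argument for the running system, or `check_iservices /Volumes/Backup` for a mounted copy; a non-zero exit status means at least one artifact is still present.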
has also released a free utility to remove the Trojan.
This Trojan looks like it is the first real OS X Trojan to advance beyond the proof-of-concept or pranking stages and really cause some trouble… guess Apple can't say OS X is bug-free anymore.
Source: iWork '09 Torrent Carrying OS X Trojan [Updated] - Mac Rumors