New Mac Trojan appears in pirated versions of Photoshop CS4 – 5,000 infected so far

I’ve said it before and I’ll say it again, “Just Say No to Torrents, kids!”

Uh oh… another week, another Mac Trojan horse discovered. This time around, it’s folks who are downloading cracked copies of Adobe Photoshop CS4 from BitTorrent sites that are in danger. According to Mac security software maker Intego (who discovered last week’s iWork 09 virus), the Photoshop trojan is a new variation on the OSX.Trojan.iServices virus found last week.

Exploit: OSX.Trojan.iServices.B Trojan Horse
Discovered: January 25, 2009
Risk: Serious
Description: Intego has discovered a new variant of the iServices Trojan horse that the company discovered on January 22, 2009. This new Trojan horse, OSX.Trojan.iServices.B, like the previous version, is found in pirated software distributed via BitTorrent trackers and other sites containing links to pirated software.

OSX.Trojan.iServices.B Trojan horse is found bundled with copies of Adobe Photoshop CS4 for Mac. The actual Photoshop installer is clean, but the Trojan horse is found in a crack application that serializes the program.

After downloading this version of Photoshop, users will run the crack application to be able to use it. The crack application extracts an executable from its data, then installs a backdoor in /var/tmp/, a directory which is not deleted when the computer is restarted. (If the user runs the crack application again, the Trojan horse creates a new executable with a different name; these random names make it harder to ensure safe removal of the malware.)

The crack application then requests an administrator password, launching the backdoor with root privileges. This copies the executable to /usr/bin/DivX, then creates a startup item in /System/Library/StartupItems/DivX. The program checks to see if it has been launched with root privileges, then saves the root hash password in the file /var/root/.DivX. It listens on a random TCP port, and answers requests such as GET / HTTP/1.0 by sending a 209-byte packet, and makes repeated connections to two IP addresses. Next, the crack application opens a disk image which is hidden in its resource folder, in a folder named .data, and proceeds to crack the Photoshop program, allowing it to be

Since the malicious software connects to a remote server over the Internet, the creator of this malware will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac.
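A read-only check for the on-disk artifacts the advisory above names, added here as an example (it is not Intego's tool and not part of the original post). The sample tree and the file name a8f3k2 are constructed for the demo; the script assumes a POSIX sh with find and mktemp.

```shell
#!/bin/sh
# Added example (not Intego's or the blog's code): look for the paths the
# advisory lists. ROOT lets it run against "/" on a live Mac or against a
# mounted copy of a suspect volume.
check_iservices_b() {
    root="${1%/}"        # strip a trailing slash so "$root/$p" is well formed
    hits=0
    for p in usr/bin/DivX System/Library/StartupItems/DivX var/root/.DivX; do
        if [ -e "$root/$p" ]; then
            echo "FOUND: /$p"
            hits=$((hits + 1))
        fi
    done
    # The dropper also leaves a randomly named executable in /var/tmp, so list
    # executables there for manual review. Legitimate software uses /var/tmp
    # too, so these are review items, not counted as indicators.
    if [ -d "$root/var/tmp" ]; then
        find "$root/var/tmp" -maxdepth 1 -type f -perm -100 2>/dev/null |
            sed "s|^$root|REVIEW: executable in |"
    fi
    echo "indicators matched: $hits"
    [ "$hits" -eq 0 ]    # exit status 0 = clean, 1 = advisory artifacts present
}

# Constructed sample tree mimicking the advisory's footprint (demo only).
make_sample_tree() {
    root="$1"
    mkdir -p "$root/usr/bin" "$root/System/Library/StartupItems/DivX" \
             "$root/var/root" "$root/var/tmp"
    : > "$root/usr/bin/DivX"
    : > "$root/var/root/.DivX"
    : > "$root/var/tmp/a8f3k2"      # stands in for the randomly named dropper
    chmod 755 "$root/usr/bin/DivX" "$root/var/tmp/a8f3k2"
}

# Run the check against the constructed tree and report its exit status.
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    check_iservices_b "$tmp"; status=$?
    rm -rf "$tmp"
    return "$status"
}
```

On a suspect Mac, run `check_iservices_b /` as root so that /var/root can be read; `demo` exercises the same function against the constructed tree.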

(Anyone else filled with a sick sense of “Apple Pride” that more people are pirating the $79 iWork 09 (20,000 infections) than the $700 Adobe Photoshop CS4? (5000))

If you feel you might be at risk of infection, Intego suggests you run their VirusBarrier program, or if you are feeling lucky, you can wait and hope SecureMac saves you by releasing a free Trojan removal tool, like they did last time. Just don’t do any electronic banking for a while.

24 Responses to “New Mac Trojan appears in pirated versions of Photoshop CS4 – 5,000 infected so far”
  1. Ian says:

    I’m not that glad to see a Trojan for the Mac such as the OSX.Trojan.iServices.B Trojan Horse, but I am glad to see it installed with the over priced Photoshop CS4.

    I don’t download torrents, never have, never will and I’ve been around computers for 14 years.

  2. Kuzya says:

    Little Snitch will solve all these problems!!! 🙂
    Really good application!
    Plus… first time I see that a crack requires an admin password.

  3. Doc says:

    Seems to me a little weird that Intego found both of these. Let me see, want to sell a product that is fear based, no one is afraid so let’s create a few viruses and release them in cracked versions of various software packages. Now ppl are running to buy our product.

    Sound far fetched? With the economy in the tank, I don’t put anything past these companies.

  4. Brian says:

    No virus protection software is going to protect you AFTER you have been infected. You have no idea what the Trojan has installed on your system, no matter how much you scour your machine later. And while Little Snitch may warn you about the outbound connections the Trojan is attempting, fact is, you’re still infected. (A creative malware creator would trap for the presence of an outbound firewall like Little Snitch and disable it.)

    The only REAL solution to the problem is to reformat and either reinstall from scratch or restore from a clean backup.

    And… don’t be an idiot and download pirated software.

  5. Doc says:

    If anything I think these malware programs will do more to prevent pirating than increase sales of anti-virus software.

  6. kirkgray says:

    MacMall has Photoshop CS4 for $700. Where are you buying it for $300?

  7. Sam says:

    With all these trojans going around, I’m starting to feel some apprehension toward pirating all of my software. Soon I may have to start spending money and buy it! My God, what are the interwebitubes coming to? At least we Mac users can still feel safe pirating music and movies.

  8. Mike Meyer says:

    Don’t blame torrents for the evil done by pirated software. There were trojans in pirated software long before there were p2p technologies, and they were spread by any number of media – including being passed around on floppies and CD via sneakernet. You wouldn’t warn people never to accept software on floppies and CD because pirated software on them had trojans, would you?

    Torrents let authors who don’t want to pay for a fat pipe distribute software from their sites. I’ve discovered a number of interesting musicians by downloading torrents via their sites. And the open source community is adopting torrents as a distribution media – much of the software that they give away these days has a torrent as well as the disk image or archive available for download (and unlike commercial software, often has checksums for what you download so you can check that the bits haven’t been tampered with).

    The problem isn’t torrents – it’s pirated software. Avoid that in all mediums, and what remains on those mediums will probably be safe to use.

  9. Dominic says:

    RE: #8

    Yes, we know. Torrents don’t own boxes, pirates with trojans own boxes. I don’t think the good doctor was advocating the abandonment of the BitTorrent protocol; the word “torrent” is largely synonymous with “pirated software” for many readers.

  10. Leuton says:

    Next thing you know these pesky trojans may be slipped in the next batch of iPods and iPhones infecting Macs everywhere. Same thing happened to Windows PCs a few years ago. This is just the beginning friends, I am afraid…

  11. CyberTeddy says:

    Now the bubble is cracked… dream destroyed… and now the people ’ll install anti-virus, anti-spyware, anti-this, anti-that and anti-whatever to protect the Mac, like the Windows machines. And then they’ll waste 2 hrs a day scanning and ask themselves why the computer is so f****** slow (even without a virus/trojan on board).

  12. Lance says:

    This is the end.

    We shall sell our computers and buy synthesizers.

  13. David says:

    I think we have to face the fact that the day where Mac users boast that they “don’t need anti-virus software” is at an end. It was always a matter of time. Macs are an untested ground; virgin territory waiting to be explored for virus writers. And it will get worse: as Windows loses more and more market share to other OSes like Linux and OS X, more people will design viruses on those OSes to make a name for themselves. (And possibly, companies will put more viruses out so that they get their product sold).

    It’s just best to stop griping and go get a good anti-virus app. There are some great free ones in Windows and there will be for Mac… eventually.

  14. iShervin says:

    this is stupid!
    in a way that people shouldn’t use torrent is good! but it’s stupid that others can make Trojan and these kinda crap things for mac! 10.6 will need a better security then…

  15. ratGT says:

    I’ve been reading all this BULLCRAP this past month from various sites and couldn’t resist writing (AT LAST!). How the heck can you compare these couple of so-called ‘Trojan/Virus’ on Mac OS X with the Windows versions (a collection close to 200000) ?!?!? In Windows ANYTHING can be installed in the background without you even noticing or being asked about ANYTHING, while on Mac OS X, in order for the Trojan/Virus to reach serious system resources, it’ll have to ask for an Administrative password (for root privileges).

    Now, if you are STUPID ENOUGH to enter the Admin password for a ‘cracking-utility’, then you REALLY deserve the scorching of your entire Hard Disk!…

    In my almost 25 years of PC computing, I FINALLY GAINED BACK my computing life after I bought my first Mac and I’m NEVER going back to the dark-age of the Microsoft software for ANY Mac OS X Trojan or Virus…

  16. gaz says:

    Sorry but you can not stop a trojan installing on any platform. OS X just needs ClamAV installed by default and set to scan files on download. The problem with OS X is the lack of AV software on most users’ Macs, not security.

  17. Richard says:

    Makes you almost want to go back to windows pirated software, at least I have a HUGE range of antivirus programs at my disposal

    still, as previous post stated, seems sus, OSX is so secure, all of a sudden 2 new trojans in the space of a week found by the same ‘anti’virus company

  18. mac and apple sucks says:

    I think it’s great that so many people think that since they have a Mac they can’t get a virus, and I told them that they would get a virus or a trojan and when they do they will get screwed over. Go Trojan keep getting those asshole mac and apple lovers!!!!!!

  19. imajoebob says:

    First, and foremost (I’m going to shout) THIS IS NOT A VIRUS!! This is a Trojan Horse. It hides in another file and loads onto a SINGLE computer. It does not replicate, nor does it install itself on other computers. That replicating and spreading is why they are called viruses. This doesn’t qualify. It’s a trap that is sprung on naïve (and in this case dishonest) users. It even requires the participation of the user.

    But 5,000 infected pirate copies? And that doesn’t include the non-infected copies. No wonder Adobe has to charge 700 bucks a copy. There could be 3 or 4 pirates for every legit copy out there! Thank your friend with the stolen copy after you shelled out the big bucks for yours.

  20. mc says:

    Did you even read?

    If a user can connect to your computer then it can be used to infect other computers. So yes it is a trojan/virus. And I am sure they mean connect and use the computer as a zombie box.

    So people, as I’ve been saying for a long time, buy legit software and stop the crap. No OS is that safe, period. You must use an anti-virus today.
    Vista / Windows 7 ask the same permissions before going further so you can get off that horse.

  21. attie says:

    Oh look, it’s another trojan for mac. Remember two years ago, when some trojan for mac surfaced, and hell failed to freeze over? It will fail to this time too.

  22. Trevor Ramage says:

    Does anyone know the name of the torrent??

  23. Diego says:

    It’s a shame that so many people are misinformed, ratGT is the only one saying something informed, there will never be viruses on Macs or Linux, all because of how UNIX works, as he said, you have to be stupid enough to give the virus root privileges.

    But I’ll have to correct myself then, there are stupid people, so there will be trojans on macs, but there will never be one on MY mac and I will never use an anti-whatever again 🙂

  24. G5 says:

    Hi there

    I double clicked the crack file, but when it asked me the password, I knew that it’s not what I’m seeking 🙂 and I quit immediately. (I gave no password)
    could I be infected ??
    can this file hurt even without getting my password ?
    any idea ??
    anyway here’s the file name on torrent sites :
    “Adobe Photoshop CS4 11.0 Extended (Mac OS X) Includes Crack+serial (Works 100%).zip”

