A new iWork '09 package for Macs, introduced at MacWorld 2009, appeared on torrents literally the same day. Naturally, it was a pirated version, but that is not the most interesting part: the popular Mac OS software package came with an "appendage" in the form of the OSX.Trojan.iServices.A trojan. According to experts from Intego, about 20,000 computers are infected.
The trojan registers itself to run at startup and gets full rights, so it can easily install additional malicious code and modify installed applications.
The good news is that the trojan does not spread by itself: you can only get it by installing a pirated copy of iWork '09. So beware!
UPD: There was a news story in which a user states that he got infected by downloading the trial version from torrent trackers instead of the official site. It also has some details on the symptoms.
UPD 2: Detection and removal methods (thanks to ilmarinen)
1. Before installing iWork '09, check whether it contains an iWorkServices.pkg package (this is the appendage with the trojan).
2. If it is already installed and you are not sure whether the trojan is present:
   1. (open Terminal.app)
   2. sudo su (enter password)
   3. ls -la /System/Library/StartupItems/iWorkServices
   If it says "No such file or directory", the trojan is not present.
3. If you already have the trojan:
   1. (open Terminal.app)
   2. sudo su (enter password)
   3. rm -r /System/Library/StartupItems/iWorkServices
   4. rm /private/tmp/.iWorkServices
   5. rm /usr/bin/iWorkServices
   6. rm -r /Library/Receipts/iWorkServices.pkg
   7. killall -9 iWorkServices
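
The detection step above looks at only one path; the script below is an added example (not part of the original post) that does a read-only check of all four file locations named in the removal steps. The function name iworkservices_check and its optional root-directory argument (for checking a mounted volume or backup) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: read-only check for the file artifacts named in the
# removal steps. Nothing is deleted or modified.

# Paths taken from the removal steps on this page, one per line.
IWS_PATHS="/System/Library/StartupItems/iWorkServices
/private/tmp/.iWorkServices
/usr/bin/iWorkServices
/Library/Receipts/iWorkServices.pkg"

# iworkservices_check [ROOT]   (hypothetical helper name)
# Prints "FOUND <path>" for every listed path that exists under ROOT
# (default: the live system). Returns 1 if anything was found, else 0.
iworkservices_check() {
    root="${1:-}"
    found=0
    # None of the paths contains whitespace, so word splitting is safe.
    for p in $IWS_PATHS; do
        # -e follows symlinks; -L also catches a dangling symlink.
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            echo "FOUND $p"
            found=1
        fi
    done
    return "$found"
}

# Check the live system, or the volume/backup root passed as $1.
if iworkservices_check "${1:-}"; then
    echo "No iWorkServices artifacts found."
else
    echo "iWorkServices artifacts present; see the removal steps above."
fi
```

Some of these locations may not be readable by an ordinary user, so run it with the same privileges as the manual check.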