WARNING: First Malicious Mac OS X Trojan Horse Spreading Via Pirated iWork '09

For those who are apparently not bright enough to download iWork '09 directly from Apple (the demo contains the full application packages), and instead opted for a download via BitTorrent, be warned: the first Mac OS X trojan horse to get past the proof-of-concept stage and conduct malicious activities on Macs is spreading via copies of iWork '09 on the BitTorrent network.
The trojan horse, named OSX.Trojan.iServices.A and identified by Intego, is able to install itself as a startup item running as root via the pirated iWork '09 installer, right after a user inputs their administrator password in the iWork '09 installer (thereby using the installer's authentication to inject itself into the protected StartupItems folder).
Once installed, the trojan horse sends information out to certain computers on the Internet, letting a malicious user know the computer has been infected. That malicious user can then direct the infected Mac to download additional software and run commands as root.
There's already evidence that upwards of 20,000 infected Macs have been used as a botnet in coordinated denial-of-service attacks.
If you were an idiot (hey, I'm honest here) and downloaded iWork '09 via BitTorrent: shame on you! I ought to laugh at your "just deserts" for stealing Apple software!
...but I hate the thought of fellow Mac users with trojan virus infected machines becoming part of a botnet (I mean really, that's *so* Windows), so I'll share the solution MacRumors has published to cure your infected Mac, you dirty stinkin' pirate:
- (open Terminal.app)
- sudo su (enter password)
- rm -r /System/Library/StartupItems/iWorkServices
- rm /private/tmp/.iWorkServices
- rm /usr/bin/iWorkServices
- rm -r /Library/Receipts/iWorkServices.pkg
- killall -9 iWorkServices
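
Before deleting anything as root, it helps to confirm which of the files named in the steps above are actually present. The read-only check below is an added example, not part of the original post or the MacRumors instructions; the function names and the optional ROOT argument (for scanning a mounted volume or a test tree instead of the live system) are assumptions of this example.

```shell
#!/bin/sh
# Read-only check for the files and process named in the removal steps above.
# Added example: function names and the ROOT argument are this example's own.

ISERVICES_PATHS="/System/Library/StartupItems/iWorkServices
/private/tmp/.iWorkServices
/usr/bin/iWorkServices
/Library/Receipts/iWorkServices.pkg"

# Print every listed path that exists under ROOT (empty ROOT = live system).
iservices_find_files() {
    root="${1:-}"
    echo "$ISERVICES_PATHS" | while IFS= read -r p; do
        # -e follows symlinks; -L also catches a dangling symlink
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            printf '%s\n' "$root$p"
        fi
    done
}

# Succeed if a process whose executable is named iWorkServices is running.
# ps may print a full path for comm, so compare only the last path component.
iservices_process_running() {
    ps -A -o comm= 2>/dev/null | awk -F/ '{print $NF}' | grep -qx iWorkServices
}

# Print findings; return 1 if anything was found, 0 if nothing was.
iservices_report() {
    root="${1:-}"
    status=0
    found=$(iservices_find_files "$root")
    if [ -n "$found" ]; then
        echo "Files from the removal list are present:"
        echo "$found" | sed 's/^/  /'
        status=1
    fi
    # The process table only describes the live system, so skip it for a ROOT.
    if [ -z "$root" ] && iservices_process_running; then
        echo "Process iWorkServices is running"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "No iWorkServices files or process found"
    return "$status"
}
```

Source the file and run `iservices_report` for the running system, or `iservices_report /Volumes/SomeDisk` for a mounted volume; nothing is modified either way.
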
Yet another reason why ninjas > pirates.
Mac Trojan Horse OSX.Trojan.iServices.A Found in Pirated Apple iWork 09 [Intego]






Umm, what about the pr0n trojan horse a couple of months ago. I realise it had b00bs in it, but it still counts, doesn't it?
And the .mp3 applescript? That one didn't even need your password.