More Malware Targeting Users of Pirated Software for Mac

A new variant of a Trojan is targeting users of pirated Adobe Photoshop CS4 software. The Trojan is related to malware uncovered last week that was packaged with pirated copies of iWork ’09.

Users of pirated software have a new headache to worry about. For the second time in less than two weeks, malware targeting Mac computers has surfaced on the Web.

According to an advisory from Intego, OSX.Trojan.iServices.B is a variant of the iServices Trojan the company found last week targeting pirated copies of iWork ’09. This time, the malware has its sights set on versions of Adobe Photoshop CS4 downloaded via BitTorrent trackers and other sites containing links to pirated software.

“The actual Photoshop installer is clean, but the Trojan horse is found in a crack application that serialises the program,” Intego’s advisory reads.

As of 6 a.m. on the 25th January, nearly 5,000 people are believed to have downloaded the Trojan, according to the advisory.

After downloading this version of Photoshop, users will run the crack application to be able to use it, the advisory continues. The crack application extracts an executable from its data and installs a backdoor in /var/tmp/, which is not deleted when the computer is restarted.

The crack application then requests an administrator password and launches the backdoor with root privileges, the advisory says. The program saves the root password hash in the file /var/root/.DivX. In addition, it listens on a random TCP port, answers requests such as “GET / HTTP/1.0” by sending a 209-byte packet, and makes repeated connections to two IP addresses.
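The traces described above can be checked on a Mac or on a mounted copy of its disk. The script below is an added example, not code from Intego's advisory or from the removal tool; its function names are hypothetical, and because the page does not name the backdoor file, it lists every executable in /var/tmp for review rather than matching a name.

```shell
#!/bin/sh
# Added example: look for the traces described in the advisory text.
# Usage: sh iservices_triage.sh /             (live system, run as root)
#        sh iservices_triage.sh /Volumes/img  (mounted copy of a disk)

# Prints one finding per line. Returns 0 if anything was flagged, 1 if not.
iservices_triage() {
    t_root="${1:-/}"
    t_root="${t_root%/}"   # "/" becomes "", so the paths below stay well-formed
    t_status=1

    # Trace 1: the file the advisory says holds the root password hash.
    if [ -e "$t_root/var/root/.DivX" ]; then
        echo "FOUND  $t_root/var/root/.DivX"
        t_status=0
    fi

    # Trace 2: the backdoor dropped in /var/tmp/. The page gives no file
    # name, so every owner-executable regular file is listed for review.
    t_hits=$(find "$t_root/var/tmp" -maxdepth 1 -type f -perm -100 2>/dev/null)
    if [ -n "$t_hits" ]; then
        printf '%s\n' "$t_hits" | sed 's/^/REVIEW /'
        t_status=0
    fi
    return "$t_status"
}

# Trace 3 (live system only): the backdoor runs as root and listens on a
# random TCP port, so list root-owned listeners for comparison with what
# the machine is expected to run.
list_root_tcp_listeners() {
    command -v lsof >/dev/null 2>&1 || return 0
    lsof -nP -a -u root -iTCP -sTCP:LISTEN 2>/dev/null
}

# Runs only when a root path is passed on the command line.
if [ "$#" -gt 0 ]; then
    iservices_triage "$1" || echo "No file-system traces under $1"
    if [ "$1" = "/" ]; then list_root_tcp_listeners; fi
fi
```

A REVIEW line is a prompt to inspect the file, not a verdict: legitimate software also leaves executables in /var/tmp.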

“Since the malicious software connects to a remote server over the Internet, the creator of this malware will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely,” the advisory reads. “The Trojan horse may also download additional components to an infected Mac.”

Last week, the original version of the malware was found in pirated versions of Apple’s iWork ’09. By the 22nd January, the Trojan reportedly had infected some 20,000 users of the pirated iWork ’09. A free tool to remove this Trojan is available on SecureMac.

Although Mac users have historically had a relatively easy time when it comes to malware (the number of viruses targeting the Mac is far lower than the number targeting Microsoft Windows), the incident does underscore the dangers of downloading pirated software.

“Intego recommends that users never download and install software from untrusted sources or questionable Web sites,” the advisory states.