Symantec uncovers Trojan concealed in pirate copies of Apple's iWork '09

Disguised as a copy of the trial version of iWork '09, from Apple, the phony iWork '09 installer has the filename iWork09.zip - so users can easily be duped into thinking this is the legitimate version from Apple.

In contrast, the legitimate trial version of iWork '09, available from Apple is named iWork09Trial.dmg. The Trojanized package contains parts of the iWork '09 trial version, but also includes a malicious installer named iWorkServices.pkg.

The OSX.iWork threat can unleash malicious code onto the users Mac which then connects them to a remote system hosted elsewhere. This means the pirates can then send commands to the infected machine to scan for sensitive or valuable information, track where the user goes on the internet and record what the user types - leaving the unwitting recipient vulnerable to identity theft and at risk of financial loss.

Symantec explains how the threat has occured on its Security Response blog: 'When software developers create an installer for the Mac, it's often several mini-installers, or packages, that are run in a particular sequence. Each package (.pkg file) contains specific code and a script makes sure that the code is placed in the right part of the hard drive so your computer can use the software. In this case, the main installation script was changed so not only did it run the 'right' software packages, but it also installs another package, sensibly named "iWorkServices.pkg," which unloads the malicious code that connects the users to a remote system- leaving them open to attack.'

Symantec Security Response rates OSX.iWork as a low-level threat, but states that it is still significant because with the current economic crisis, increasing numbers of people might be tempted to use pirate software instead of paying for it.

According to Symantec what's particularly vexing is that unless users have some kind of security software, they would never know their Mac was compromised because the iWork components themselves would work normally. Symantec recommends that users:
• Be careful where they download software (and do not use pirate software).
• If they want to try out the software type in the following URL (http://www.apple.com/iwork/) which will direct them to Apple's homepage, so they know it's legit.
• Scan drives regularly for threats using quality security software. Users might also want to think about installing a firewall to check for unauthorised connections into and out of their Mac.
• Ensure security software is kept up to date and stay informed about current threats.