
January 26th, 2009

Mac Trojan horse found in pirated Adobe Photoshop CS4

Posted by Andrew Nusca @ 8:11 am


A new variant of the iServices Trojan horse has been discovered by Intego.

The new Trojan horse, OSX.Trojan.iServices.B, is found in pirated software distributed via BitTorrent trackers and other sites containing links to pirated software, just like the previous version.

The OSX.Trojan.iServices.B Trojan horse is found bundled with copies of Adobe Photoshop CS4 for Mac. The Photoshop installer itself is clean, but the Trojan horse is found in a crack application that serializes the program.

According to Intego:

After downloading this version of Photoshop, users will run the crack application to be able to use it. The crack application extracts an executable from its data, then installs a backdoor in /var/tmp/, a directory which is not deleted when the computer is restarted. (If the user runs the crack application again, the Trojan horse creates a new executable with a different name; these random names make it harder to ensure safe removal of the malware.)

The crack application then requests an administrator password, launching the backdoor with root privileges. This copies the executable to /usr/bin/DivX, then creates a startup item in /System/Library/StartupItems/DivX. The program checks to see if it has been launched with root privileges, then saves the root hash password in the file /var/root/.DivX. It listens on a random TCP port, and answers requests such as GET / HTTP/1.0 by sending a 209-byte packet, and makes repeated connections to two IP addresses.

Next, the crack application opens a disk image which is hidden in its resource folder, named .data, and proceeds to crack Photoshop.


Since the malware connects to a remote server over the Internet, the creator will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely, the company says.

The Trojan horse may also download additional components to an infected Mac.
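
The file paths in Intego's description can be checked directly. The script below is an added example, not code from Intego or from the original article; the function name check_iservices_b and the FOUND/REVIEW output labels are made up for illustration, and only the paths come from the text above.

```shell
#!/bin/sh
# Added example: look for the file-system artifacts Intego lists for
# OSX.Trojan.iServices.B. Pass a volume root to inspect (default "/").
# On a live system run as root, since /var/root is not readable otherwise.

check_iservices_b() {
    root="${1:-/}"
    root="${root%/}"            # "/" becomes "", so "$root/usr" is "/usr"
    found=0

    # Fixed paths named in the Intego description.
    for rel in usr/bin/DivX \
               System/Library/StartupItems/DivX \
               var/root/.DivX; do
        if [ -e "$root/$rel" ] || [ -L "$root/$rel" ]; then
            echo "FOUND  $root/$rel"
            found=1
        fi
    done

    # The backdoor dropped in /var/tmp has a random name, so it cannot be
    # matched by path. List executable regular files there for manual review;
    # -perm reads the mode bits, so this also works on a mounted image.
    if [ -d "$root/var/tmp" ]; then
        find "$root/var/tmp" -maxdepth 1 -type f -perm -100 2>/dev/null |
            sed 's/^/REVIEW /'
    fi

    # 0 = none of the fixed paths exist, 1 = at least one does.
    return "$found"
}

# Run against the root given on the command line, if any.
if [ "$#" -gt 0 ]; then
    check_iservices_b "$1"
fi
```

A REVIEW line is only a candidate, since legitimate software may also leave executables in /var/tmp; a FOUND line matches a path the report attributes to the Trojan horse.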

WHAT TO DO: If you’re a Mac user, do not download Photoshop CS4 installers from sites offering pirated software. According to Intego, nearly 5,000 people on one BitTorrent site have downloaded this installer since 6am EST.

In other words, don’t do crack.

The risk of infection is serious, Intego says: “Due to the number of infected users, these users may face extremely serious consequences if their Macs are accessible to malicious users. The first version of this Trojan horse was seen downloading new code to infected computers, which were then used in a DDoS (distributed denial of service) attack on certain web sites. Since this new variant uses the same technology, and contacts the same remote servers, it is likely that it will attempt to download new code and perform such actions.”

The company also noted that the iWork 09 torrent that they warned about on January 22 has been downloaded by at least 1,000 more people since the warning.

Andrew J. Nusca is an associate editor for ZDNet and SmartPlanet.

Talkback (most recent of 79)

RE: Mac Trojan horse found in pirated Adobe Photoshop CS4
Admin privileges make no difference once you allow an exe; these apps can communicate and get instructions via HTTP the same as your browser.

It's still best, I think, for apps to install in adm...
Posted by: bklooste Posted on: 02/02/09