Pirate to pwned with Apple's iWork '09

File sharers picking up pirated copies of the newly released iWork '09 apps suite may be biting into a poisoned Apple. Various Mac-security sites and sharing sites such as BitTorrent are reporting that some versions of the file are carrying a Trojan that can phone home and install additional malware.

PC users are encouraged to console their Mac brethren about what sounds, frankly, like a rather familiar scenario. The Trojan, which Intego is calling OSX.Trojan.iService.A rides along with the pirated versions of iWork as a package called iWorkServices.pkg. It installs as a startup item during the usual installation process and gets in contact with a remote server. What happens next can vary, but considering that the Trojan gives itself read/write/execute permissions, it's capable of doing anything from grabbing more malware to turning into a botnet-style zombie under the command of a remote server.

A Mac botnet? There's an exciting prospect; as a security professional of our acquaintance points out, with Mac's superior multitasking, such a bot could percolate along in the background with relatively little effect on the machine's overall performance. That could, ironically, make detection much harder, since users wouldn't notice that anything was sluggish or otherwise wrong.

Tens of thousands of people are believed to have downloaded the karmically enhanced version of iWork '09. Readers who suspect they've caught a dose of the compu-clap should check /System/Library/StartupItems for iWorkServices. If it's present, a reformat and clean reinstall is recommended, with apps reinstalled from master disks rather than backups.