New Mac Trojan Spread By Pirated Adobe Software


Apple is once again the target of a Mac-only Trojan variant launched on the Mac OS X via pirated versions of Adobe Photoshop CS4.

Mac security company Intego issued a security advisory Monday, warning Mac users of the Trojan variant, which is estimated to have infected at least 5,000 Macs as of Jan. 25.

The Trojan is a variation of the iServices Trojan malware, discovered last week, which stormed across users' Macs via pirated versions of Apple's productivity suite iWorks '09. As of Jan. 22, at least 20,000 users were believed infected by the malware, known as OSX.Trojan.iServices.A, according to the security advisory.

Similar to the previous version of the malware, the new Mac Trojan variant is spread through file-sharing sites such as BitTorrent trackers and other sites that contain links to pirated software.

The new Mac Trojan variant OSX.Trojan.iSerices.B, detected last Thursday, is found in the crack application bundled with copies of Adobe Photoshop CS4 for Mac.
While the actual Adobe Photoshop installer is bug-free, the Trojan embeds itself into a crack application that serializes the program, Intego said. After downloading the pirated Photoshop, the crack application extracts an executable from its data, then installs a backdoor in a file directory, which is not deleted when the computer reboots. If the user runs the crack application again, the Trojan creates another executable with a different name, making the malware more difficult to trace and safely remove.

The crack application requests an administrative password, and then launches the backdoor with root privileges. Next, the crack application then opens a disk image hidden in its resource folder called .data, and proceeds to crack the Photoshop program, allowing it to be used as a vehicle to spread the malware.

The malware connects to a remote server via the Web, which alerts the attackers when the virus is installed. Once downloaded, the information-stealing Trojan enables hackers to remotely control users' computers in order to steal sensitive or financial information or access users' accounts for identity theft purposes, security experts say.

"It's there to steal data and it's there gathering information for a long time," said David Perry, director of global education for security company Trend Micro. "It's part of a bigger business plan."

Perry said that the Mac Trojan isn't a virus per se, meaning that it cannot be transmitted user to user, but rather is installed through bootleg copies of the Photoshop application. Mac software tends to be more expensive than PC software, which could potentially be a factor in the rise of a bootleg industry for Mac applications, Perry said.

"What (users) find out is that switching to a Mac is way more expensive," said Perry. "We have a bunch of artists and creative people running Macs. A great many of them want to pirate that software."

Intego warned in its advisory that users should avoid downloading cracking software available from sites that distribute pirated software, while also recommending that users never download software from unsolicited links or questionable Web sites.

"The risk of infection is serious, due to the number of infected users, and these users may face extremely serious consequences if their Macs are accessible to malicious users," Intego said in its advisory.

Meanwhile, Perry said that the rapid succession of both the iWorks and Photoshop Mac Trojans are indicative of a trend of malware targeting Macs in months to come.
"These things tend to travel in packs," he said.

This article has been updated.