Apple Trojan Strikes Again - this time in Adobe CS4
Last week we reported that up to 20,000 users had downloaded a rogue installer of Apple’s iWork ‘09 suite containing a Trojan horse. The Trojan, named OSX.Trojan.iServices.A, has unrestrained root access, which it immediately uses to connect to a remote server over the Internet. A secondary download installs malware that makes victims part of a botnet army that is said to be attacking undisclosed websites.
Today, reports are coming in that certain copies of Adobe’s Photoshop CS4 contain the offspring of the iWork ‘09 Trojan. The new Trojan horse, aptly named OSX.Trojan.iServices.B, is found in pirated software distributed via BitTorrent and other sites containing links to pirated software.
The OSX.Trojan.iServices.B Trojan is found bundled with copies of Adobe Photoshop CS4 for Mac. The actual Photoshop installer is clean, but the malware is found in a crack application that serializes the program. The crack application installs a back door with a randomized name in the /var/tmp/ directory. It then asks for an administrator password to operate the back door with root privileges, opening up your computer to hackers for remote operation.
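Because the back door's file name is randomized, a name-based search of /var/tmp/ is of little use; a triage check has to look at file type and ownership instead. The following is an added example, not code from Intego, SecureMac or the original article: it lists Mach-O executables under a directory (default /var/tmp) with their ownership and mode flags for manual review. It does not identify this Trojan specifically, since the article gives no signature, and the function names are assumptions of the example.

```python
import os
import stat
import struct
import sys

# Mach-O magic numbers as they appear when the first 4 bytes are read big-endian.
MACHO_MAGICS = {
    0xFEEDFACE, 0xCEFAEDFE,  # 32-bit, both byte orders
    0xFEEDFACF, 0xCFFAEDFE,  # 64-bit, both byte orders
    0xCAFEBABE, 0xBEBAFECA,  # universal/fat (0xCAFEBABE is also a Java .class)
}

def is_macho(path):
    """Return True if the file starts with a Mach-O or universal-binary magic."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return False  # unreadable: rerun with sufficient privileges to inspect
    if len(head) < 4:
        return False
    return struct.unpack(">I", head)[0] in MACHO_MAGICS

def scan(directory="/var/tmp"):
    """List Mach-O regular files under `directory` with ownership/mode flags."""
    findings = []
    for root, _dirs, files in os.walk(directory):  # does not follow symlinks
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not is_macho(path):
                continue
            findings.append({
                "path": path,
                "root_owned": st.st_uid == 0,
                "executable": bool(st.st_mode & 0o111),
                "setuid": bool(st.st_mode & stat.S_ISUID),
            })
    return findings

if __name__ == "__main__":
    for finding in scan(sys.argv[1] if len(sys.argv) > 1 else "/var/tmp"):
        print(finding)
```

A temporary directory has little reason to hold native executables, so any hit, especially a root-owned one, is worth checking against the running process list before relying on a removal tool.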
Update: If you were one of the unfortunate users to get infected with the iWork ‘09 Trojan or the Photoshop CS4 Trojan, SecureMac.com, Inc. has developed an “iServices Trojan Removal Tool” that successfully checks for and deletes both infected Trojan versions (OSX.Trojan.iServices.A and OSX.Trojan.iServices.B). To download the malware remover, visit MacUpdate at the end of the article, and purchase or use your AntiVirus software to prevent data theft and many other problems.
Intego has classified this as a serious security alert and has included detailed instructions on their site for diagnosis and removal of the Trojan. The best solution is to arm yourself with good AntiVirus software that updates daily. Panda Security makes a good product, and Symantec has been a highly rated consumer research product this year as well. Check them out here for serious savings…
The link to Intego’s security alert can be found here.