We all know that software piracy is bad--it hurts the people who write software for a living--but it can also be dangerous. Case in point: the recent OSX.Iservice Trojan horse discovered today (January 22nd). Apparently, someone has uploaded Apple’s popular iWork 09 suite and added a Trojan horse to the installer.
Some background: When software developers create an installer for the Mac, it often consists of several mini-installers, or packages, that are run in a particular sequence. Each package (.pkg file) contains specific code, and a script makes sure that the code is placed in the right part of the hard drive so your computer can use the software. In this case, the main installation script was changed so that it not only ran the "right" software packages but also installed another package, sensibly named "iWorkServices.pkg," which unloads malicious code that connects to a remote system--meaning that system could then send commands to the infected machine to scan for sensitive information, track where the user goes on the Internet, record what the user types...you get the idea.
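One way to spot an extra component like the one described above is to compare the packages inside an installer bundle with the list you expect. The script below is an added example, not part of the original post or any Symantec tool; the bundle layout, the ComponentA/ComponentB names and the expected list (which would come from a copy obtained from the vendor) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): compare the component packages
# found inside an installer bundle with a list of the packages you expect.

# Print the file name of every .pkg found under the directory "$1".
list_components() {
    find "$1" -mindepth 1 -name '*.pkg' -print | sed 's|.*/||' | sort -u
}

# Print every component under "$1" whose name is not a line in the file "$2".
# grep exits non-zero when nothing is left over, so "|| true" keeps this quiet.
unexpected_components() {
    list_components "$1" | grep -v -x -F -f "$2" || true
}

# Constructed sample: a fake installer bundle with placeholder component names
# plus the extra package named in the post. The directory layout is assumed.
demo() {
    tmp=$(mktemp -d) || return 1
    pkgs="$tmp/Sample.mpkg/Contents/Packages"
    mkdir -p "$pkgs/ComponentA.pkg" "$pkgs/ComponentB.pkg" "$pkgs/iWorkServices.pkg"
    printf '%s\n' ComponentA.pkg ComponentB.pkg > "$tmp/expected.txt"
    unexpected_components "$tmp/Sample.mpkg" "$tmp/expected.txt"
    rm -rf "$tmp"
}

demo
```

This compares names only, so a tampered package that keeps an expected name would pass; it complements scanning rather than replacing it.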
While Symantec Security Response rates OSX.Iservice a low-level threat, it is still significant because with the current economic crisis, more and more people might be tempted to pirate software instead of paying for it. What's particularly vexing is that unless users have some kind of security software, they would never know that their Mac was compromised because the iWork components themselves would work normally.
Our recommendation is obvious--be careful where you download software (and please, don't pirate software). If you want to try out iWork, visit http://www.apple.com/iwork/; that way you’ll know it’s legit. Also, be sure to scan your drive regularly for threats using quality security software. You may also want to think about using a firewall to check for unauthorized connections into and out of your Mac. If you do have security software, keep it up to date and stay informed about current threats.
We have more information about this threat here. Also, Andy Cianciotto with the Symantec Security Response Blog has written an article about this threat here--a very good read, with screenshots and some more technical notes.
We have also made sure that a definition for this threat is included in the Norton AntiVirus for Mac, Norton Internet Security for Mac and Symantec AntiVirus for Mac definition files, so make sure to run LiveUpdate!