There is a Trojan in pirated copies of Apple's iWork '09
For those who thought they were getting a free version of iWork, some got a lot more than they bargained for. Intego today released an alert saying that the Mac Trojan horse OSX.Trojan.iServices.A was found in a pirated copy of Apple iWork '09 that had been downloaded (and probably installed) over 20,000 times as of this morning.
While this Trojan isn't particularly dangerous in terms of spreading (you have to install it and put in your password credentials; it doesn't spread through emails or the network), it can take a toll on your Mac once installed. If you already have it, an anonymous hacker can pretty easily get full control of your machine. As of now, the infected machines seem to be actively downloading new code and being used to carry out denial-of-service attacks on certain websites.
The trojan is just an enhanced version of the original iWork installer with an extra little installation package which installs iWorkServices.pkg into your /System/Library/StartupItems/.

Intego states:
When installing iWork 09, the iWorkServices package is installed. The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer’s request of an administrator password (in older versions of Mac OS X, 10.5.1 or earlier, there will be no password request). This software is installed as a startup item (in /System/Library/StartupItems/iWorkServices, a location reserved normally for Apple startup items), where it has read-write-execute permissions for root. The malicious software connects to a remote server over the Internet; this means that a malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac.
Intego is issuing this alert to warn Mac users not to download iWork 09 installers from sites offering pirated software. (As of 6 am EST, at least 20,000 people have downloaded this installer.) The risk of infection is serious, and users may face extremely serious consequences if their Macs are accessible to malicious users.
Obviously, you can avoid this trojan by not downloading illegal torrents (iWork, in this case). If you have already gotten the Trojan, you'll either need to pick up some Mac antivirus software or follow these steps (provided by MacRumors):
1) (open Terminal.app)
2) sudo su (enter password)
3) rm -r /System/Library/StartupItems/iWorkServices
4) rm /private/tmp/.iWorkServices
5) rm /usr/bin/iWorkServices
6) rm -r /Library/Receipts/iWorkServices.pkg
7) killall -9 iWorkServices
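Before deleting anything, a read-only check of the four paths and the process name from the steps above shows whether a Mac is affected. This is an added example, not from Intego or MacRumors; the `iws_*` function names and the optional root argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only check for the iWorkServices artifacts named in the
# removal steps. Nothing is deleted or killed here.

# The four paths from the removal steps.
IWS_PATHS="/System/Library/StartupItems/iWorkServices
/private/tmp/.iWorkServices
/usr/bin/iWorkServices
/Library/Receipts/iWorkServices.pkg"

# Print every artifact that exists under ROOT, one per line.
# ROOT is an assumption of this example: empty means the running system,
# otherwise a mounted backup or disk image to inspect offline.
iws_find_artifacts() {
    root="${1:-}"
    printf '%s\n' "$IWS_PATHS" | while IFS= read -r p; do
        # -L also catches a dangling symlink left at one of the paths.
        if [ -e "${root}${p}" ] || [ -L "${root}${p}" ]; then
            printf '%s\n' "${root}${p}"
        fi
    done
}

# Succeed if a process whose executable name is exactly iWorkServices is running.
iws_process_running() {
    ps -axo comm= 2>/dev/null |
        awk -F/ '$NF == "iWorkServices" { hit = 1 } END { exit !hit }'
}

# Report findings; return 1 if anything was found, 0 if the system looks clean.
iws_report() {
    root="${1:-}"
    rc=0
    found=$(iws_find_artifacts "$root")
    if [ -n "$found" ]; then
        printf 'Artifacts present:\n%s\n' "$found"
        rc=1
    fi
    # The process check only makes sense against the live system.
    if [ -z "$root" ] && iws_process_running; then
        echo "Process iWorkServices is running"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "No iWorkServices artifacts found"
    return "$rc"
}
```

Source the file and call `iws_report` with no argument to check the running system; a non-zero return means at least one artifact from the steps above is present.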
And next time, take advantage of Apple's free 30 day trial of iWork!



