Stephen Withers
Friday, 23 January 2009 01:40
Opinion and Analysis
Intego says that more than 20,000 copies of the Trojan had been downloaded by 6am US EST on January 22.
In traditional fashion, this Trojan has been given different names by different vendors. Intego calls it iServices.A, at Symantec it's OSX.Iwork, and F-Secure has given it the label OSX/iWorkServ.A.
It is detected by Intego's January 22 definitions, and by Symantec's January 22 rapid release from revision 025 (take care, because it won't make the weekly release until January 28). As of this writing, it seems that Sophos is still investigating the issue.
The trouble with Trojans is that users actively choose to install them, and installing legitimate software requires the same sort of access that a malware installer wants. For example, the antivirus product I use has components in exactly the same folder that iWorkServices lives in.
So there isn't really anything an operating system can do about it. But a Trojan can be detected before it runs by an antivirus program that automatically scans files as they are opened.
A more advanced firewall program such as Little Snitch may also provide protection by warning that a new piece of software is trying to establish an Internet connection.
The real answer is to rely on trusted sources of software. While there has been the odd example of legitimate products being distributed with malware (e.g., in 2006 a small number of iPods shipped with a Windows virus on them), downloading from warez sites and torrents has always been considered a risky business.