iTrojan

By Frung at 9:58 pm on January 22, 2009 | 12 Comments

It turns out Macs can catch something. Apple’s most recent version of iWork, the counterpart of Microsoft Office, contains a Trojan. Well, almost.

The pirated version that you can download from places such as The Pirate Bay is the one that contains the Trojan. It includes an extra package when installing, and when the user gives the iWork installer administrator privileges, the Trojan package uses them to launch its own installer. After a successful install, the Trojan sends a message back to the mothership and awaits further orders.

Bundling viruses with pirated versions of popular software seems a logical choice; frankly, I’m surprised it doesn’t happen all the time. Many many many people pirate software, and if you can break the copy protection of the software it’s probably not too hard to insert a virus into the installer, and you’ll already have whatever permissions the installer has, if you work it right. So it makes sense.

It does put publishers in a bind though, because even though they don’t want their product pirated, they probably don’t want their (potential) customers’ computers contracting horrible diseases on account of their software becoming so popular. One of the few ways I see to prevent such occurrences is to solve the piracy problem. People usually pirate because buying the product is too costly, so if you can lower the cost you can prevent piracy to some degree. I know I’d be more inclined to purchase Adobe products if they weren’t so cripplingly pricey. Or if they came with gold bars inside.

Another approach could be for Apple to configure the firewall that comes with OSX to block Trojan-like activity. Perhaps they already do and users decide to turn off the firewall because it’s too complicated, or perhaps the Trojan accesses the internet under the name of iWork and tricks them.

The sites hosting pirated files could also try filtering them for viruses, but this is too difficult to be practical. Not only that, but file-sharing sites don’t monitor content, so this would never happen either.

That leaves trying to prevent people from pirating in the first place, and that’s a noble but nigh-impossible goal if you ask me. Bootlegging has always been and it always will be. I’m sure many people who enable the process break the products for fun, not because of any deep-seated malicious intent. You can’t stop them, and it’s (apparently) easy for them, so it’s futile to try.

Piracy is a whole other issue entirely, both in ethics and prevention, so I won’t get into it here. But I do wonder whether anyone who was already morally on the fence about piracy would swing over to the side of corporations when hearing of the risks such as Trojans.

I do find it interesting that after the virus-ridden version was posted to file-sharing sites but before the publishing of this story, Apple announced that it removed the need for a serial number when installing iWork, and is allowing users to install the product on as many machines as they wish. This causes me to wonder whether Apple knew about the special virus edition of its software and wished to decrease the chance that people would be attracted to pirated versions in the first place. But I do believe that trying to lessen piracy is a good response to the leveraging of their software to attack their customers. Another way Apple could respond is by announcing the issue themselves, and by reiterating the security features built into OSX which can prevent such attacks when utilized properly.

I don’t see attacks via pirated software preventing people from downloading such pirated software, but it’s something to consider if you do decide to partake.

Filed under: Current Events

12 Comments

  • 1
    Comment by sojc701

    January 22, 2009 @ 10:51 pm

    One of the reasons I use Macs is safety. Steve Jobs always calls Mac OS X the safest operating system on the planet.
    When I use a Mac, I have such a different attitude from when using a PC. I didn’t install any antivirus program and turned on the firewall.
    It is a common way to insert malware into a program and distribute it for free. Although it can be applied to the Mac, I’ve never imagined that it happens to the Mac.
    This event dehypnotized me.
    Although this trojan affects only those who download and install iWork illegally,
    it could lead to similar attempts later.
    Like using MAC to protect the integrity of messages, I hope there is a server that software users connect to and check the authenticity of programs.
    I think it is a benefit to both developers and users.

  • 2
    Comment by Evil Rocks

    January 22, 2009 @ 10:57 pm

    Perhaps they already do and users decide to turn off the firewall because it’s too complicated, or perhaps the Trojan accesses the internet under the name of iWork and tricks them.

    Sounds like a subject ripe for some research.

    On another note, I was discussing this with my father the IT professional today and his take was “how long until companies start releasing pre-infected copies of their software on the pirate sites to drive people to legit copies?” which I thought hilarious, but a bit far out on the risk/reward curve for the big software producers.

  • 3
    Comment by erielt

    January 23, 2009 @ 9:11 am

    Addressing the issue of a trojan on a Mac, it’s definitely interesting to see OS X get infected. One of the selling points of the Mac is definitely the lack of viruses and malware. I think that this is a wake-up call that users should heed: malware can be found on all platforms. Hopefully this incident causes people to act a little bit more carefully with installing software from unknown sources. Even though OS X gets its share of vulnerabilities (Quicktime, I’m looking at you), I think the general attitude of the Mac community is a lack of concern with security on their computers, especially with regard to viruses and other malware. The human interaction vector can never be completely fixed (Install this awesome screensaver!), but perhaps this can be a warning that makes Mac owners and maybe all other computer users a little more wary about running software from an untrusted source.

    With the issue that Evil Rocks brought up about companies leaking infected pirate copies, I don’t believe such a scenario will ever arise (at least not with any sane company). The problem is that you don’t want a customer to have malware type issues with your software, even if they don’t acquire it legitimately. Customers may start associating your software with the nasty effects of the pirated copy. In addition, some people may get a pirated copy inadvertently (through a friend, installed by some unscrupulous computer shop, etc), and those customers shouldn’t have to deal with malware from a company’s software just because you don’t want people to pirate. Although I’m not trying to address the issue of piracy here, I do think that malware-bundled leaked copies are not the answer. Imagine the lawsuits if a customer’s files were destroyed by what they thought was a legitimate copy of a company’s software. That would cause some definite damage both financially and to the company’s reputation. I don’t think the (supposed) losses due to piracy could justify such actions.

  • 4
    Comment by cxlt

    January 23, 2009 @ 12:52 pm

    The only reason the trojan works is because installers conveniently have to force you to authorize root privileges, so it was able to sneak into the system within a previously trusted context.

    The truth is that this isn’t a rare instance; often times you’ll find that the keygens for pirated software you download [for Windows; no one writes keygens that run on OS X, even when the software in question is OS X, which is amusing] contain trojans even though they work perfectly. In fact, I’m fairly certain that Avira has taken to searching for the word ‘keygen’ in filenames and automatically marking them as suspected trojans.

    As for the scenario wherein companies begin intentionally releasing pre-infected copies of their software, this is highly unlikely. First, were they to be caught doing so, they would face the same legal consequences anyone else would be for distributing malware with malicious intent. Next, the pirating community is very robust at this point. Not only would users likely catch on and report on the tracker quickly about the malware, there are well-established warez groups in the pirate world and well-established ways of verifying that torrents are authentically from those groups in question. Untrusted sources would likely not get many downloads.

    As for the point about verifying software, it’s moot in this case because of course verifying software with any official source would weed out cracked software, and so the people in question wouldn’t dare do so to begin with.

    And regarding the point about Mac users not caring about security: I think the primary difference is that Mac users on the whole are slightly more savvy. The same things that will cause you problems in Windows will likely do the same in OS X. Users are still among the weakest links in security at large, and it’s hard to effectively protect themselves.

    And the final irony in all of this is that iWork 09 simply requires a serial number on which Apple seems to do very little server-side verification. A simple text file with a legitimate key in it would have sufficed, along with the free trial download from Apple.

    …please buy the software you use.

  • 5
    Comment by cxlt

    January 23, 2009 @ 12:55 pm

    …”protect themselves” should read “protect them from themselves”

  • 6
    Comment by vincez

    January 23, 2009 @ 9:36 pm

    And regarding the point about Mac users not caring about security: I think the primary difference is that Mac users on the whole are slightly more savvy.

    I’m not so sure about this. This article brings to the forefront the differences in security between OS X and Windows. Clearly many more Windows systems are infected by malware, viruses, trojans, etc., but I’m not convinced it’s because Mac users are more savvy or because of the level of security of the systems. If nobody writes code to over-run the buffers in your software, there is nothing to worry about. This is what I think the difference may very well be. As we have all recently learned, successfully developing viruses is not trivial. If an attacker is going to invest the man-hours in developing a virus, of course they are going to develop for the platform that affects the most people. Although you would never know it as a Computer Science student at the UW (it seems like EVERYONE uses a Mac in this department), OS X is a tiny tiny dent in the total installed base of operating systems. This gives little incentive to the attacker, as there is very little return on investment. I think this is why there is very little malware that makes it onto Macs – nobody expends the time and energy to develop it.

    As for software developers releasing infected software on peer-to-peer networks, it seems unlikely, but I wouldn’t rule out something to the same effect. I will never forget the flood of mp3s that were released on file-sharing sites that would play the first ten seconds of a song and then turn into a blaring screech, often times able to physically hurt a listener’s ears. This actually worked on several people I know, convincing them to stop downloading pirated software. I would not put it past companies to start doing something to a similar effect with their software suites.

  • 7
    Comment by stasis

    January 23, 2009 @ 9:51 pm

    Jobs may argue that Mac OSX is the safest operating system on the planet, but I don’t think it is wise to agree. Are there as many public infections for the Mac? Of course not, but whether or not this has to do with the OS’s security or other factors is anyone’s guess. I’ll start changing my mind when Mac has 80% of the market share and still has a low number of exploitable vulnerabilities.

    I concur with CXLT’s statement that the users tend to be the weakest link in security. The behavior that will get you into trouble on a PC will get you the same place on a Mac. If you go to a site and it tells you to rm -rf your home directory, did you just get infected? How about if it asks you if you want to download a special program from a suspicious site? I’m not arguing that the two are the same, but I just want to highlight the similarities.

    This is in no way the first Trojan to target Macs, either. This article describes one from a while ago that infected Mac users who went to certain porn sites. I would like to point out that, in order to be infected, the user had to type in the Administrator password on the machine and accept the install. This is not the case with the iWork Trojan, but the ideas are similar.

    This iTrojan article is also interesting because of its relation to piracy. This is especially true in light of events at the beginning of the month, where a keygen Trojan on Piratebay shut down the user’s access to pirating sites and alerted the user that “downloading is wrong.” Is this part of some larger shift where pirated content is no longer viewed as being safe? Perhaps this will start solving the piracy problem on its own, where the cost of buying software is less than that of repairing your machine after you download infected pirated versions.

  • 8
    Comment by Matt

    January 23, 2009 @ 10:43 pm

    I have to agree with Vincez — in Apple’s case, the best defense is to not have anyone want to hit you. OS X simply doesn’t have the market share (or enterprise software) to lucratively exploit. That’s not to say that there isn’t research done to developing exploits into OS X. Also, there have been some known vulnerabilities with Safari in the past (http://en.wikipedia.org/wiki/Safari_(web_browser)#PWN_2_OWN_Browser_Exploit).
    Safari was also one of the last major browsers to be fortified against Kaminsky’s DNS cache poisoning exploit published this summer.
    Basically, what I’m trying to say is that malware does exist for Apple, so the iWork malware is not a totally unprecedented thing. However, most OS X exploits are not publicly known, which gives many users a false sense of security when running that operating system.

  • 9
    Comment by sunetrad

    January 23, 2009 @ 10:52 pm

    Reading this article reminded me of the particular Mac vs PC ad where Vista’s security flaws were made fun of and it was proudly proclaimed that Mac users had nothing to worry about in terms of malware, viruses or anything that would compromise their system’s security. Although the ad was very witty, it seems that Apple has been a little inconsistent in its stand on the security of its operating system, especially when it issued a technical note saying that anti virus utilities were good and recommended for Mac users.
    However, apart from this Apple specific issue, people need to realize the importance of avoiding risky online behaviors. Installing programs from P2P networks is one of the most insecure practices a user can engage in, irrespective of the operating system in use. What one can learn from this is that no security software is going to protect a user who wants to install malware infected software as long as he/she is willing to ignore any warnings or alerts.
    I thought about what we had learned in class which is “Security of a system is only as strong as its weakest link.” The Apple OS was secure in most aspects however it met a formidable attacker who took advantage of the weakest link and exploited it.

  • 10
    Comment by Father_Of_1000000

    January 24, 2009 @ 3:48 am

    One of the most effective ways to avoid viruses is to trust and help out your fellow p2p comrades. Most of the torrent sites have the option to let users leave comments. If people actually spend time reading the comments left by other downloaders, then most of the time, if the software has a virus somebody will yell out:

    “TROJAN!!!!!! VIRUS!!!!!!! DO NOT DOWNLOAD!!!!!!!!!!!!!!!!!!”

    If that’s not obvious enough, isohunt (probably one of the best torrent sites out there, next to mininova) has a rating system that allows users to give the torrent a + or a -. Soon enough, bad torrents will be obvious since viruses like to dwell in popular downloads.

    But there is no guarantee, just how paranoid you want to be.

    PS: Finding alternatives:
    1) If you don’t support over priced software and can live with it, don’t buy them!
    2) If you don’t care about legality and don’t support pricey software, pirate!
    3) If you are paranoid and don’t support pricey software, download open source crapware (sometimes crapware is actually better)!

  • 11
    Comment by Evil Rocks

    January 24, 2009 @ 11:10 am

    First, were they to be caught doing so, they would face the same legal consequences anyone else would be for distributing malware with malicious intent.

    I grew up reading Gibson and Sterling and all those dystopian nerds and in my view of the world software companies are by-and-large evil and willing to f**k your s**t up just for a cheap laugh.

  • 12
    Comment by Danny

    January 26, 2009 @ 11:35 am

    PS: Finding alternatives:
    1) If you don’t support over priced software and can live with it, don’t buy them!
    2) If you don’t care about legality and don’t support pricey software, pirate!
    3) If you are paranoid and don’t support pricey software, download open source crapware (sometimes crapware is actually better)!

    Speaking of open source crapware, I finally got annoyed enough at MS Word to switch to Open Office. I’ve found it at least AS USABLE as MS Office, but they both seem to have their quirks. The ability to save into .doc, .pdf, and many other formats combined with the price (free) makes Open Office a competitive option. Not having to worry about obtaining a pirated copy with anything “extra” is nice as well.
