The Year in Mac Security 2009 An Annual Report from Intego
January 2010 by Intego Security Alert
The year in malware began in January 2009, shortly after Apple announced new software at the Macworld Expo in San Francisco. The company’s iWork ‘09 suite of productivity software was updated in January, and no sooner had it been released than malware writers took advantage of it. The iServices Trojan horse [1] was provided as an additional installation package inside an installer for iWork found on BitTorrent trackers and other sites containing links to pirated software.
This was all the more interesting as the iWork disk image was more than 450 MB; hardly something that one would download casually. Yet it was effective; in just a short time, Intego found that more than 20,000 people had downloaded the infected disk image. The iServices Trojan opened a backdoor on infected Macs, and it connected to remote servers to download new code. It was actively used as part of a botnet that was involved in distributed denial of service attacks and more.
Shortly thereafter, given the success of the first version of the iServices Trojan, the same cybercriminals planted the next version of their malware in copies of Adobe Photoshop CS4 for Mac found on BitTorrent trackers [2]. The actual Photoshop installer was clean, but the Trojan horse was bundled with a crack application used to generate a serial number for the software. Functioning in a similar manner to the first version, the iServices.B Trojan horse allowed remote users to perform actions on infected Macs.
The RSPlug Trojan horse, which Intego first discovered in October 2007, was as virulent as ever. Variants of RSPlug were found throughout the year, often masquerading as a video codec, including one in February [3], two in June [4][5], and two in July [6][7]. One of the new variants, in March 2009 [8], was written especially to taunt Intego. In December 2008, one variant had already done this, containing the line “begin 666 intego.” This is the header line of a uuencoded file: when decoded, it creates a file named “intego” with Unix permission mode 666 (read and write for everyone; the number is an octal permission mode, not a reference to the “number of the beast”) and fills it with the malicious code that follows the header. The new version contained the same kind of header written backwards: niagasekirtsogetni 666 nigeb
To see it in full:
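The uuencode header discussed above, as an added example that is not part of Intego's report or of the malware itself: a small Python helper that scans text for `begin <mode> <name>` headers written forwards or, as in the March variant, backwards, recovers the mode and filename, and decodes the body with the standard library's `binascii`. It assumes only the header line was reversed (the report shows nothing else being reversed), and the uuencoded samples it scans are constructed inside the block, not taken from any sample.

```python
"""Spot uuencode headers, forward or reversed, and decode what follows.

Added example, not Intego's code and not malware code.  "begin 666 intego"
is the header line of a uuencoded file (octal mode 666, filename "intego");
the later RSPlug variant wrote that line backwards.  This helper finds both
forms, recovers mode and filename, and decodes the body.  It assumes only
the header line is reversed; the sample blocks below are constructed here.
"""
import binascii
import re

# uuencode header: "begin <octal mode> <filename>"
HEADER_RE = re.compile(r"^begin ([0-7]{3,4}) (\S.*)$")


def make_uu_block(filename, data, mode=0o666, reverse_header=False):
    """Build a uuencoded block (constructed fixture); optionally reverse the
    header line the way the reversed RSPlug variant did."""
    header = f"begin {mode:o} {filename}"
    if reverse_header:
        header = header[::-1]
    body = b"".join(
        binascii.b2a_uu(data[i:i + 45]) for i in range(0, len(data), 45)
    ).decode("ascii")
    return f"{header}\n{body}`\nend\n"


def find_uu_headers(text):
    """Yield (line_index, mode, filename, was_reversed) for every header
    line in `text`, trying each line as written and then reversed."""
    for i, raw in enumerate(text.splitlines()):
        line = raw.strip()
        for candidate, was_reversed in ((line, False), (line[::-1], True)):
            m = HEADER_RE.match(candidate)
            if m:
                yield i, int(m.group(1), 8), m.group(2), was_reversed
                break


def decode_uu_body(lines):
    """Decode uuencoded lines up to the "end" marker.  Blank lines are
    skipped because a2b_uu() expands an empty line to 32 NUL bytes."""
    out = bytearray()
    for raw in lines:
        if raw.strip() == "end":
            break
        if not raw.strip():
            continue
        out += binascii.a2b_uu(raw)  # the "`" terminator decodes to b""
    return bytes(out)


def analyze(text):
    """Return one record per uuencoded block in `text`: the file it would
    create, its permission mode, whether the header was obfuscated by
    reversal, and the decoded payload."""
    lines = text.splitlines()
    records = []
    for idx, mode, filename, was_reversed in find_uu_headers(text):
        records.append({
            "filename": filename,
            "mode": mode,
            "reversed_header": was_reversed,
            "payload": decode_uu_body(lines[idx + 1:]),
        })
    return records


if __name__ == "__main__":
    # Constructed samples: a forward header and a reversed one.
    blob = make_uu_block("intego", b"#!/bin/sh\necho hello\n")
    blob += make_uu_block("integostrikesagain", b"payload", reverse_header=True)
    for rec in analyze(blob):
        print(f"{rec['filename']} mode {rec['mode']:o} "
              f"reversed={rec['reversed_header']} bytes={len(rec['payload'])}")
```

Reading the mode out of the header is the useful part for triage: a dropped file with mode 666 is world-writable, so anything else on the machine can rewrite it, which is a different cleanup problem from a file only its creator can touch.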