De la Théorie à la pratique
The Year in Mac Security 2009: An Annual Report from Intego

January 2010 by Intego Security Alert

The year in malware began in January 2009, shortly after Apple announced new software at the Macworld Expo in San Francisco. The company’s iWork ’09 suite of productivity software was updated in January, and no sooner had it been released than malware writers took advantage of it. The iServices Trojan Horse[1] was provided as an additional installation package inside an installer for iWork found on BitTorrent trackers and other sites containing links to pirated software.

This was all the more interesting as the iWork disk image was more than 450 MB; hardly something that one would download casually. Yet it was effective; in just a short time, Intego found that more than 20,000 people had downloaded the infected disk image. The iServices Trojan opened a backdoor on infected Macs, and it connected to remote servers to download new code. It was actively used as part of a botnet that was involved in distributed denial of service attacks and more.

Shortly thereafter, given the success of the first version of the iServices Trojan, the same cybercriminals planted the next version of their malware with copies of Adobe Photoshop CS4 for Mac found on BitTorrent trackers[2]. The actual Photoshop installer was clean, but the Trojan horse was found in a crack application used to serialize the software. Functioning in a similar manner to the first version, the iServices.B Trojan horse allowed remote users to perform actions on infected Macs.

The RSPlug Trojan horse, which Intego first discovered in October 2007, was as virulent as ever. Variants of RSPlug were found throughout the year, often masquerading as a video codec, including one in February[3], two in June[4][5], and two in July[6][7]. One of the new variants, in March 2009[8], was written especially to taunt Intego. In December 2008, one variant had already done this, containing code which said “begin 666 intego”. This is a uuencode header: it tells the decoder to create a file with read and write permissions (the 666 is Unix permission notation, nothing to do with the “number of the beast”) named “intego”, containing malicious code. The new version contained the following code: niagasekirtsogetni 666 nigeb (the same kind of header written backwards; reversed, it reads “begin 666 integostrikesagain”).
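As an added example (not code from the Intego report), a small Python scanner that flags uuencode “begin” headers in a script, including ones written backwards like the variant quoted above, and decodes the octal mode into permission bits so an analyst can see at a glance what file the payload would drop. The sample script is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample resembling the two headers quoted in the report
# (hypothetical data, not taken from the actual malware samples).
SAMPLE_SCRIPT = """\
#!/bin/sh
echo installing
begin 666 intego
niagasekirtsogetni 666 nigeb
echo done
"""

# A uuencode header is "begin <octal mode> <filename>"; the mode becomes the
# permissions of the file the decoder writes out.
UU_HEADER = re.compile(r"^begin\s+([0-7]{3,4})\s+(\S+)\s*$")


def mode_to_rwx(mode_octal: str) -> str:
    """Render an octal mode such as '666' as the familiar rw-rw-rw- form."""
    bits = int(mode_octal[-3:], 8)
    out = []
    for shift in (6, 3, 0):
        triple = (bits >> shift) & 0o7
        out.append("".join(f if triple & (4 >> i) else "-"
                           for i, f in enumerate("rwx")))
    return "".join(out)


def find_uu_headers(text: str) -> List[Dict[str, object]]:
    """Return every uuencode 'begin' header found in text, trying each line
    both as written and reversed, with the mode decoded and a flag saying
    whether the header was hidden by reversal."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        for candidate, was_reversed in ((line, False), (line[::-1], True)):
            m = UU_HEADER.match(candidate)
            if m:
                hits.append({"line": lineno, "mode": m.group(1),
                             "perms": mode_to_rwx(m.group(1)),
                             "filename": m.group(2),
                             "reversed": was_reversed})
                break
    return hits


if __name__ == "__main__":
    for hit in find_uu_headers(SAMPLE_SCRIPT):
        print(hit)
```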

The full report is available as a PDF (957.5 kB).
