Symantec Discovers First Ever Mac Botnet

Techtree News Staff, Apr 20, 2009 1758 hrs IST

Found in pirated iWork 09 suite


At the MacWorld 2009 conference, Apple introduced a new business productivity suite, iWork 09. Symantec security researchers have now found that the malware in pirated copies of iWork 09 uploaded to torrent sites creates a botnet on Mac systems.


 


We had pointed out that a Trojan existed in pirated copies of the iWork 09 suite downloaded through torrent programs. About 20,000 users had downloaded the pirated iWork 09 suite using torrent clients by the time Intego reported the malware.


 


After the torrented copy of iWork 09 is installed, two new services, OSX.Iservice and OSX.Iservice.B, are also installed as startup items and gain root-level privileges. These two services use different methods to obtain a Mac user's password and then take control of the machine.


 


Symantec researchers Mario Ballano Barcena and Alfredo Pesoli posted their findings at Virus Bulletin (requires subscription). The botnet has some sophisticated capabilities that suggest the work of an experienced programmer who may have rented out his creation to someone else, who actually used it for denial-of-service attacks, a common pattern seen in botnets formed from Windows PCs.


 


Many have cited the Mac OS X botnet residing on Mac systems as responsible for some denial-of-service attacks. A PHP script running as root launches attacks against an unknown website, as noted in this blog post. A copy of this bot was also detected in the pirated Adobe Photoshop CS4 torrent, which was likewise reported by Intego in January 2009.


 


It's surprising that one platform that always competed with Microsoft Windows is becoming the scapegoat for malicious code based activities. However, these Trojan-based attacks might just be the beginning of the end - of security on Mac.




USER COMMENTS

Didn't we already know about this bnet about 3 weeks ago?

by Robert MacEwan, Washington, NC, on Apr 21, 2009 07:57 AM
