Jan 28 2009

Trojan Found in Pirated Copies of Adobe Photoshop CS4 for Mac

  • Written by soulxtc
  • 4 Comments


Mac users downloading copies via BitTorrent tracker sites get hit with another malware attack.

Just yesterday I reported on how Mac users, who have prided themselves for years that it was their PC cousins bearing the brunt of virus and malware attacks, were being infected by a Trojan horse contained in pirated copies of Apple’s iWork ‘09 downloaded from public BitTorrent tracker sites.

Now a new variant of the iServices Trojan horse has been discovered by the same security firm, Intego, in pirated copies of Adobe Photoshop CS4.

The Photoshop installer itself is clean; the Trojan horse is in the crack application that serializes the program.

OSX.Trojan.iServices.B

After downloading this version of Photoshop, users run the crack application to be able to use it. The crack application extracts an executable from its data, then installs a backdoor in /var/tmp/, a directory whose contents are not cleared when the computer is restarted. (If the user runs the crack application again, the Trojan horse creates a new executable with a different name; these random names make it harder to ensure safe removal of the malware.)

The crack application then requests an administrator password and launches the backdoor with root privileges. The backdoor checks that it is running as root, copies its executable to /usr/bin/DivX, creates a startup item in /System/Library/StartupItems/DivX, and saves the root password hash in the file /var/root/.DivX. It listens on a random TCP port, answers requests such as GET / HTTP/1.0 with a 209-byte packet, and makes repeated connections to two IP addresses.

Next, the crack application opens a disk image which is hidden in its resource folder, in a folder named .data, and proceeds to crack the Photoshop program, allowing it to be used.
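As an added example, not code from the Zeropaid post or from Intego's advisory, the following POSIX shell function checks a volume for the file-system indicators the advisory describes above. The three fixed paths are the advisory's; the function name, the optional root-prefix argument (so a mounted disk image of a suspect volume can be scanned offline), and the treatment of any executable regular file in /var/tmp as a finding to review (the dropper's name is random, so no fixed path exists) are assumptions of this example.

```shell
#!/bin/sh
# Added example: check a volume for the file-system indicators Intego
# attributes to OSX.Trojan.iServices.B. Not code from the post or advisory.
#
# Usage: iservices_b_check [ROOT]
#   ROOT is an optional prefix (a mounted volume or disk image); with no
#   argument the live system is checked. One line is printed per finding;
#   nothing is printed when no indicator is present.

iservices_b_check() {
    root="${1:-}"   # empty string = live system (assumption of this example)

    # Fixed paths named in the advisory: the root-owned copy of the backdoor,
    # its startup item, and the file holding the saved root password hash.
    for p in \
        /usr/bin/DivX \
        /System/Library/StartupItems/DivX \
        /var/root/.DivX
    do
        if [ -e "$root$p" ]; then
            echo "INDICATOR: $root$p"
        fi
    done

    # The first-stage backdoor lands in /var/tmp under a random name, so there
    # is no fixed path to test; flag any executable regular file there (dot
    # files included) for manual review.
    if [ -d "$root/var/tmp" ]; then
        for f in "$root/var/tmp"/* "$root/var/tmp"/.[!.]*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            echo "REVIEW: executable in $root/var/tmp: $f"
        done
    fi
}
```

Source the file and call iservices_b_check with no argument (under sudo, since /var/root is not readable by ordinary users) to check the running system, or pass the mount point of a suspect volume. The function covers only the file-system indicators; for the listening backdoor, `sudo lsof -nP -iTCP -sTCP:LISTEN` lists the processes holding listening TCP sockets, and a process named DivX there on a Mac that never installed DivX matches what the advisory describes.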


Since the malicious software connects to a remote server over the Internet, the creator of this malware will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac.

Intego is issuing this alert to warn Mac users not to download Photoshop CS4 installers from sites offering pirated software. (As of 6 am EST, nearly 5,000 people have downloaded this installer, according to a major BitTorrent tracker site.) Since the Trojan horse, in this case, is found merely in the crack application that is bundled with Photoshop CS4, users should avoid downloading any cracking software from sites that distribute pirated software. The risk of infection is serious, due to the number of infected users, and these users may face extremely serious consequences if their Macs are accessible to malicious users. The first version of this Trojan horse was seen downloading new code to infected computers, which were then used in a DDoS (distributed denial of service) attack on certain web sites. Since this new variant uses the same technology, and contacts the same remote servers, it is likely that it will attempt to download new code and perform such actions.

jared@zeropaid.com


Comments

  1. ejonesss

    Does it use the same installer package as iWork does?

    Meaning, is it a separate installer that is not part of the original legit installer?

  2. soulxtc

    Yep, it contains an additional package called iWorkServices.pkg that is bogus...
    (image: http://www.intego.com/pix/ism0901.png)

  3. ejonesss

    @soulxtc That is iWork that contains iWorkServices.

    Upon further research (downloading) I found it is the cracker that installs the bogus DivX extension.

    First, Photoshop is an image editor NOT A VIDEO EDITOR and has no reason to be using DivX.

    You virus writers, we know about the trick.

    If you really want to pull one over us then impersonate a driver or something that fits into the same category as what you are planting it in.

    If you are going to be disguising a trojan as DivX then plant it into the installer of a program like Toast (has the ability to convert DivX files to DVD) or a video converter program.

  4. thepuzzler

    Hmm Why would anyone give a Crack [k] Root access??
