I think I got a bug from a torrent
July 1, 2009 6:04 AM Subscribe
I've tried illegally downloading an application, and I'm pretty sure it is intent on messing up my computer and/or stealing my infos. Here's the catch- I'm runny the latest version of Leopard OS_X.
In an effort to get a pretty expensive application that I've wanted for a long time, I downloaded a torrent containing said application. After the cracking program opened and didn't do anything, I became immediately suspiscious. So, long story short, I opened up good old terminal (which I'm somewhat familiar with) and my command line prompt addressed me as a user I don't recognize. This kind of scared the crap out of me, as it seems like something a trojan-esque virus might do. Since the incident I haven't used any passwords or done anything that requires authentication, and I don't plan on doing so until I've got this figured out.
I'm not sure this would be such a predicament for me if I weren't running Leopard, since there are plenty of anti-virus tools for Windows. But
I've been googling about virus scanners for leopard, or virus removal for leopard and can't really find anything.
So, hive mind OS_X experts- How can I diagnose whether I really do have a problem on my shameful hands, and if so, how can I fix it? Are there any good generic diagnosis / removal tools I should look into purchasing (legally, of course!) ?
Is it possible that the cracking program I used did something to my root user so that it could perform its crack, and that it was not malicious at all?
Also, should I be concerned that the damage has already been done? perhaps my hard drive has already been scanned for information which has been sent to whomever wants it?
I've created a follow up email here: ithinkihaveabadbug@gmail.com which I will be glad to follow up on. please hope me with whatever suggestions you may have!
In an effort to get a pretty expensive application that I've wanted for a long time, I downloaded a torrent containing said application. After the cracking program opened and didn't do anything, I became immediately suspiscious. So, long story short, I opened up good old terminal (which I'm somewhat familiar with) and my command line prompt addressed me as a user I don't recognize. This kind of scared the crap out of me, as it seems like something a trojan-esque virus might do. Since the incident I haven't used any passwords or done anything that requires authentication, and I don't plan on doing so until I've got this figured out.
I'm not sure this would be such a predicament for me if I weren't running Leopard, since there are plenty of anti-virus tools for Windows. But
I've been googling about virus scanners for leopard, or virus removal for leopard and can't really find anything.
So, hive mind OS_X experts- How can I diagnose whether I really do have a problem on my shameful hands, and if so, how can I fix it? Are there any good generic diagnosis / removal tools I should look into purchasing (legally, of course!) ?
Is it possible that the cracking program I used did something to my root user so that it could perform its crack, and that it was not malicious at all?
Also, should I be concerned that the damage has already been done? perhaps my hard drive has already been scanned for information which has been sent to whomever wants it?
I've created a follow up email here: ithinkihaveabadbug@gmail.com which I will be glad to follow up on. please hope me with whatever suggestions you may have!
You have to assume the worst; that not only did someone gain access to your machine (and by implication your data), but also they still have access.
Nothing short of backing up your home directory, reformatting your drive and reinstalling OS X from the original distribution CDs will remove this security fault. No matter what scanner you use or whatever else you do, the potential fault will remain.
posted by Mutant at 7:05 AM on July 1, 2009
Nothing short of backing up your home directory, reformatting your drive and reinstalling OS X from the original distribution CDs will remove this security fault. No matter what scanner you use or whatever else you do, the potential fault will remain.
posted by Mutant at 7:05 AM on July 1, 2009
Since Trojans are known to exist I'd google the application name and trojan to see if there is any info out there on which one you may have. There are only a few, most notably iWork 09 and Photoshop CS4. Intego recommends that users never download and install software from untrusted sources or questionable websites. It says its own VirusBarrier X4 and X5 products with virus definitions dated January 22, 2009, or later will protect against these two Trojan horses.
From AppleInsider
iwork: "OSX.Trojan.iServices.A" in pirated copies of Apple's iWork '09 making the rounds on BitTorrent file sharing networks. An additional package not found in retail copies of the iWork installer called "iWorkServices.pkg" is installed as a startup item with read/write/execute abilities with the pirated versions.
According to Intego, the rogue software connects to a remote server to notify its creator that the trojan has been installed on different Macs, and he or she can "connect to them and perform various actions remotely", including downloading additional components to the machine.
CS4: a new variant of the same Trojan horse called "OSX.Trojan.iServices.B", which can be found in pirated versions of Adobe Photoshop CS4. This installer has already been downloaded by 5,000 people who are now at risk, the firm says.
This installer compromises the system not by installing an additional package, but through a crack application that serializes the program for use without a purchased retail key. This app extracts an executable from its data and installs a backdoor in /var/tmp/. If the user runs the crack app again, a new executable with a different random name is created, making it difficult to safely remove the malware.
Once the administrator password is entered, a backdoor with root privileges is launched, copying the executable to /usr/bin/DivX and a startup item in /System/Library/StartupItems/DivX. It then makes repeated connections to two IP addresses, according to Intego.
A malicious user can then connect to the affected Macs and perform various actions and downloads remotely. Intego predicts this Trojan horse may also be used to execute similar DDoS attacks.
posted by Gungho at 7:10 AM on July 1, 2009 [1 favorite]
From AppleInsider
iwork: "OSX.Trojan.iServices.A" in pirated copies of Apple's iWork '09 making the rounds on BitTorrent file sharing networks. An additional package not found in retail copies of the iWork installer called "iWorkServices.pkg" is installed as a startup item with read/write/execute abilities with the pirated versions.
According to Intego, the rogue software connects to a remote server to notify its creator that the trojan has been installed on different Macs, and he or she can "connect to them and perform various actions remotely", including downloading additional components to the machine.
CS4: a new variant of the same Trojan horse called "OSX.Trojan.iServices.B", which can be found in pirated versions of Adobe Photoshop CS4. This installer has already been downloaded by 5,000 people who are now at risk, the firm says.
This installer compromises the system not by installing an additional package, but through a crack application that serializes the program for use without a purchased retail key. This app extracts an executable from its data and installs a backdoor in /var/tmp/. If the user runs the crack app again, a new executable with a different random name is created, making it difficult to safely remove the malware.
Once the administrator password is entered, a backdoor with root privileges is launched, copying the executable to /usr/bin/DivX and a startup item in /System/Library/StartupItems/DivX. It then makes repeated connections to two IP addresses, according to Intego.
A malicious user can then connect to the affected Macs and perform various actions and downloads remotely. Intego predicts this Trojan horse may also be used to execute similar DDoS attacks.
posted by Gungho at 7:10 AM on July 1, 2009 [1 favorite]
What Mutant said. It could be the items Gungho mentions are all that's there and you can fix it. But it could be a new variant or something completely different. If only 5,000 people are at risk of the CS4 trojan, it isn't like the antivirus makers will put a lot of energy in squashing it compared to the bazilions in potential revenue from the trojans in the Windows version.
If your system have been compromised that is the only way to make sure you get it back. If you have Time Machine enabled, perhaps you could just go back to a point before you installed the app. I doubt it whatever trojans out there are capable of going into Time Machine backups and adding themselves and "changing the past".
Good luck.
posted by birdherder at 8:10 AM on July 1, 2009
If your system have been compromised that is the only way to make sure you get it back. If you have Time Machine enabled, perhaps you could just go back to a point before you installed the app. I doubt it whatever trojans out there are capable of going into Time Machine backups and adding themselves and "changing the past".
Good luck.
posted by birdherder at 8:10 AM on July 1, 2009
I would guess Little Snitch would be able to block the outgoing connection the CS4 trojan tries to establish? You might want to get a copy.
posted by Thoughtcrime at 2:05 PM on July 1, 2009
posted by Thoughtcrime at 2:05 PM on July 1, 2009
« Older What is this song that sounds like the Kinks but... | How to find accountants and/or financial advisors... Newer »
This thread is closed to new comments.
Also most of the major players in antivirus software (McAfee, Norton, Trend Micro) have Mac products and while a lot of snake oil is thrown around in that arena (due to the low demand for AV on a mac) there are legitimate exploits that have been used before and those programs will likely detect any of the current known ones and remove them.
posted by genial at 6:14 AM on July 1, 2009