New Mac Trojan appears in pirated versions of Photoshop CS4


MacBytes
Jan 26, 2009, 08:24 AM

Category: News and Press Releases
Link: New Mac Trojan appears in pirated versions of Photoshop CS4 (http://www.macbytes.com/link.php?sid=20090126092405)
Description: Uh oh… another week, another Mac Trojan horse discovered. This time around, it's folks who are downloading cracked copies of Adobe Photoshop CS4 from BitTorrent sites that are in danger. According to Mac Security Software maker Intego (who discovered last week’s iWork 09 virus), the Photoshop trojan is a new variation on the OSX.Trojan.iServices virus found last week.

Posted on MacBytes.com (http://www.macbytes.com)
Approved by Mudbug

yellow
Jan 26, 2009, 08:26 AM
Again..

I have very little sympathy for folks that fall victim to this.

GoCubsGo
Jan 26, 2009, 08:27 AM
This is all bittersweet. For people who pay for their applications it is obviously sweet to see the torrent downloaders get it ... but of course then there's this whole thing about a trojan being there making me wonder if eventually we'll see this crap wind up on things that we download that are fully legit.

xUKHCx
Jan 26, 2009, 08:28 AM
I guess this will be appearing in all the popular torrented programs until whatever hole(?*) is fixed.

*Is this something that apple can fix?

yellow
Jan 26, 2009, 08:31 AM
I would like to note that Intego got tagged a few years back for "discovering" malware "in the wild" that was actually a proof-of-concept that they themselves created, distributed, and subsequently "discovered".

So, I take all info from them with a very large grain of salt.

GoCubsGo
Jan 26, 2009, 08:33 AM
I guess this will be appearing in all the popular torrented programs until whatever hole(?*) is fixed.

*Is this something that apple can fix?
The question should be, is this something Apple would want to fix? Leave a hole and teach people a lesson or fix the hole? My hope is for the latter because the hole puts the honest folk at just as much risk.
I would like to note that Intego got tagged a few years back for "discovering" malware "in the wild" that was actually a proof-of-concept that they themselves created, distributed, (and subsequently "discovered").

So, I take all info from them with a very large grain of salt.

Great memory! I do recall that now that you mention it.

yellow
Jan 26, 2009, 08:35 AM
The question should be, is this something Apple would want to fix? Leave a hole and teach people a lesson or fix the hole? My hope is for the latter because the hole puts the honest folk at just as much risk.

As much as we like to have a sense of justice, if there's an actual security hole, Apple will have to plug it. Who knows how long it will be before it actually shows up in a "legit" app?

rdowns
Jan 26, 2009, 08:36 AM
I have no sympathies for people who steal (yes, it's stealing) software and other IP. I do think Apple should close any of these holes to protect legitimate users. If they can be exploited for torrents, they can be exploited elsewhere.

yellow
Jan 26, 2009, 08:40 AM
Reading the article, it doesn't seem like a security hole. It seems more like it's preying on user ignorance. It asks for username/password and goes from there.

H$R
Jan 26, 2009, 08:48 AM
As much as we like to have a sense of justice, if there's an actual security hole, Apple will have to plug it. Who knows how long it will be before it actually shows up in a "legit" app?

It's a trojan, not a virus. There doesn't really have to be a security hole. The hole is the human who downloads the thing on purpose.
Your Internet is the security hole, I don't think you want that "patched" aka closed.

yellow
Jan 26, 2009, 08:49 AM
It's a trojan, not a virus. There doesn't really have to be a security hole. The hole is the human who downloads the thing on purpose.

Yes, already noted that. :)

WestonHarvey1
Jan 26, 2009, 08:51 AM
I guess this will be appearing in all the popular torrented programs until whatever hole(?*) is fixed.

*Is this something that apple can fix?

There's nothing for Apple to fix here. Unlike a virus or worm which exploits some security flaw to install and spread without your knowledge or permission, a trojan is just an ordinary application. If you opened up Xcode and wrote a program that deletes your iTunes library and then emails a copy of itself to everyone in Address Book, that would be your prerogative - there's nothing to stop your application because it isn't doing anything it shouldn't be able to do (deleting files from the file system is legit, so is accessing the Address Book database).

Trojans come down to the human element. There is no way for the OS to know someone is trying to trick you with a piece of software, and no way for it to know what it is doing is considered harmful.

The only "fix" would be for Apple to convert the Mac platform into a "walled garden" like the iPhone, with Apple becoming the gatekeeper for all Mac apps. It wouldn't really be a "personal computer" anymore in the traditional sense.

xUKHCx
Jan 26, 2009, 08:52 AM
Reading the article, it doesn't seem like a security hole. It seems more like it's preying on user ignorance. It asks for username/password and goes from there.

That is how the first one worked as well, it is pretty much just a renamed version of the iWork variant.

The thing is there were reports of it downloading new code once the machine is infected, which is what I was semi-referring to with the mention of a possible hole. This should be picked up by the firewall at least imo.

So yes it is user ignorance/trickery but also there are some things that Apple could do to help prevent it, such as making a more open installer so the user can see what files are being installed (yeah I know it is possible and an average user would just assume it is a correct file anyway but it would be nice).

WestonHarvey1
Jan 26, 2009, 09:04 AM
The thing is there were reports of it downloading new code once the machine is infected, which is what I was semi-referring to with the mention of a possible hole. This should be picked up by the firewall at least imo.


If it is downloading files off the web, using the same method a browser uses, it would inherit the same firewall rules the web browser is subjected to. You could make it more restrictive, triggering a confirmation dialog any time an application went to grab a file over the network, but that would get really annoying. There's a usability balance here that's easy to disturb.

H$R
Jan 26, 2009, 09:06 AM
That is how the first one worked as well, it is pretty much just a renamed version of the iWork variant.


The thing is there were reports of it downloading new code once the machine is infected, which is what I was semi-referring to with the mention of a possible hole. This should be picked up by the firewall at least imo.


Sure, they could close the IPs from where it's downloading. But in the future there will be more and more exploits and more and more IPs.
It's not Apple's job to prevent you from doing stupid things.

Now there's the moment where a virus/malware scanner gets into the game. It has to actively watch what you (your PC) are doing and stop it when it's evil.

Or buy Little Snitch, it will monitor for you which applications/services want to connect to the net.


So yes it is user ignorance/trickery but also there are some things that Apple could do to help prevent it, such as making a more open installer so the user can see what files are being installed (yeah I know it is possible and an average user would just assume it is a correct file anyway but it would be nice).

I like it the simple way as it is. But you're right, you could have like two options, the easy and the advanced like some Windows programmes have. But then again, wouldn't the writer of the software declare what he writes there? So he just would hide it from your eyes.
Another option would be a log file, of every file that has been copied over during the installation.
But would you want to go through that long list every time you install something? And would you check every element, every time?

HyperZboy
Jan 26, 2009, 09:42 AM
Again..

I have very little sympathy for folks that fall victim to this.

I totally agree, except that this and the previous trojan are the first 2 I've seen widely around since the Mac OS 9 DAYS and THAT'S SCARY to ME!

I fear this kinda nullifies the Mac's inherent no viruses advantage so I'm hoping this doesn't get out of control and proliferate.

I could easily see Microsoft taking advantage of this or the PC dominated media slamming Apple for this and ruining all the good press that Macs have gotten in the last few years. :(

yellow
Jan 26, 2009, 09:47 AM
Well, it's all just that.. Press and PR spin. Apple has been happily capitalizing on this untruth for a while. It's almost like FUD. While they tout a "secure" environment, trojans like this are difficult to defend against.

This trojan preys on user ignorance and tricks people into installing malware by happily supplying an admin username and password. There's no magic to protect against this. And what can Intego (et al.) do to "protect" us?

alphaod
Jan 26, 2009, 09:59 AM
This is why I use usenet; of course I paid for CS4 and iWork.

WestonHarvey1
Jan 26, 2009, 10:02 AM
I fear this kinda nullifies the Mac's inherent no viruses advantage so I'm hoping this doesn't get out of control and proliferate.

I could easily see Microsoft taking advantage of this or the PC dominated media slamming Apple for this and ruining all the good press that Macs have gotten in the last few years. :(

There's no real chance of trojans like this proliferating, since they rely entirely on human users to spread it. What brought Windows down was the multitude of ways software could self-install without your permission or knowledge.

This is a self-limiting problem. We're not going to see botnets of millions of Macs out there, without some serious Windows-quality security holes being introduced into OS X.

alphaod
Jan 26, 2009, 10:04 AM
My hope is for the latter because the hole puts the honest folk at just as much risk.

Why would honest folks be stealing?


I could easily see Microsoft taking advantage of this

Not every company is an asshat like Apple.

AlexisV
Jan 26, 2009, 10:19 AM
I think people are missing the point here. It doesn't matter whether people 'deserve' it - that is irrelevant.

What we're looking at here is the crack that comes with this pirated PS version. You run the crack and you get the trojan.

The file could just as easily be a mirror for something legit. Something like Cyberduck for example.

The point is, even a self installed program which then downloads further code is worrying.

Consultant
Jan 26, 2009, 11:25 AM
I would like to note that Intego got tagged a few years back for "discovering" malware "in the wild" that was actually a proof-of-concept that they themselves created, distributed, and subsequently "discovered".

So, I take all info from them with a very large grain of salt.

Yeah, three possibilities.

Would they be downloading every single torrent, installing each one individually and testing them? Probably not.

If they don't download every torrent, then it will only be discovered when a large number of people are affected, and this is not the case.

Making a trojan, and "discovering" it to sell their own software.

Kilamite
Jan 26, 2009, 11:41 AM
I just hope this doesn't appear in slightly more "legit" torrents, such as no DVD cracks for games that demand the DVD is in the drive.

Is there any way of discovering the trojan before you install anything? Just in case this made its way into legit stuff.

Apple Ink
Jan 26, 2009, 11:49 AM
Well while reading something somewhere.. (MacWorld maybe) I had an epiphany... how come both the recent trojans, extremely similar in structure, in the top two most popular Mac pirated softwares be spotted by the same company in succession within a week's time which then also goes on to release heals almost instantly after the reports....
I smell something fishy..... oh... that's the pirates..

EmperorDarius
Jan 26, 2009, 11:55 AM
If they don't download every torrent, then it will only be discovered when a large number of people are affected, and this is not the case.


According to the article:

iWork 09 (20,000 infections) than the $700 Adobe Photoshop CS4? (5000))

They seem pretty many. Another possibility would be that Intego products send information to Intego about everything suspicious, therefore that could make the discovery of new threats a lot easier. Quite a lot of AV programs do this under Windows.

If this is not something made by Intego itself, I hope that this doesn't transform into some massive Mac-Attack. Probably not.

:apple:

Consultant
Jan 26, 2009, 01:07 PM
According to the article:

iWork 09 (20,000 infections) than the $700 Adobe Photoshop CS4? (5000))

They seem pretty many.

That's very few compared to millions of mac users.

TheSpaz
Jan 26, 2009, 01:18 PM
Hopefully stuff like this will stop users from stealing software and PAY for legit versions. If that happens, perhaps the economy will pick up a little.

edgew8
Jan 26, 2009, 01:24 PM
Looks like Mac users are going to have to start using that famous Windows program Common Sense 2009 Mac edition. Apple cannot patch the "ignorant user" hole. As Macs gain popularity and market share expect to see more of this kind of stuff and the only defense against it is staying informed.

On a side note watch out for bogus drivers for stuff as well. I was looking for a Lexmark printer driver for my mom's G4. Lexmark didn't have any drivers that supported Tiger but I found a site that claimed to have it. It was a package installer and asked for my name and password... needless to say I pushed cancel and deleted it quick fast.

Kilamite
Jan 26, 2009, 01:26 PM
Hopefully stuff like this will stop users from stealing software and PAY for legit versions. If that happens, perhaps the economy will pick up a little.

What, people spend even more money on things they can't afford?

austinsevo
Jan 26, 2009, 01:40 PM
I sense a lot of anger in this thread.

Eddyisgreat
Jan 26, 2009, 02:05 PM
Can we please stop with all the FUD. It's really starting to annoy me. This is not a virus, it is an app that is installed BY THE USER which hides in the background and does malicious things. It is not:

A) A hole
B) Obtainable by any other means than running the trojan program and entering administrative credentials.
C) Considering B, it is not a virus.

UNIX doesn't allow the running of certain things without SU (super user/root/admin) permission. NT doesn't either, but to its credit, individuals will look more ruthlessly for holes and exploits in NT because of its market share.

Besides - Apple never said it was virus free and could never be infected by a virus. Apple stated (in their various commercials) that a virus that was built for NT cannot run on a separate platform, i.e. Unix, i.e. Mac OS X. It's a great selling point that people don't realise and it will CONTINUE to be a great selling point until true exploits come through that were built specifically for OS X.

Yamcha
Jan 26, 2009, 02:49 PM
I've downloaded the whole Creative Suite CS4 Series, I'm not seeing any difference.. doesn't feel like I have a trojan.

MadGoat
Jan 26, 2009, 03:01 PM
Legit cracks don't ask for root passwords. If I have one that asks for one, I close it, and I move on to the next crack. So far I have not had one that's asked me for a password; the only time I came across a trojan was going to a misspelled YouTube site accidentally.

Serge88
Jan 26, 2009, 05:06 PM
I downloaded Photoshop CS4 for Mac from BitTorrent. All I got was a trial version of Photoshop and a text file with a serial number. I was also able to dl a keygen to generate a serial number but it only runs on Windows.

The Photoshop looks exactly (same size) like the one I also downloaded from Adobe. I didn't try it and don't need CS4, I wonder if it's all b..s.. from Intego.

Are they trying to scare people and sell them their software ?

Serge

Watabou
Jan 26, 2009, 05:14 PM
I've downloaded the whole Creative Suite CS4 Series, I'm not seeing any difference.. doesn't feel like I have a trojan.

Legit cracks don't ask for root passwords. If I have one that asks for one, I close it, and I move on to the next crack. So far I have not had one that's asked me for a password; the only time I came across a trojan was going to a misspelled YouTube site accidentally.

I downloaded Photoshop CS4 for Mac from BitTorrent. All I got was a trial version of Photoshop and a text file with a serial number. I was also able to dl a keygen to generate a serial number but it only runs on Windows.

The Photoshop looks exactly (same size) like the one I also downloaded from Adobe. I didn't try it and don't need CS4, I wonder if it's all b..s.. from Intego.

Are they trying to scare people and sell them their software ?

Serge

Why don't you pay for stuff you use illegally again?:confused:

Anyways, like everyone else said earlier, Apple cannot patch user ignorance. Just pay where it's due and people won't run around screaming that they got a trojan.

Trip.Tucker
Jan 26, 2009, 05:27 PM
The question should be, is this something Apple would want to fix? Leave a hole and teach people a lesson or fix the hole? My hope is for the latter because the hole puts the honest folk at just as much risk.


I think people are not understanding what the trojan is or how it is delivered. This is not a hole in existing software or services or the OS. Firstly, the software that people are downloading has been modified to include an additional program (the trojan) that is installed on the host system along with the bulk program that was downloaded. On this point, if you are buying from legitimate vendors then there is an element of trust associated with that vendor to provide the package on DVD or other media in its original form. So long as you buy (or download, if the program is free) from a trusted source or the original vendor, there won't be any issues.

Second, any program downloaded from the internet that requests admin level access to the host OS, has the potential to mess up the host system, whether intentionally or via a flaw in the coding.

There is already a level of protection in place whenever you are requested to enter an admin password to complete a software installation. You have the opportunity at that point to review what is being installed and if not certain, abort the install.

There is a point, a line, where you must consider what level of security/integrity has to be applied and maintained without restricting functionality. If you want a 100% secure system, turn off your computer and bury it in 15 feet of concrete.

Serge88
Jan 26, 2009, 05:33 PM
Why don't you pay for stuff you use illegally again?:confused:



I never, never, NEVER pay for free software and Photoshop CS4 trial IS free and I never, never use illegal software...

Ok I admit on my PC I had an illegal copy of Office 2000 but never on my iMac.

Serge

Winni
Jan 26, 2009, 05:36 PM
I have no sympathies for people who steal (yes, it's stealing) software and other IP.

steal: take another person's property without permission or legal right and without intending to return it.

Just for the sake of argument: How do you steal an immaterial good? What are you actually taking away by COPYING an immaterial good?

Disclaimer: I worked for a software company from 1998 to 2001 which developed and sold software development tools. That company first became unable to pay the salaries and I had to live off my credit card for a couple of months, and eventually it had to file for bankruptcy. The point is: You could download pirated copies of our software back then and you can still download them today. So I know first-hand how it feels to see illegal copies of your work on eDonkey while you have to find yourself a new job.

I want to get paid for my work, so I also pay others for theirs.

Back to the real topic here:

It doesn't matter whether this trojan gets only distributed via pirated software or not. It is only a question of time until entirely legit software will be contaminated. This has happened before - even at Microsoft.

It's the second time this week that we could read about Mac trojans (in pirated software). Also in the Windows world, pirated software is one of the main vehicles for the transportation of malware.

In the next step, these things will be distributed via eMail attachments, which is another popular vehicle. And how many people can resist the temptation to "open that funny Powerpoint attachment"? And how many of them will actually think about what they're doing when that "Powerpoint attachment" asks them to enter their username and password? In my experience as a corporate system administrator, it goes close to zero - people type in their passwords out of reflex with little to no brain activity.

The OS X platform now obviously has become popular enough for targeting, and those two successfully deployed trojans are just the beginning. The safe times where we could sneer at the Windows world are over.

Tallest Skil
Jan 26, 2009, 05:39 PM
What are you actually taking away by COPYING an immaterial good?

Money, from the person who created the software.

"But I wouldn't have bought it anyway!" That's the idea. Either save up for it or don't get it.

A DMC-12 is as much someone's lifeblood as a software suite, but you don't see me running around stealing DeLoreans, do you?

Acuity Mac Guru
Jan 26, 2009, 05:54 PM
As someone who has paid for every copy of software that I own, including iLife 09 (which needs to hurry up and get here) and Adobe Creative Suite CS4, I have NO sympathy.

Looks like the recurring theme is downloading pirated software, it serves them right !!

Apple Ink
Jan 26, 2009, 09:18 PM
That's very few compared to millions of mac users.

This makes me even more suspicious about this Intego company!

Totti
Jan 27, 2009, 12:35 AM
No idea if I've run this crack or not - any easy way for a Mac noob to tell? Any specific file or directory I can look for?

Apple Ink
Jan 27, 2009, 01:08 AM
No idea if I've run this crack or not - any easy way for a Mac noob to tell? Any specific file or directory I can look for?

You know you're asking for a nuke bomb admitting to piracy.... and that's bad enough!
At any cost... it's something like System/Library/Startupitems/DivX
Isn't it?

benlangdon
Jan 27, 2009, 01:25 AM
What I do not get is why people are even downloading a torrent of iWork.

It's available for download on the Apple web site (which is clean) and then just look around for a serial code. I mean, unless the person bought the program and then torrented (which I highly doubt) you are going to have to use a serial code anyway.

But just on a side note,
how could you tell the difference between an app being installed and asking for admin and password and a Trojan that you think is an app and asks for admin and password? I mean, I really do not get this.

irene1975y
Jan 27, 2009, 04:13 AM
Get the original software and don't torrent.

BT isn't safe for the records... all the IP addresses are logged

Jethryn Freyman
Jan 27, 2009, 04:33 AM
Get the original software and don't torrent.

BT isn't safe for the records... all the IP addresses are logged

As I said in the trojan-in-iwork-torrent thread:

It's ironic how most of the Mac users are getting on their extremely high horse and telling off torrent users, while the hackers are writing and improving their trojans.

ihabime
Jan 27, 2009, 04:49 AM
As I said in the trojan-in-iwork-torrent thread:

It's ironic how most of the Mac users are getting on their extremely high horse and telling off torrent users, while the hackers are writing and improving their trojans.

Alanis, is that you?

Jethryn Freyman
Jan 27, 2009, 05:58 AM
Alanis, is that you?

No - I'll just assume that's a compliment :cool:

reclusivemonkey
Jan 27, 2009, 06:38 AM
I wonder if Little Snitch (http://www.obdev.at/products/littlesnitch/index.html) would identify this? Can't test myself as obviously I don't download cracked software.

NATO
Jan 27, 2009, 06:51 AM
How could you tell the difference between an app being installed and asking for admin and password and a Trojan that you think is an app and asks for admin and password? I mean, I really do not get this.

This is something I'm curious about as well. With the well publicised iWork trojan, it's a trojan installer which tacks on to the real iWork installer. Now, I have my Mac set up so I'm a normal user, so when I install software, I'm asked for my Admin username/password. Because I'm entering my admin user/pass for a legit software install, how do I know there isn't anything tacked on, like a trojan package? There doesn't seem to be a way of guarding against this, except to only download software from legitimate sources.

I personally didn't download the iWork torrent, but theoretically had I done so, I don't see how I could have noticed anything untoward because the installer and the 'trojan' installer are seemingly tacked together so an admin username/password grants the installation rights to both legit and trojan packages...

Any thoughts on how to inspect an installer for anything untoward before installing it?

ihabime
Jan 27, 2009, 08:04 AM
Any thoughts on how to inspect an installer for anything untoward before installing it?

You could look inside the installer package to see if there are any odd files, but that won't help much unless the trojan maker uses something glaringly obvious.

The only real protection is being sure of your sources and hoping that the user community outs anyone that isn't trustworthy. It happens all the time on Windows, you want a PDF viewer? Sure, but you get WeatherBug and this browser search bar too. It even happens on OS X, remember Inquisitor?

It is hard to stop trojans since they rely on social engineering, but there are a few easy ways Apple could improve the situation.

1) Little Snitch-like outgoing connection notification and blocking to the firewall.
2) A single Pref pane that lets you see and disable which programs run on startup. Right now there are at least 7 directories where a startup program can be hidden.

For the first you can obviously install Little Snitch now and for the second you can check the following directories after each install:

/System/Library/LaunchAgents/
/System/Library/LaunchDaemons/
/System/Library/StartupItems/
/Library/LaunchAgents/
/Library/LaunchDaemons/
/Library/StartupItems/
~/Library/LaunchAgents/

Places of interest: the plug-in directories of various programs in various Library folders could be used to latch a trojan onto an otherwise legitimate program like Safari or Mail.

BornToMac
Jan 27, 2009, 08:48 AM
I think the ethical question of piracy is one that you have to ask yourself. Obviously, if you play with fire, there is a chance that you are going to get burned. The real issue that makes me nervous is that we have seen two trojans released in popular Mac programs this month. Yes, I know that these are not viruses, and yes I know that these have to be installed by the user, but the fact remains that there are a lot of people switching to Macs for a variety of reasons (trendy, fed up w/ PC, etc.) With the growing number of Mac owners, and Mac developers for that matter, I fear this is only the beginning. More and more people are learning to write apps for Mac and, through use of the iPhone SDK, the iPhone. With the growing number of users, it is only a matter of time before a widespread piece of malware is released that affects a large part of the Mac community. Think how many PC users have iPhones. It seems to me that that would be a popular target for future attacks. I hope that in true Mac community fashion, we come together to discourage, and limit the spread of future outbreaks.:apple:

NATO
Jan 27, 2009, 08:51 AM
Great advice ihabime, thank you :)

ppc750fx
Jan 27, 2009, 03:06 PM
With the growing number of users, it is only a matter of time before a widespread piece of malware is released that affects a large part of the Mac community.

<shrugs>

And? Most, if not all, malware that will hit OS X will be trojan-esque in nature. There just aren't that many reliable attack vectors for self-installing/self-propagating malware. If it's user-installed malware, there's not much that we (the community) or Apple can do about it. Screw it. If people don't want to learn the basics of computer security, I see no reason to spend time and money cleaning up after them.

You can't guard against stupidity. It's simply not possible. When you do, you'll end up with stuff like UAC -- stuff that pisses off intelligent users and provides little to no protection for the dumb/lazy ones.

On another note: software piracy is not theft. "But it's taking money --" No. You can stop your internal dialogue. You're wrong. It's not theft. Look up the definition of theft sometime. Unless piracy is physically taking monetary instruments from the developers of the software, it's not the same as stealing money. Unless piracy involves physically stealing the disks on which software resides, it's not the same as stealing software.

To help people remember this, here's a handy graphic:

http://s.buzzfeed.com/static/imagebuzz/2008/8/27/12/27311d2d7c84e8f3e3f5036ed08d198b.jpg

ihabime
Jan 27, 2009, 04:52 PM
On another note: software piracy is not theft. "But it's taking money --" No. You can stop your internal dialogue. You're wrong. It's not theft. Look up the definition of theft sometime. Unless piracy is physically taking monetary instruments from the developers of the software, it's not the same as stealing money. Unless piracy involves physically stealing the disks on which software resides, it's not the same as stealing software.


Spoken like someone who hasn't produced more than a pizza in their whole life.

It's intellectual theft. It deprives the creator of the right to control how their work is used and their livelihood. It's the same reason that the FSF and GNU insist on software licensing that controls how their work can be redistributed, because they don't want big bad MS or Apple to box up their code and not share it back to the community.

So put your little pirate hat on and pretend all you want that it's OK because you're just copying it, but it does have an economic effect, it does take money away from people who actually do the work.

Tallest Skil
Jan 27, 2009, 04:55 PM
<shrugs>

And? Most, if not all, malware that will hit OS X will be trojan-esque in nature. There just aren't that many reliable attack vectors for self-installing/self-propagating malware. If it's user-installed malware, there's not much that we (the community) or Apple can do about it. Screw it. If people don't want to learn the basics of computer security, I see no reason to spend time and money cleaning up after them.

You can't guard against stupidity. It's simply not possible. When you do, you'll end up with stuff like UAC -- stuff that pisses off intelligent users and provides little to no protection for the dumb/lazy ones.

On another note: software piracy is not theft. "But it's taking money --" No. You can stop your internal dialogue. You're wrong. It's not theft. Look up the definition of theft sometime. Unless piracy is physically taking monetary instruments from the developers of the software, it's not the same as stealing money. Unless piracy involves physically stealing the disks on which software resides, it's not the same as stealing software.

To help people remember this, here's a handy graphic:

http://s.buzzfeed.com/static/imagebuzz/2008/8/27/12/27311d2d7c84e8f3e3f5036ed08d198b.jpg

Now THIS is an argument: Taking my response to this post in another thread, poorly covering up the points I brought up that you couldn't refute, and then posting it in another thread!

That's how it's done.

...

You're still wrong, though. Sorry. (Kind of awkward, wasn't it?)

ihabime
Jan 27, 2009, 04:59 PM
Now THIS is an argument: Taking my response to this post in another thread, poorly covering up the points I brought up that you couldn't refute, and then posting it in another thread!

That's how it's done.

...

You're still wrong, though. Sorry. (Kind of awkward, wasn't it?)

What do you expect, he's a pirate, no need for original thoughts when you can copy & paste.

WonkaVision
Jan 28, 2009, 03:05 PM
What's the moral difference between using Bittorrent to download Final Cut Pro (w/ an illegal serial) to stand-in for a legal copy of FCP lost after a hard drive crash (without documentation) and using Migration Assistant to transfer your apps?

kastenbrust
Jan 28, 2009, 03:18 PM
It wouldn't be hard for Intego to make this trojan, pack it with Photoshop CS4, and upload it as a torrent, then scream about the issue. I wonder if Intego noticed the trojan before the torrent was originally posted, that would be pretty incriminating.

Europa13
Feb 1, 2009, 11:48 PM
So if you install Intego virus barrier (with current/updated virus signatures) on a computer already infected with this trojan, would it detect it (and attempt to remove)? Or would it just prevent future infection?

Thanks

UltraNEO*
Feb 2, 2009, 02:04 AM
Again..

I have very little sympathy for folks that fall victim to this.

Yes, I'd totally agree!

New Mac Trojan appears in pirated versions of Photoshop CS4 - 5,000 infected so far!



Pity the figures ain't higher!!...

Why don't those people go out and buy the official copy? Cheap skates. Hope it trashes those people's data!! It'll serve them right for stealing Applications.

EmperorDarius
Feb 2, 2009, 02:28 AM
So if you install Intego virus barrier (with current/updated virus signatures) on a computer already infected with this trojan, would it detect it (and attempt to remove)? Or would it just prevent future infection?

Thanks

Yeah it would remove it. Also, Intego is not the only one that detects the Trojan, Norton Antivirus and *the free* iAntivirus do too.

NATO
Feb 2, 2009, 02:00 PM
Pity the figures ain't higher!!...

Why don't those people go out and buy the official copy? Cheap skates. Hope it trashes those people's data!! It'll serve them right for stealing Applications.

I'm curious as to whether the likes of Adobe actually turn a blind eye to casual piracy of their products in order to further people's awareness and their skill in using them. For example, students who couldn't even start to afford the princely sum demanded for the likes of Photoshop etc (I know they do a student version but even it's pretty high priced) might pirate it and get used to using it, therefore creating a potential sale for Adobe later in life when they CAN afford it, especially if their job or hobby requires it.

What I'm essentially getting at is that while Adobe would be against a business or school/university pirating their software, they might not be totally against personal users pirating it as it might increase the demand for businesses/schools/unis to buy it given the demand from their users.

NATO
Feb 2, 2009, 02:03 PM
Yeah it would remove it. Also, Intego is not the only one that detects the Trojan, Norton Antivirus and *the free* iAntivirus do too.

I think you've missed the point that was being made here. What kastenbrust was saying is that it's possible that Intego could theoretically have been behind the trojan in the first place in order to be able to publicly announce a trojan has been discovered, and hence increase the demand for their security software.

It's possible, those who have the most to gain from trojans/viruses etc on the Mac OS X platform are the Anti-virus companies who want to sell us 'protection'.

Edit - Just noticed that EmperorDarius must have meant to quote Europa13 above instead of kastenbrust

thejadedmonkey
Feb 2, 2009, 02:30 PM
<snip>Spoken like someone who hasn't produced more than a pizza in their whole life.

As someone who HAS produced more than a pizza (but never a pizza) in his whole lot, I disagree. If someone were to rip my web design off, I would call it copyright infringement, but not theft. There's a difference there, but I define theft as taking something... and copying something inherently reproduces it, without removing the original, ergo I could never call using any form of P2P theft, but rather copyright infringement.

Back on topic, however. How do I know if I'm infected? I have not downloaded CS4 off of bit torrent, iWork came from Apple.com, but in the future my concern is that a trojan gets packaged with something I legitimately download, I would have no way of knowing I was infected. That's what worries me, and that's what I feel Apple should try to fix somehow (ie making it so that you have to double-authenticate to change start-up items outside of the user start up folder)

EmperorDarius
Feb 2, 2009, 03:19 PM
I think you've missed the point that was being made here. What kastenbrust was saying is that it's possible that Intego could theoretically have been behind the trojan in the first place in order to be able to publicly announce a trojan has been discovered, and hence increase the demand for their security software.

It's possible, those who have the most to gain from trojans/viruses etc on the Mac OS X platform are the Anti-virus companies who want to sell us 'protection'.

Edit - Just noticed that EmperorDarius must have meant to quote Europa13 above instead of kastenbrust

My bad:D *Fixed*

ihabime
Feb 2, 2009, 09:49 PM
As someone who HAS produced more than a pizza (but never a pizza) in his whole lot, I disagree. If someone were to rip my web design off, I would call it copyright infringement, but not theft. There's a difference there, but I define theft as taking something... and copying something inherently reproduces it, without removing the original, ergo I could never call using any form of P2P theft, but rather copyright infringement.

I think we mostly agree, it's just a matter of semantics. I used the term intellectual theft as a reaction to the people who claim that piracy is just copying and doesn't hurt anyone. It's true that copyright infringement is the proper term, but I find that its usage moves the argument away from the fact that real people lose real money from it.

Back on topic, however. How do I know if I'm infected? I have not downloaded CS4 off of bit torrent, iWork came from Apple.com, but in the future my concern is that a trojan gets packaged with something I legitimately download, I would have no way of knowing I was infected. That's what worries me, and that's what I feel Apple should try to fix somehow (ie making it so that you have to double-authenticate to change start-up items outside of the user start up folder)

Check my post earlier in this thread, I listed the main folders that trojans use in OSX, it really would be simple for Apple to fix this vector of attack.
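
An added example, not part of any post in this thread: one way to answer "how do I know if I'm infected?" for the startup-item vector discussed above is to record a baseline of the launch locations and report anything added or changed later. The directory list below is the standard set of macOS boot/login locations and is an assumption of this example, not the folder list from the earlier post; the baseline file name is hypothetical.

```python
import hashlib
import json
import os
from pathlib import Path

# Standard macOS locations for items that run at boot or login.
# Assumption of this example; not taken from the thread.
DEFAULT_LOCATIONS = [
    "/Library/StartupItems",
    "/System/Library/StartupItems",
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/System/Library/LaunchAgents",
    "/System/Library/LaunchDaemons",
    "~/Library/LaunchAgents",
]


def snapshot(locations=DEFAULT_LOCATIONS):
    """Map every file under the given locations to a content fingerprint."""
    result = {}
    for loc in locations:
        root = Path(loc).expanduser()
        if not root.is_dir():
            continue  # location absent on this system
        for path in sorted(root.rglob("*")):
            if path.is_symlink():
                # Record the target instead of following it.
                result[str(path)] = "symlink:" + os.readlink(path)
            elif path.is_file():
                try:
                    digest = hashlib.sha256(path.read_bytes()).hexdigest()
                except OSError:
                    digest = "unreadable"
                result[str(path)] = digest
    return result


def compare(baseline, current):
    """Return paths added, removed or changed since the baseline."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def audit(baseline_file, locations=DEFAULT_LOCATIONS):
    """First run writes the baseline and returns None; later runs return a diff."""
    current = snapshot(locations)
    baseline_path = Path(baseline_file).expanduser()
    if not baseline_path.exists():
        baseline_path.write_text(json.dumps(current, indent=2))
        return None
    return compare(json.loads(baseline_path.read_text()), current)


if __name__ == "__main__":
    report = audit("~/.startup_baseline.json")  # hypothetical baseline file
    if report is None:
        print("Baseline recorded.")
    else:
        for kind, paths in report.items():
            for p in paths:
                print(f"{kind}: {p}")
```

The baseline is only meaningful if it is recorded on a system known to be clean, and it should be kept somewhere the installer being checked cannot rewrite.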

reclusivemonkey
Feb 3, 2009, 06:07 AM
So put your little pirate hat on and pretend all you want that it's OK because you're just copying it, but it does have an economic effect, it does take money away from people who actually do the work.

You're assuming everyone who pirates would be a paying customer if they didn't pirate it. That's completely wrong. Maybe a small proportion would, but not all of them.

If you look on the internet, all the research shows that the vast majority of people using CS/Photoshop have pirated copies.

I suspect that Adobe's "unofficial" attitude to piracy is that of Microsoft's; they don't really care as long as theirs is the de facto software to use. Market share is the vital factor. If Adobe really cared, they wouldn't make it so easy to pirate their software.

MacFever
Feb 3, 2009, 07:24 AM
Just had a co-worker bring in a G4 PowerPC Desktop with Tiger which a friend of his owns and it caught a virus from a windows XP machine in his home network. Both machines on the same network.

His friend got this nasty virus when he searched for the Mac version of Firefox on his XP machine and downloaded a copy unknowingly with a payload with it from the net. He didn't even install the file yet....the XP machine started acting strangely and suddenly the Mac started exhibiting the same behaviour as the XP machine.

I think he installed it on his Mac though...

I suspect it infected both through bonjour which is installed on both machines with itunes.

He couldn't launch any APPs on his Mac nor his PC... everything was screwed up.

the only option was to rebuild.

So it looks like the Mac virus WAR has started....what is interesting is they are making the viruses to infect all versions of the machines..

Windows, Intel Macs & PPC Macs

ihabime
Feb 3, 2009, 07:29 AM
You're assuming everyone who pirates would be a paying customer if they didn't pirate it. That's completely wrong. Maybe a small proportion would, but not all of them.

No I'm assuming that if you aren't willing to pay for it, then you don't have the right to use it and that the people who spent the time, effort and money to produce it do have the right to decide who can use it.

If you look on the internet, all the research shows that the vast majority of people using CS/Photoshop have pirated copies.

'vast majority'? Yeah that's not a figure pulled out of ass or anything is it.

I suspect that Adobe's "unofficial" attitude to piracy is that of Microsoft's; they don't really care as long as theirs is the de facto software to use. Market share is the vital factor.

I'm sure they spend all that time and effort developing DRM protections, serial numbers, phone home validation schemes and Windows Genuine Advantage as a smokescreen, they really just want to give their products away.

If Adobe really cared, they wouldn't make it so easy to pirate their software.

Why don't you give us a step by step on how easy it is to bypass their DRM? How do you write a software crack? How about overcoming WGA?

You can't can you, that's because even when pirating you let other smarter people do the work for you.

kastenbrust
Feb 3, 2009, 07:34 AM
Just had a co-worker bring in a G4 PowerPC Desktop with Tiger which a friend of his owns and it caught a virus from a windows XP machine in his home network. Both machines on the same network.

His friend got this nasty virus when he searched for the Mac version of Firefox on his XP machine and downloaded a copy unknowingly with a payload with it from the net. He didn't even install the file yet....the XP machine started acting strangely and suddenly the Mac started exhibiting the same behaviour as the XP machine.

I think he installed it on his Mac though...

I suspect it infected both through bonjour which is installed on both machines with itunes.

He couldn't launch any APPs on his Mac nor his PC... everything was screwed up.

the only option was to rebuild.

So it looks like the Mac virus WAR has started....what is interesting is they are making the viruses to infect all versions of the machines..

Windows, Intel Macs & PPC Macs

I should just say that's impossible for so so so many reasons.

MacFever
Feb 3, 2009, 07:45 AM
I should just say that's impossible for so so so many reasons.


From what I've been told he installed the mac version of firefox that he found from another source on the net and while installing on the Mac his zonealarm on his XP asked for him to allow something in...

I suspect it executed something else on his XP machine.

Not sure how but it did.

we are puzzled also...never heard of anything like this happening..with both versions of the virus for windows and mac.

I suppose it's the same idea of bundling ppc and intel apps in one package...and probably looks for other machines whether windows or macs to put infected files and I think he did say it only started happening after he rebooted the XP machine meanwhile his Mac already had the signs. I suspect it could put the windows version in the startup folder and let it execute on boot.

ihabime
Feb 3, 2009, 07:48 AM
Whatever problem your friend's Mac is having, there is zero chance that it was caused by downloading a firefox installer on a networked PC. Cross platform viruses are non-existent, aside from a few warnings about malicious Office scripts a long time ago.

There's absolutely no chance that a PPC firefox installer could infect both. None, nada, zip, zilch.

Just had a co-worker bring in a G4 PowerPC Desktop with Tiger which a friend of his owns and it caught a virus from a windows XP machine in his home network. Both machines on the same network.

His friend got this nasty virus when he searched for the Mac version of Firefox on his XP machine and downloaded a copy unknowingly with a payload with it from the net. He didn't even install the file yet....the XP machine started acting strangely and suddenly the Mac started exhibiting the same behaviour as the XP machine.

I think he installed it on his Mac though...

I suspect it infected both through bonjour which is installed on both machines with itunes.

He couldn't launch any APPs on his Mac nor his PC... everything was screwed up.

the only option was to rebuild.

So it looks like the Mac virus WAR has started....what is interesting is they are making the viruses to infect all versions of the machines..

Windows, Intel Macs & PPC Macs

EmperorDarius
Feb 3, 2009, 08:23 AM
From what I've been told he installed the mac version of firefox that he found from another source on the net and while installing on the Mac his zonealarm on his XP asked for him to allow something in...

I suspect it executed something else on his XP machine.

Not sure how but it did.

we are puzzled also...never heard of anything like this happening..with both versions of the virus for windows and mac.

I suppose it's the same idea of bundling ppc and intel apps in one package...and probably looks for other machines whether windows or macs to put infected files and I think he did say it only started happening after he rebooted the XP machine meanwhile his Mac already had the signs. I suspect it could put the windows version in the startup folder and let it execute on boot.

It's a strange yet interesting story.

The only cross-platform virus is a proof of concept made by Kaspersky Lab (2006), but which infects Linux and Windows machines only.

Sehnsucht
Feb 3, 2009, 08:43 AM
As someone who has paid for every copy of software that I own, including iLife 09 (which needs to hurry up and get here) and Adobe Creative Suite CS4, I have NO sympathy.

Looks like the recurring theme is downloading pirated software, it serves them right !!

I own a legit copy of iWork '09 and a 30-day trial version of Photoshop CS4 (only 9 more days left.) :( Personally I can handle $79 for iWork. Now, although I'm definitely not a software thief, I can understand why the Adobe suite is pirated. It's too hella-*********-EXPENSIVE!!! I mean, SEVEN THOUSAND BUCKS for ********* software?! :eek: I could buy a maxed-out 17" MacBook Pro or a midrange Mac Pro with that! I could buy a small Honda!!! :eek:

By the way, I realize that the Adobe suite is professional software and they have a right to charge however much they please for it. But still...there are zillions of younger people who don't want the limitations of the Student Edition but can't afford to drop thousands of dollars on the full suite. :( With prices that ridiculous, it's no wonder that piracy is a problem.

ihabime
Feb 3, 2009, 09:07 AM
From what I've been told he installed the mac version of firefox that he found from another source on the net and while installing on the Mac his zonealarm on his XP asked for him to allow something in...

I suspect it executed something else on his XP machine.

Not sure how but it did.

we are puzzled also...never heard of anything like this happening..with both versions of the virus for windows and mac.

I suppose it's the same idea of bundling ppc and intel apps in one package...and probably looks for other machines whether windows or macs to put infected files and I think he did say it only started happening after he rebooted the XP machine meanwhile his Mac already had the signs. I suspect it could put the windows version in the startup folder and let it execute on boot.

It would be nothing like bundling intel and ppc code in a fat binary. OSX uses mach-o executables which allows for linking to different binary files, windows does not. You can't put a windows program inside a mach-o bundle, it won't work.

Your story keeps wavering, you can't quite remember whether the windows PC was acting up first or the Mac. You're not sure whether the installer was run or not. Then of course it might have happened over bonjour. Of course you had to wipe both computers so there are no logs to check, no history to browse and your co-worker's friend can't seem to remember the random site he downloaded firefox from. It's a bit strange that your co-worker's friend would have had to DL firefox from a dodgy site when a google for firefox turns up an entire first page of links to sites owned by mozilla and offering real firefox DLs.

MacFever
Feb 3, 2009, 09:42 AM
I'll have to get more details but it seems as a previous poster alluded to...cross platform viruses are not impossible.

first seen in 06/07

http://www.eweek.com/c/a/Security/CrossPlatform-Sample-Virus-Targets-Windows-Linux/

they warned this could happen to Macs also.

reclusivemonkey
Feb 4, 2009, 02:19 AM
'vast majority'? Yeah that's not a figure pulled out of ass or anything is it.


No, it's not actually,

http://blog.epicedits.com/2008/03/28/60-of-photoshop-users-are-pirates/

but clearly trying to discuss anything with you is a waste of time.

xdcdx
Mar 16, 2009, 11:39 PM
Can somebody email me either of the two versions of the iServices trojan? I want to do some antivirus testing. My email: [edited]
Thanks!

Jethryn Freyman
Mar 17, 2009, 04:26 AM
Can somebody email me either of the two versions of the iServices trojan? I want to do some antivirus testing. My email: agentriot -at- gmail -dot- com

Thanks!

If someone ends up sending you a copy, submit it to the ClamAV developers as well.

Apparently the crack is in the keygen ("keygens" are always a load of trouble.) If the Photoshop torrent has the keygen as a separate file, you should be able to get the .torrent and just download the keygen with the trojan. Unfortunately, the only infected torrent I can find was a single .rar file. I didn't look very hard, though.

It is perfectly legal to download the keygen, as it is not copyrighted software. Just had to point that out in case someone decided to mount their high horse and preach the legality to torrents to me.

xdcdx
Mar 17, 2009, 05:07 PM
Could you post the torrent with the infected .rar? I was not able to find any infected package, it seems people are quite diligent in reporting and removing them.


If someone ends up sending you a copy, submit it to the ClamAV developers as well.

Apparently the crack is in the keygen ("keygens" are always a load of trouble.) If the Photoshop torrent has the keygen as a separate file, you should be able to get the .torrent and just download the keygen with the trojan. Unfortunately, the only infected torrent I can find was a single .rar file. I didn't look very hard, though.

It is perfectly legal to download the keygen, as it is not copyrighted software. Just had to point that out in case someone decided to mount their high horse and preach the legality to torrents to me.

xdcdx
Mar 17, 2009, 10:05 PM
I got hold of iWorkServices.pkg (the iWork '08 version of the virus), here's the VirusTotal analysis data:
- http://www.virustotal.com/analisis/e6c6fe3221848421674a22634e141d93

ClamAV does not detect it, I have already submitted to them. PCTools' iAntiVirus does detect it indeed.

Still looking for the CS4 crack version of the virus.