Intego, makers of VirusBarrier, posted an alert on Thursday 2009-01-22 regarding a newly discovered Trojan horse specific to Mac OS X. They have designated it "OSX.Trojan.iServices.A". It was found in torrented/pirated copies of Apple's iWork 09 installer.
Conclusion: If you have torrented, downloaded or been given any pirated copy of iWork 09, do not install it! Throw it away!
Cures: Intego of course has provided a removal method in the latest malware definitions file for VirusBarrier. The folks at MacScan have also provided a FREE removal tool here.
A MacRumors article about the Trojan can be found here.
How does it work?
1) Included with the iWorks 09 package is an added bogus Trojan package entitled "iWorkServices.pkg". When you install iWork 09, the Trojan is installed along with the legitimate program packages. It is specifically installed as a startup item within your system.
2) According to Intego: "The malicious software connects to a remote server over the Internet; this means that a malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac."
Essentially, you've been zombied. The cracker controlling the program can do anything with your computer. Examples include money making schemes such as stealing your identity, spamming the net or using your machine in a denial of service attack.
For Mac users, this method of infection is entirely new. It can also be used in any other similarly pirated program installer, not just iWorks 09. The only things specific to iWork 09 about this Trojan are the name of the package used and its placement along side all the other installer packages for iWorks 09.
In other words, pirated Mac program installers are now all suspect. Pirates beware.