As reported recently all over the blogosphere, the world’s first Mac-based botnet is active after infiltrating people’s systems in January by way of a trojan hidden inside pirated iWork’09 installers. If you downloaded and installed iWork’09 from a torrent, binary newsgroup, or any other source not from Apple’s trial download links or official DVDs, you have a high likelihood of infection and need to do something about it.
We’re not here to judge — we are here to help. So if you know you’re possibly at risk, you should immediately determine if you are infected or not, and if you are rid yourself of infection.
Manually Determining Infection
To manually determine if you are infected or not, fire up a terminal (run Terminal.app). There are three ways to detect infection and all three should be used for thoroughness. The Trojan masquerades by the name iWorkServices and this is the key to determine infection.
1. Check for the process running
sudo ps aux |grep -i iworkserv |grep -v "grep"
This checks that no process is running containing the name iworkserv on your system. If this returns anything at all, you are most likely infected.
2. Checking for opened file
sudo lsof -i -P|grep -i iworkserv
This checks that no process with the name containing iworkserv has any open files on your system, and no files containing iworkserv are opened by anything else. If this returns anything at all, you are most likely infected.
3. Checking for the files on your hard drive
sudo find / -iname "iworkserv*" -print
This searches your hard drive from top to bottom, inside and out, looking for a file starting with iworkserv. If this returns anything at all, you are most likely infected.
Quick Detection and Removal
The people over at SecureMac have posted a simple (and free) tool that will detect and rid you of infection. If you even think there’s a slight chance of infection, you should run this. This will scan your system and inform you if you need to clean the infection. If so, it will offer to clean it for you. For peace of mind, you can test manually with the steps above before and after cleaning, to ensure removal is complete.
There is a strong debate relating to how necessary virus checking is for Macs. The situation is clearly becoming more risky, so I take the middle ground by running the full MacScan software as a scheduled process once a week. This gives me peace of mind that I will identify anything within a week, without slowing down my system with a constantly running process checking every file I open.
But crucially (and I cannot stress this enough), the most effective prevention is to be careful what you download and install — and especially be careful what you enter your admin password for. I’ve never had an infection on Windows or Mac in my life and they’re not hard to avoid if you keep your systems updated with security patches and don’t download and install without prejudice. Just as you look left and right before you cross the road, look before you install.