Mac security software maker Intego discovered last week the so called “OSX.Trojan.iServices.A" in pirated copies of Apple's iWork '09 downloaded from BitTorrent file sharing networks. According to Intego, “The actual Photoshop installer is clean, but the Trojan horse is found in a crack application that serializes the program.”

While the copy of Photoshop in the torrent is legitimate, the crack application accompanying it, which offers illegal serial numbers for CS4, is not. Apple unveiled iWork '09 at Macworld Conference & Expo on Jan. 6 when it touted changes and additions to Pages, the suite's word processor, and Numbers, its spreadsheet application.

IWork '09 retails for $79. Apple also offers a free 30-day trial version that does require a serial number, delivered via e-mail at the time of payment, in order to run as a fully functional version.

But when you run the downloaded serial cracker, it first installs a backdoor in /var/tmp/ using a random name, making it hard to identify and remove. Then it asks for an admin name and password, which is then used to install a startup item in /System/Library/StartupItems/DivX with root privileges. Once it launches, it saves a hash of your machine's root password and ostensibly transmits the password when requested by the malware writer. Intego also says that the trojan makes repeated connections to two IP addresses, therefore succeeding in downloading additional components to the infected computer.

Intego said that iWork '09 download traffic on file-sharing sites has been brisk, claiming that as of early Wednesday, 20,000 copies had been downloaded.

In other words, as sad as this may seem, the carefree days of malware-free Macs are gone.