macnn

06/20/2008, 8:40am, EDT

Friday, June 20th

New Mac OS X Trojan horse identified

Multiple variants of a new 'Trojan Horse', designed to give a malicious user complete remote access to a Mac OS X system, were discovered in the wild earlier this week, according to SecureMac, maker of Mac anti-spyware and anti-virus software. Dubbed 'Applescript.THT Trojan' and disguised as an application bundle called 'AStht_v06' (3.1MB in size), the malware seemingly originated on, and is distributed via, a 'hacker' website as well as Limewire and iChat. Once it is on the system, the malicious script can reportedly "log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing". A 'copy cat' program based on the OS X Remote Management exploit was discovered earlier this week.

For added security and protection against 'Applescript.THT' as well as other OS X malware, Macscan advises using anti-virus software, including its Macscan 2.5.2 with the latest spyware definitions (2008011); the company also cautions users to download files only from known, trusted sources.


Filed under: software
Other story tags: Mac OS X, trojan, exploit




13 comments

Yawn

1
06/20, 9:58am, EDT

Seems quite funny to me that there are reportedly multiple variants of this trojan discovered in the wild, yet absolutely zero reports of anyone actually being impacted by them. Par for the course with these crying wolf stories.

Fresh-Faced Recruit
Joined Apr 2004
User is offline

antiviri

2
06/20, 10:25am, EDT

Who has antivirus running on OS X? Nobody, so we don't know how many got infected. It's luckily not a virus; it has to be installed like a regular app. The user has to be targeted; most of us don't need to worry, but companies and governments will.

Fresh-Faced Recruit
Joined Aug 2001
User is offline

More bullshit

3
06/20, 10:26am, EDT

Another virus discovered by a company that markets anti-virus products. Hmmm...I wonder...

Fresh-Faced Recruit
Joined Jan 2002
User is offline

Who will ever...

2
06/20, 10:37am, EDT

.. install and even auth an app called "AStht_v06"??
Gee...

Forum Regular
Joined May 1999
User is offline

Easy to do.

2
06/20, 10:42am, EDT

This sort of scripting is painfully easy to do especially if the user is running as an admin user. The simple step of running as a non-admin user vastly tightens your security.

Now, the problem is that this little exploit is a problem with the ARD client that allows non-admin users to run programs as admin users. This creates a big hole in security and will need to be fixed by Apple ASAP.

Fresh-Faced Recruit
Joined Jun 2007
User is offline

Re: more bullsh*t

-10
06/20, 10:43am, EDT

That's right, it's from an anti-virus company. So it must be garbage.

And if MS made this announcement, you'd bash them for all the security issues in Windows and ignore it.

And if Adobe made the announcement, you'd say "bah! what does Adobe know about viruses!"

Who exactly would you 'trust' to hear such info from?

Fresh-Faced Recruit
Joined Aug 2001
User is offline

Why,

9
06/20, 11:30am, EDT

We trust it from you, testudo.

Mac Elite
Joined Jul 2002
User is offline
das

Summary

13
06/20, 11:52am, EDT

Some folks have just recently discovered that, under certain circumstances, a Mac OS X OS component (ARDAgent) enables the local execution of arbitrary code as root. ARDAgent is part of the Apple Remote Desktop remote management framework, and is setuid root. Because of this, and combined with ARDAgent's ability to execute AppleScripts, which in turn allows the execution of shell scripts, arbitrary code can be executed as root by local users with physical access to the system.

This doesn't work unless the same user is logged in to the console as is executing the code; this is obviously the default scenario for a local user, but it also means that it is only a threat remotely if the same user is logged into the local console (via the GUI) as the remote user, and the remote user already has some level of legitimate access to the machine. However, this can be an issue for public and shared systems, whereby users with physical access can become root.

It is important to reiterate that this issue cannot be exploited unless someone has physical access to the system, or has legitimate, existing local access AND the same username is logged into the local console (meaning they already also have legitimate local access). This could also be an issue if a local user downloaded and ran untrusted software (e.g., trojan vector).

** Systems unaffected:

Systems with Remote Management (Apple Remote Desktop) enabled for remote management (in System Preferences -> Sharing) are not affected by this issue. This means managed or server environments already using Apple Remote Desktop are not affected.

** Workaround: Enable Remote Management or Remote Desktop (in System Preferences -> Sharing).

On Mac OS X 10.5.x, you can also select "Allow access for: Only these users:" and leave the field blank, essentially allowing no access. This prevents the issue from occurring.

** Temporary solution for other standalone systems where enabling the Remote Management setting is not desired: Remove setuid from ARDAgent.

sudo chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

For more information, see http://www.macosxhints.com/article.php?story=20080620052233168

Regards,

Dave Schroeder
University of Wisconsin-Madison
das@doit.wisc.edu
http://das.doit.wisc.edu
1 608 265-4737

Fresh-Faced Recruit
Joined Jan 2001
User is offline
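As an added example, not part of the post above or of anything Apple ships: a small POSIX shell audit that checks whether ARDAgent (at the path the post quotes) still carries the setuid bit and is root-owned, and that applies the post's temporary mitigation (chmod u-s) only when the bit is actually set. The path defaults to the one in the post; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the post or Apple): audit and remove the setuid bit
# that the post identifies on ARDAgent. Default path is the one quoted in the post.
ARDAGENT_DEFAULT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# setuid_state PATH: prints "missing", "setuid" or "clean"; always returns 0.
setuid_state() {
    if [ ! -e "$1" ]; then echo "missing"
    elif [ -u "$1" ]; then echo "setuid"
    else echo "clean"
    fi
}

# file_owner PATH: prints the owner's user name. Uses ls rather than stat
# because stat's flags differ between macOS and Linux.
file_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# drop_setuid PATH: the post's temporary mitigation (chmod u-s), applied only
# when the bit is set; prints the resulting state ("error" if chmod failed).
drop_setuid() {
    if [ "$(setuid_state "$1")" = "setuid" ]; then
        chmod u-s "$1" || { echo "error"; return 0; }
    fi
    setuid_state "$1"
}

# audit_ardagent [PATH]: one-line report. The binary is the risk the post
# describes only when it is both setuid and root-owned, since that is what
# lets an AppleScript executed through it run as root.
audit_ardagent() {
    path="${1:-$ARDAGENT_DEFAULT}"
    state="$(setuid_state "$path")"
    case "$state" in
        missing) echo "$path: not present on this system" ;;
        clean)   echo "$path: setuid bit not set (mitigated)" ;;
        setuid)
            if [ "$(file_owner "$path")" = "root" ]; then
                echo "$path: setuid root - apply chmod u-s or enable Remote Management"
            else
                echo "$path: setuid but not root-owned"
            fi ;;
    esac
}

# Run with no argument on a Mac to report on the real ARDAgent path.
audit_ardagent "$@"
```

Removing the bit needs root (sudo), as in the post; the audit itself does not.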

Testudo is my hero...

0
06/20, 8:08pm, EDT

he's saving us from the millions of malware attacks our Macs are in no danger of falling prey to.

What would we do without his help??!

Fresh-Faced Recruit
Joined Oct 2001
User is offline

he's not wrong

6
06/20, 8:41pm, EDT

if testudo said the sky was blue, the forums would ring with the people insulting him. If he had not put his name to it, you would not have reacted. Judge the post not the person. Of course a security firm announced it. It's what they do. If the plumber said "your pipes need fixing" would you be surprised? And immediately disbelieve him?

Fresh-Faced Recruit
Joined Nov 2006
User is offline