Giveaway: Bracketron Case If outdoor adventures are in your future this summer, enter to win a Bracketron Sport Case with Mount Strap from MacNN and keep that iPhone, iPod or other electronic device safe from the elements.      
toggle

AAPL Stock: 454.74 ( + 1.77 )

http://www.macnn.com/articles/08/06/20/mac.os.x.trojan.found/

New Mac OS X Trojan horse identified

updated 08:40 am EDT, Fri June 20, 2008

 

Mac OS X Trojan found


Multiple variants of a new 'Trojan Horse', designed to allow a malicious user complete remote access to a Mac OS X system have been discovered in the wild earlier this week according to makers of Mac anti-spyware and anti-virus solutions SecureMac. Dubbed 'Applescript.THT Trojan' and disguised as an application bundle called 'AStht_v06' (3.1MB in size), the malware seemingly originated, and is distributed via a 'hacker' website, as well as Limewire and iChat. Post system infiltration, the malicious script can reportedly "log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing". A 'copy cat' program based on the OS X Remote Management exploit was discovered earlier this week.

For added security, and protection against 'Applescript.THT' as well as other OS X malware, Macscan advises using anti-virus software, including its Macscan 2.5.2 with the latest spyware definitions (2008011); the company also cautions users to download files only from known, trusted sources.


by MacNN Staff

Post tools:

TAGS :

 software, trojan, Mac OS X, exploit

Related Articles

Recent Articles

toggle

Comments

  1. MacnTX

    Fresh-Faced Recruit

    Joined: Apr 2004

    +1
    06/20, 09:58am | report spam | (1 reply) Reply |

    Yawn

    Seems quite funny to me that there are reportedly multiple variants of this trojan discovered in the wild, yet absolutely zero reports of anyone actually being impacted by them. Par for the course with these crying wolf stories.

  1. Peter Bonte

    Fresh-Faced Recruit

    Joined: Aug 2001

    +2
    06/20, 10:25am | report spam | Reply |

    antiviri

    Who has antivirus running on osX ? Nobody so we don't know how many got infected. Its luckily not a virus, it has to be installed like a regular app. The user has to be targeted, most of us don't need to worry but company's and governments will.

  1. Mr. Strat

    Junior Member

    Joined: Jan 2002

    +3
    06/20, 10:26am | report spam | (1 reply) Reply |

    More bullshit

    Another virus discovered by a company that markets anti-virus products. Hmmm...I wonder...

  1. Marook

    Forum Regular

    Joined: May 1999

    +2
    06/20, 10:37am | report spam | Reply |

    Who will ever...

    .. install and even auth an app caled "AStht_v06" ??
    Gee...

  1. bjojade

    Fresh-Faced Recruit

    Joined: Jun 2007

    +2
    06/20, 10:42am | report spam | Reply |

    Easy to do.

    This sort of scripting is painfully easy to do especially if the user is running as an admin user. The simple step of running as a non-admin user vastly tightens your security.

    Now, the problem is that this little exploit is a problem with the ARD client that allows non admin users to run programs as admin users. This creates a big hole in security and will need to be fixed by Apple ASAP.

  1. testudo

    Forum Regular

    Joined: Aug 2001

    -10
    06/20, 10:43am | report spam | Reply |

    Re: more bullsh*t

    That's right, it's from a anti-virus company. So it must be garbage.

    And if MS made this announcement, you'd bash them for all the security issues in windows and ignore it.

    And if Adobe made the announcement, you'd say "bah! what does Adobe know about viruses!"

    Who exactly would you 'trust' to hear such info from?

  1. dampeoples

    Mac Elite

    Joined: Jul 2002

    +9
    06/20, 11:30am | report spam | Reply |

    Why,

    We trust it from you, testudo.

  1. das

    Fresh-Faced Recruit

    Joined: Jan 2001

    +13
    06/20, 11:52am | report spam | Reply |

    Summary

    Some folks have just recently discovered that, under certain circumstances, a Mac OS X OS component (ARDAgent) enables the local execution of arbitrary code as root. ARDAgent is part of the Apple Remote Desktop remote management framework, and is setuid root. Because of this, and combined with ARDAgent's ability to execute AppleScripts, which in turn allows the execution of shell scripts, arbitrary code can be executed as root by local users with physical access to the system.

    This doesn't work unless the same user is logged in to the console as is executing the code; this is obviously the default scenario for a local user, but it also means that it is only a threat remotely if the same user is logged into the local console (via the GUI) as the remote user, and the remote user already has some level of legitimate access to the machine. However, this can be an issue for public and shared systems, whereby users with physical access can become root.

    It is important to reiterate that this issue cannot be exploited unless someone has physical access to the system, or has legitimate, existing local access AND the same username is logged into the local console (meaning they already also have legitimate local access). This could also be an issue if a local user downloaded and ran untrusted software (e.g., trojan vector).

    ** Systems unaffected:

    Systems with Remote Management (Apple Remote Desktop) enabled for remote management (in System Preferences -> Sharing) are not affected by this issue. This means managed or server environments already using Apple Remote Desktop are not affected.

    ** Workaround: Enable Remote Management or Remote Desktop (in System Preferences -> Sharing).

    On Mac OS X 10.5.x, you can also select "Allow access for: Only these users:" and leave the field blank, essentially allowing no access. This prevents the issue from occurring.

    ** Temporary solution for other standalone systems where enabling the Remote Management setting is not desired: Remove setuid from ARDAgent.

    sudo chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

    For more information, see http://www.macosxhints.com/article.php?story=20080620052233168

    Regards,

    Dave Schroeder
    University of Wisconsin-Madison
    das@doit.wisc.edu
    http://das.doit.wisc.edu
    1 608 265-4737

  1. yakirz

    Fresh-Faced Recruit

    Joined: Oct 2001

    0
    06/20, 08:08pm | report spam | Reply |

    Testudo is my hero...

    he's saving us from the millions of malware attacks our Macs are in no danger of falling prey to.

    What would we do without his help??!

  1. ophiochos

    Fresh-Faced Recruit

    Joined: Nov 2006

    +6
    06/20, 08:41pm | report spam | Reply |

    he's not wrong

    if testudo said the sky was blue, the forums would ring with the people insulting him. If he had not put his name to it, you would not have reacted. Judge the post not the person. Of course a security firm announced it. It's what they do. If the plumber said "your pipes need fixing" would you be surprised? And immediately disbelieve him?

Show More Comments

Login Here

Not a member of the MacNN forums? Register now for free.

 
close
Photo
toggle

Network Headlines

toggle

Most Popular

MacNN Sponsor

Recent Reviews

HTC One

It is hard to understate just how critically important the HTC One is to the Taiwanese company’s fortunes. Despite its alarming declin ...

Samsung Galaxy S 4

Samsung's new flagship Android smartphone, the Galaxy S 4, faces even stiffer competition than its popular predecessor. With a five-in ...

HighPoint RocketU 1144CM USB 3.0 PCI-E card

Apple was one of the first -- if not the first -- major computer manufacturers to provide then-fledgling USB support at the expense of ...

toggle

Most Commented

 

Popular News