Printed from http://www.macnn.com

New Mac OS X Trojan horse identified

updated 08:40 am EDT, Fri June 20, 2008

Mac OS X Trojan found

Multiple variants of a new 'Trojan Horse', designed to give a malicious user complete remote access to a Mac OS X system, were discovered in the wild earlier this week, according to SecureMac, maker of Mac anti-spyware and anti-virus solutions. Dubbed 'Applescript.THT Trojan' and disguised as an application bundle called 'AStht_v06' (3.1MB in size), the malware seemingly originated on, and is distributed via, a 'hacker' website, as well as Limewire and iChat. Once it has infiltrated a system, the malicious script can reportedly "log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing". A 'copy cat' program based on the OS X Remote Management exploit was discovered earlier this week.

For added security, and for protection against 'Applescript.THT' as well as other OS X malware, MacScan advises using anti-virus software, including its MacScan 2.5.2 with the latest spyware definitions (2008011); the company also cautions users to download files only from known, trusted sources.




by MacNN Staff

Comments

  1. MacnTX

    Joined: Dec 1969

    +1

    Yawn

    Seems quite funny to me that there are reportedly multiple variants of this trojan discovered in the wild, yet absolutely zero reports of anyone actually being impacted by them. Par for the course with these crying wolf stories.

  1. Peter Bonte

    Joined: Dec 1969

    +2

    antiviri

    Who has antivirus running on OS X? Nobody, so we don't know how many got infected. It's luckily not a virus; it has to be installed like a regular app. The user has to be targeted; most of us don't need to worry, but companies and governments will.

  1. Mr. Strat

    Joined: Dec 1969

    +3

    More bullshit

    Another virus discovered by a company that markets anti-virus products. Hmmm...I wonder...

  1. Marook

    Joined: Dec 1969

    +2

    Who will ever...

    .. install and even auth an app called "AStht_v06"??
    Gee...

  1. bjojade

    Joined: Dec 1969

    +2

    Easy to do.

    This sort of scripting is painfully easy to do especially if the user is running as an admin user. The simple step of running as a non-admin user vastly tightens your security.

    Now, the problem is that this little exploit is a problem with the ARD client that allows non-admin users to run programs as admin users. This creates a big hole in security and will need to be fixed by Apple ASAP.

  1. testudo

    Joined: Dec 1969

    -10

    Re: more bullsh*t

    That's right, it's from an anti-virus company. So it must be garbage.

    And if MS made this announcement, you'd bash them for all the security issues in Windows and ignore it.

    And if Adobe made the announcement, you'd say "bah! what does Adobe know about viruses!"

    Who exactly would you 'trust' to hear such info from?

  1. dampeoples

    Joined: Dec 1969

    +9

    Why,

    We trust it from you, testudo.

  1. das

    Joined: Dec 1969

    +13

    Summary

    Some folks have just recently discovered that, under certain circumstances, a Mac OS X OS component (ARDAgent) enables the local execution of arbitrary code as root. ARDAgent is part of the Apple Remote Desktop remote management framework, and is setuid root. Because of this, and combined with ARDAgent's ability to execute AppleScripts, which in turn allows the execution of shell scripts, arbitrary code can be executed as root by local users with physical access to the system.

    This doesn't work unless the same user is logged in to the console as is executing the code; this is obviously the default scenario for a local user, but it also means that it is only a threat remotely if the same user is logged into the local console (via the GUI) as the remote user, and the remote user already has some level of legitimate access to the machine. However, this can be an issue for public and shared systems, whereby users with physical access can become root.

    It is important to reiterate that this issue cannot be exploited unless someone has physical access to the system, or has legitimate, existing local access AND the same username is logged into the local console (meaning they already also have legitimate local access). This could also be an issue if a local user downloaded and ran untrusted software (e.g., trojan vector).

    ** Systems unaffected:

    Systems with Remote Management (Apple Remote Desktop) enabled for remote management (in System Preferences -> Sharing) are not affected by this issue. This means managed or server environments already using Apple Remote Desktop are not affected.

    ** Workaround: Enable Remote Management or Remote Desktop (in System Preferences -> Sharing).

    On Mac OS X 10.5.x, you can also select "Allow access for: Only these users:" and leave the field blank, essentially allowing no access. This prevents the issue from occurring.

    ** Temporary solution for other standalone systems where enabling the Remote Management setting is not desired: Remove setuid from ARDAgent.

    sudo chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

    For more information, see http://www.macosxhints.com/article.php?story=20080620052233168

    Regards,

    Dave Schroeder
    University of Wisconsin-Madison
    das@doit.wisc.edu
    http://das.doit.wisc.edu
    1 608 265-4737
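As an added, defender-side example (not part of the thread and not from any of the posters): a small POSIX shell audit that reports whether a binary carries the setuid bit, applies the `chmod u-s` workaround quoted in the post above, and verifies that the bit is really gone. The ARDAgent path is the one from the post; the function names and the temporary files are constructed here for illustration.

```shell
#!/bin/sh
# Added example: audit and (optionally) clear the setuid bit on ARDAgent.
# Path as quoted in the post above; on a non-Mac host it simply won't exist.
ARDAGENT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# setuid_state PATH -> prints one of: missing | setuid | clear
setuid_state() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ -u "$1" ]; then
        echo setuid
    else
        echo clear
    fi
}

# clear_setuid PATH -> removes the setuid bit (the post's workaround) and
# re-checks it; returns 0 only if the bit is really gone afterwards.
clear_setuid() {
    chmod u-s "$1" || return 1
    [ "$(setuid_state "$1")" = clear ]
}

# list_setuid DIR -> every setuid file below DIR, one per line; useful as an
# inventory when deciding which other setuid binaries deserve a look.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Stand-alone run: report ARDAgent; pass --fix to apply the workaround (needs root).
main() {
    state=$(setuid_state "$ARDAGENT")
    echo "ARDAgent: $state"
    if [ "$state" = setuid ] && [ "$1" = "--fix" ]; then
        if clear_setuid "$ARDAGENT"; then
            echo "setuid bit removed from ARDAgent"
        else
            echo "chmod failed (run as root?)"
        fi
    fi
}

main "$@"
```

Re-running `setuid_state` after a system update is worthwhile, since an update that reinstalls ARDAgent may restore the setuid bit.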

  1. yakirz

    Joined: Dec 1969

    0

    Testudo is my hero...

    He's saving us from the millions of malware attacks our Macs are in no danger of falling prey to.

    What would we do without his help??!

  1. ophiochos

    Joined: Dec 1969

    +6

    he's not wrong

    If testudo said the sky was blue, the forums would ring with the people insulting him. If he had not put his name to it, you would not have reacted. Judge the post, not the person. Of course a security firm announced it. It's what they do. If the plumber said "your pipes need fixing", would you be surprised? And immediately disbelieve him?
