
New Mac OS X Trojan horse identified

updated 08:40 am EDT, Fri June 20, 2008

Mac OS X Trojan found

Multiple variants of a new Trojan horse that gives an attacker full remote control of a Mac OS X system were found in the wild earlier this week, according to SecureMac, maker of the MacScan anti-spyware and anti-virus software. Dubbed 'AppleScript.THT', the malware is disguised as a 3.1MB application bundle named 'AStht_v06'; it seemingly originated on, and is distributed through, a 'hacker' website, as well as via LimeWire and iChat. Once it is on the system, the malicious script can reportedly "log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing". A 'copycat' program based on the OS X Remote Management (ARDAgent) exploit was discovered earlier this week.

For added protection against AppleScript.THT and other OS X malware, SecureMac recommends running anti-virus software, including its own MacScan 2.5.2 with the latest spyware definitions (2008011), and cautions users to download files only from known, trusted sources.

by MacNN Staff



  1. MacnTX




    Seems quite funny to me that there are reportedly multiple variants of this trojan discovered in the wild, yet absolutely zero reports of anyone actually being impacted by them. Par for the course with these crying wolf stories.

  1. Peter Bonte




    Who has antivirus running on OS X? Nobody, so we don't know how many got infected. Luckily it's not a virus; it has to be installed like a regular app. The user has to be targeted, so most of us don't need to worry, but companies and governments will.

  1. Mr. Strat



    More bullshit

    Another virus discovered by a company that markets anti-virus products. Hmmm...I wonder...

  1. Marook



    Who will ever...

    .. install and even auth an app called "AStht_v06"??

  1. bjojade



    Easy to do.

    This sort of scripting is painfully easy to do especially if the user is running as an admin user. The simple step of running as a non-admin user vastly tightens your security.

    Now, the problem is that this little exploit is a problem with the ARD client that allows non admin users to run programs as admin users. This creates a big hole in security and will need to be fixed by Apple ASAP.

  1. testudo



    Re: more bullsh*t

    That's right, it's from a anti-virus company. So it must be garbage.

    And if MS made this announcement, you'd bash them for all the security issues in Windows and ignore it.

    And if Adobe made the announcement, you'd say "bah! what does Adobe know about viruses!"

    Who exactly would you 'trust' to hear such info from?

  1. dampeoples




    We trust it from you, testudo.

  1. das




    Some folks have just recently discovered that, under certain circumstances, a Mac OS X OS component (ARDAgent) enables the local execution of arbitrary code as root. ARDAgent is part of the Apple Remote Desktop remote management framework, and is setuid root. Because of this, and combined with ARDAgent's ability to execute AppleScripts, which in turn allows the execution of shell scripts, arbitrary code can be executed as root by local users with physical access to the system.

    This doesn't work unless the same user is logged in to the console as is executing the code; this is obviously the default scenario for a local user, but it also means that it is only a threat remotely if the same user is logged into the local console (via the GUI) as the remote user, and the remote user already has some level of legitimate access to the machine. However, this can be an issue for public and shared systems, whereby users with physical access can become root.

    It is important to reiterate that this issue cannot be exploited unless someone has physical access to the system, or has legitimate, existing local access AND the same username is logged into the local console (meaning they already also have legitimate local access). This could also be an issue if a local user downloaded and ran untrusted software (e.g., trojan vector).

    ** Systems unaffected:

    Systems with Remote Management (Apple Remote Desktop) enabled for remote management (in System Preferences -> Sharing) are not affected by this issue. This means managed or server environments already using Apple Remote Desktop are not affected.

    ** Workaround: Enable Remote Management or Remote Desktop (in System Preferences -> Sharing).

    On Mac OS X 10.5.x, you can also select "Allow access for: Only these users:" and leave the field blank, essentially allowing no access. This prevents the issue from occurring.

    ** Temporary solution for other standalone systems where enabling the Remote Management setting is not desired: Remove setuid from ARDAgent.

    sudo chmod u-s /System/Library/CoreServices/RemoteManagement/

    For more information, see


    Dave Schroeder
    University of Wisconsin-Madison
    1 608 265-4737
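The check and workaround in the post above, written up as an added example for this page (it is not code from the original post, from Apple or from SecureMac): a small audit-then-fix script that tells you whether ARDAgent is still setuid root, clears the bit on request, and verifies the result. It assumes the standard location of the ARDAgent executable on Mac OS X 10.4/10.5, which the truncated chmod command above does not show.

```shell
#!/bin/sh
# Added example; not code from the original post, from Apple, or from SecureMac.
# Packages the workaround described above (drop the setuid bit on ARDAgent)
# as an audit-then-fix routine with a verification step.
#
# ASSUMPTION: ARDAGENT_PATH is where ARDAgent's executable lives on
# Mac OS X 10.4/10.5; the chmod command in the post above is truncated, so
# the full path here comes from the editor, not from the page.
ARDAGENT_PATH="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# Permission string of a file, e.g. "-rwsr-xr-x". ls(1) is used instead of
# stat(1) because stat takes different flags on BSD/macOS and GNU systems.
perm_string() {
    ls -ld "$1" | awk '{print $1}'
}

# Owner of a file as printed by ls -l.
file_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# Exit 0 if the setuid bit is set on $1, 1 if it is not, 2 if $1 is absent.
# The fourth character of the permission string is the user-execute slot;
# it reads 's' (or 'S' if the file is not executable) when setuid is set.
is_setuid() {
    [ -e "$1" ] || return 2
    case "$(perm_string "$1" | cut -c4)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# Exit 0 only when $1 is setuid AND owned by root: the combination that lets
# a local user reach root through ARDAgent's AppleScript "do shell script"
# handler. Otherwise returns is_setuid's status (1 or 2).
is_setuid_root() {
    is_setuid "$1" || return $?
    [ "$(file_owner "$1")" = "root" ]
}

# Clear the setuid bit on $1 and verify it is really gone (exit 0 on success).
# On the real ARDAgent path this has to run as root, e.g. under sudo.
drop_setuid() {
    chmod u-s "$1" || return 1
    if is_setuid "$1"; then return 1; fi
    return 0
}

# Audit one path (default: ARDAGENT_PATH); pass "fix" as $2 to remediate.
# Prints one line starting with EXPOSED, OK or MISSING and returns
# is_setuid_root's status for that path.
audit_ardagent() {
    target="${1:-$ARDAGENT_PATH}"
    if is_setuid_root "$target"; then rc=0; else rc=$?; fi
    case "$rc" in
        0)
            echo "EXPOSED: $target is setuid root ($(perm_string "$target"))"
            if [ "$2" = "fix" ]; then
                drop_setuid "$target" && echo "FIXED: $target is now $(perm_string "$target")"
            fi
            ;;
        1) echo "OK: $target is not setuid root" ;;
        *) echo "MISSING: $target not found (ARD not installed, or not Mac OS X)" ;;
    esac
    return "$rc"
}

# Stand-alone use:   sh ardagent_audit.sh          (report only)
#                    sudo sh ardagent_audit.sh fix  (clear the setuid bit)
audit_ardagent "$ARDAGENT_PATH" "${1:-}" || true
```

Run it without arguments first and look for the EXPOSED line before touching anything; the post above calls clearing the bit a temporary solution, so re-run the audit after any software update in case the original permissions come back.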

  1. yakirz



    Testudo is my hero...

    he's saving us from the millions of malware attacks our Macs are in no danger of falling prey to.

    What would we do without his help??!

  1. ophiochos



    he's not wrong

    if testudo said the sky was blue, the forums would ring with the people insulting him. If he had not put his name to it, you would not have reacted. Judge the post not the person. Of course a security firm announced it. It's what they do. If the plumber said "your pipes need fixing" would you be surprised? And immediately disbelieve him?
