Latest Mac OS X Trojan Might Be Sign of Things to Come
Jun 30th, 2008, 8:26 pm
It’s been more than 10 days since the latest AppleScript.THT Trojan horse for Mac OS X reared its ugly head, yet still no word or fix from Apple. The new threat, which affects versions 10.4 and 10.5 and is classified as critical by the SecureMac security site, exploits a hole in the Apple Remote Desktop Agent to completely take over an infected Mac, delete files and wreak other kinds of havoc. This threat, discovered on June 19, was made public on the SecureMac site a week ago today.
There have been a few rumblings on Apple’s discussion forums, but to date, no official advice from the company. Two other Trojans were reported earlier in June, both involving ARDAgent executing code as root. In all cases, the offending file must be downloaded and executed.
The threat “is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size),” according to the warning. Moving itself to the /Library/Caches folder, it runs hidden, and unless renamed, can be found there as “AStht_06.app.” It also adds itself to the System Login Items, and turns on file sharing, Web sharing and remote login.
The latest version of SecureMac’s US$29.95 MacScan tool can remove this Trojan, earlier versions of the threat, the PokerStealer 1.0 virus and numerous other malware. You can also get a free trial of the tool.
In a June 20 posting on his Security Fix blog, Brian Krebs of the Washington Post explores the threat in detail and reports on Apple’s apparent lack of concern. In a post on June 23, Krebs reports on a template that hackers can use to further exploit the vulnerability. Mac OS X may be less vulnerable than Windows, but it is clearly not immune.
This blog entry was written by Edward J Correia, staff writer aka EddieC. It has been filed under the Web Development category. It has received 2,380 views, 2 comment(s), and 18 linkbacks. It was promoted to featured news status Jun 30th, 2008.
EddieC | Newbie Poster | Jul 1st, 2008
John A | Vampirical Moderator | Jun 30th, 2008
What irks me is that virtually any Macintosh made within the last 3 years, and/or running Mac OS X 10.4 or later has had a security vulnerability that allows any user on the system to gain unrestricted root access through a single command. And that's pretty much ANY computer running Tiger -- you don't need to be running Apple Remote Desktop in order to be vulnerable; ARDAgent still runs for some odd reason.
To make matters worse, today security updates were released alongside the 10.5.3 update, and from what I can tell, those updates don't even touch ARDAgent, so we can see how concerned Apple is about this right now. I'm certainly glad I fixed the permissions on ARDAgent myself on all my Macs.
For anyone interested: here's the Terminal command you should run to fix the permissions on ARDAgent. Cleverly, this command takes advantage of ARDAgent's own security vulnerability to perform the fix:
osascript -e 'tell app "ARDAgent" to do shell script "chmod 0555 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"';
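As an added example (not from the post or its author), a small POSIX shell audit that reports whether a binary still carries the setuid/setgid bits the fix above removes, and rehearses the chmod 0555 step on a constructed temporary file; the ARDAgent path is the one quoted in the comment, everything else is assumed for the demo.

```shell
#!/bin/sh
# Added example: audit a binary for the setuid/setgid bits that let a
# scriptable, root-owned helper run commands as root. Path quoted from the
# comment above; the temp-file demo is constructed for any POSIX system.

ARDAGENT_BIN="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# Print "setuid", "setgid", "setuid+setgid", "none" or "missing" for a path.
privileged_bits() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "missing"
        return 0
    fi
    result=""
    [ -u "$f" ] && result="setuid"                 # set-user-ID bit present
    if [ -g "$f" ]; then                           # set-group-ID bit present
        if [ -n "$result" ]; then result="$result+setgid"; else result="setgid"; fi
    fi
    echo "${result:-none}"
}

# Rehearse the remediation on a constructed file: mode 4755 mimics a
# setuid helper, chmod 0555 is the fix from the comment. Prints "before -> after".
demo_fix() {
    tmp=$(mktemp) || return 1
    chmod 4755 "$tmp"
    before=$(privileged_bits "$tmp")
    chmod 0555 "$tmp"
    after=$(privileged_bits "$tmp")
    rm -f "$tmp"
    echo "$before -> $after"
}

# Real check of the ARDAgent binary; reports "missing" on non-Mac systems.
audit_ardagent() {
    privileged_bits "$ARDAGENT_BIN"
}

# Usage: sh ardagent_audit.sh --audit
case "${1:-}" in
    --audit) echo "ARDAgent: $(audit_ardagent)"; echo "demo: $(demo_fix)" ;;
esac
```

A result of "none" for ARDAgent after the fix means the AppleScript path no longer yields root; "setuid" means the bit is still in place.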