Hardware and Software
>
Apple
>
Apple Hardware and Devices
>
News Stories
>
Latest Mac OS X Trojan Might Be Sign of Things to…
Latest Mac OS X Trojan Might Be Sign of Things to Come
0
It’s been more than 10 days since the latest AppleScript.THT Trojan horse for Mac OS X reared its ugly head, yet still no word or fix from Apple. The new threat to versions 10.4 and 10.5 is classified as critical by the SecureMac security site, exploits a hole in the Apple Remote Desktop Agent to completely overtake an infected Mac and delete files and wreak other kinds of havoc. This threat, discovered on June 19, was made public on the SecureMac site a week ago today.
There have been a few rumblings on Apple’s discussion forums, but to date, no official advice from the company. Two others Trojans were reported earlier in June involving an ARDAgent executing code as a root user. In all cases, the offending file must be downloaded and executed.
The threat “is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size),” according to the warning. Moving itself to the /Library/Caches folder, it runs hidden, and unless renamed, can be found there as “AStht_06.app.” It also adds itself to the System Login Items, and turns on file sharing, Web sharing and remote login.
The latest version of SecureMac’s US$29.95 MacScan tool can remove this Trojan, earlier versions of the threat, the PokerStealer 1.0 virus and numerous other malware. You can also get a free trial of the tool.
In a June 20 posting on his Security Fix blog, Brian Krebs of the Washington Post, explores the threat in detail, and reports of Apple’s apparent lack of concern. And in a post on June 23, Krebs reports of a template that hackers can use to further exploit the vulnerability. It may be less vulnerable than Windows, but Mac OS X is clearly not immune.
Related Article: Is MAC OS capable of opening HTML files?
is a Apple discussion thread by tomcruise3230 that has 6 replies, was last updated 5 years ago and has been tagged with the keywords: mac-software.
- Virus on Mac OS 10.4.10 - 2 replies
- Solved: Mac Excel X won't open CVS created on Windows - 1 reply
- Help on MacDrive (Windows Program) for Mac OS - 2 replies
- Installing Ubuntu under OS X using VMWare Fusion - 10 replies
- mac os 9 - 8 replies
- HELP!! With Mac OS 9.1 don't know login and password - 3 replies
- Transferring files from Windows to Mac OS 9 - 1 reply
- News Story: Mac Attack - 2 replies
- How to convert excellent DVD?HELP!!!!!!!!! - 5 replies
What irks me is that virtually any Macintosh made within the last 3 years, and/or running Mac OS X 10.4 or later has had a security vulnerability that allows any user on the system to gain unrestricted root access through a single command. And that's pretty much ANY computer running Tiger -- you don't need to be running Apple Remote Desktop in order to be vulnerable; ARDAgent still runs for some odd reason.
To make matters worse, today security updates were released alongside the 10.5.3 update, and from what I can tell, those updates don't even touch ARDAgent, so we can see how concerned Apple is about this right now. I'm certainly glad I fixed the permissions on ARDAgent myself on all my Macs.
For anyone interested: here's the Terminal command you should run to fix the permissions on ARDAgent. Cleverly, this command takes advantage of ARDAgent's own security vulnerability to perform the fix:
osascript -e 'tell app "ARDAgent" to do shell script "chmod 0555 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"'; John A
Vampirical Lurker
Team Colleague
7,633 posts since Apr 2006
Reputation Points: 2,233
Solved Threads: 340
Skill Endorsements: 7
Interesting. Thanks for the fix. I must admit I'm a bit of a Mac outsider, but not for long. I'm expecting my shiny new MacBook Pro today, and I'll be sure to lock down ARDAgent!
EddieC
Posting Whiz in Training
Staff Writer
303 posts since Apr 2008
Reputation Points: 10
Solved Threads: 1
Skill Endorsements: 0
You
© 2013 DaniWeb® LLC
Page rendered in 0.2861 seconds
using 2.66MB
RSS Feed