It has been more than 10 days since the latest AppleScript.THT Trojan horse for Mac OS X reared its ugly head, yet there is still no word or fix from Apple. The new threat, which affects versions 10.4 and 10.5 and is classified as critical by the SecureMac security site, exploits a hole in the Apple Remote Desktop Agent (ARDAgent) to take complete control of an infected Mac, delete files and wreak other kinds of havoc. The threat was discovered on June 19 and made public on the SecureMac site a week ago today.
There have been a few rumblings on Apple’s discussion forums, but to date no official advice from the company. Two other Trojans reported earlier in June also abused ARDAgent to execute code as root. In all cases the offending file must be downloaded and executed by the user, so the hole is a local privilege escalation that still depends on tricking someone into running the file.
The threat “is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size),” according to the warning. It moves itself to the /Library/Caches folder and runs hidden; unless it has been renamed, it can be found there as “AStht_06.app.” It also adds itself to the System Login Items and turns on file sharing, Web sharing and remote login, which gives an attacker both persistence across reboots and a remote way back onto the machine.
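Neither the article nor the SecureMac warning gives a way to check a machine for the behaviour described in the two paragraphs above (ARDAgent running code as root; the dropped copy in /Library/Caches, the login item, and the sharing services switched on). The following triage script is an added example written for this page, not code from the article, SecureMac or Apple. The ARDAgent path, the /etc/hostconfig file with its AFPSERVER and WEBSERVER keys, and the idea of grepping an exported login-item plist are my assumptions about the 10.4/10.5 layout, not facts stated on the page; the `osascript` login-item query in the comment is a standard System Events call. Every function takes a root prefix so the checks can be run against a mounted image or, as in the test below, a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the article or SecureMac): look for the
# indicators the article lists for AppleScript.THT. Pass "" as the root
# prefix to check the running system, or a mount point to check an image.

# Names quoted in the SecureMac warning. The Trojan can be renamed, so a
# miss proves nothing and a hit is an indicator, not a full diagnosis.
THT_NAMES="ASthtv05 AStht_v06 AStht_06.app"

# 1. Dropped copy in /Library/Caches. Prints each match; exit 0 if any.
find_tht_drop() {
    root="${1:-}"
    found=1
    for name in $THT_NAMES; do
        if [ -e "$root/Library/Caches/$name" ]; then
            echo "indicator: $root/Library/Caches/$name"
            found=0
        fi
    done
    return $found
}

# 2. Is ARDAgent still setuid? The agent could run commands as root
#    because its binary carried the setuid bit; a fixed system drops it.
#    Path is the 10.4/10.5 location (assumption, not from the article).
#    Exit 0 = setuid bit present, 1 = absent, 2 = binary not found.
ardagent_is_setuid() {
    root="${1:-}"
    agent="$root/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"
    [ -f "$agent" ] || return 2
    [ -n "$(find "$agent" -perm -4000 2>/dev/null)" ]
}

# 3. Sharing services the Trojan switches on. AFP file sharing and Web
#    sharing are flagged in /etc/hostconfig on 10.4/10.5 (assumption);
#    remote login is sshd, checked live with: systemsetup -getremotelogin
#    Exit 0 = at least one flag set, 1 = none, 2 = no hostconfig.
sharing_enabled_in_hostconfig() {
    root="${1:-}"
    hc="$root/etc/hostconfig"
    [ -f "$hc" ] || return 2
    hits=0
    for key in AFPSERVER WEBSERVER; do
        if grep -q "^$key=-YES-" "$hc"; then
            echo "indicator: $key enabled in $hc"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# 4. Login items. On a live Mac the authoritative list is:
#      osascript -e 'tell application "System Events" to get the name of every login item'
#    For offline review, grep an exported (XML) login-item plist for the
#    Trojan's names. Exit 0 = referenced, 1 = not, 2 = plist not found.
login_item_mentions_tht() {
    plist="${1:-}"
    [ -f "$plist" ] || return 2
    for name in $THT_NAMES; do
        if grep -q "$name" "$plist"; then
            echo "indicator: $name referenced in $plist"
            return 0
        fi
    done
    return 1
}

# Aggregate: print how many of the four indicators fired. A check that
# could not run (exit 2) is not counted. Always exits 0.
tht_indicator_count() {
    root="${1:-}"
    plist="${2:-}"
    n=0
    find_tht_drop "$root" >/dev/null && n=$((n + 1))
    ardagent_is_setuid "$root" && n=$((n + 1))
    sharing_enabled_in_hostconfig "$root" >/dev/null && n=$((n + 1))
    login_item_mentions_tht "$plist" >/dev/null && n=$((n + 1))
    echo "$n"
    return 0
}

# Stand-alone run against the live system; override via environment.
# ROOT_PREFIX="/Volumes/Suspect" LOGIN_PLIST=exported.plist sh tht_check.sh
[ -n "${THT_NO_MAIN:-}" ] || tht_indicator_count "${ROOT_PREFIX:-}" "${LOGIN_PLIST:-}"
```

The count is a triage aid, not a verdict: a renamed bundle defeats check 1, and AFP or Web sharing may be on for legitimate reasons. The ARDAgent check is the one worth keeping after cleanup, because the Trojan family described here depends on that binary being setuid, and removing the bundle does not change that.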
The latest version of SecureMac’s US$29.95 MacScan tool can remove this Trojan, earlier versions of the threat, the PokerStealer 1.0 Trojan and numerous other pieces of malware. A free trial of the tool is also available.
In a June 20 posting on his Security Fix blog, Brian Krebs of the Washington Post explores the threat in detail and reports on Apple’s apparent lack of concern. In a June 23 post, Krebs reports on a template that attackers can use to further exploit the vulnerability. Mac OS X may be less exposed than Windows, but it is clearly not immune.