Nasty MacOS X Trojans In The Wild….. Oh Noes!

The word on the street is that a trojan now exists for MacOS X that exploits a “root” vulnerability in Apple Remote Desktop Agent in Mac OS X 10.4 and 10.5:

“The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing. The Trojan horse exploits a recently discovered vulnerability with the Apple Remote Desktop Agent, which allows it to run as root.”

The Apple Remote Desktop Agent that this article speaks of is the piece of software built into MacOS X that allows you to control your computer from another computer. The details of the vulnerability in question have been discussed at length at Slashdot. If you’re a home user, you’d likely never have to use this aspect of Mac OS X, so I would follow these directions to protect yourself.

A second trojan disguises itself as a poker game to get onto your system. Once there, it does the following:

“The Trojan horse, when run, activates ssh on the Mac on which it is running, then sends the user name and password hash, along with the IP address of the Mac, to a server. It asks for an administrator’s password after displaying a dialog saying, “A corrupt preference file has been detected and must be repaired.” Entering the administrator’s password enables the program to accomplish its tasks. After gaining ssh access to a Mac, malicious users can attempt to take control of them, delete files, damage the operating system, or much more.”

This sounds nasty, but it requires your interaction to do any sort of damage. Therefore you need to practice safe computing and never download and install software from untrusted sources or questionable web sites. Also, if something suddenly appears on your Mac asking you for your password, and you are NOT installing software or changing system settings, don’t type your password in.

Now that Apple has raised the profile of the Mac, you can fully expect to see more of this as hackers and script kiddies target the Mac. Hopefully Apple steps up its game to keep its user base safe. Given that it has been criticized in the past for not doing that, I hope this forces them to improve their response to issues like these.
