Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Security Firm Reports Trojan Targets Macs


  • Please log in to reply
No replies to this topic

#1 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:49 AM

Posted 29 June 2008 - 04:17 AM

Saturday, June 28, 2008 11:10 AM PDT
Security researchers reported recently that they have spotted a Mac Trojan horse in the wild that could compromise machines running Apple Inc.'s Mac OS X 10.4 or 10.5.

Last week, SecureMac, a Mac-specific vendor of antivirus tools, posted an alert saying that its researchers had found a Trojan horse, dubbed "AppleScript.THT," being distributed from a hacker-operated site where discussions of spreading the malware via iChat, Apple's instant messaging and video chat software, were also taking place.

The company classified the threat posed by the Trojan as "critical."

The malware exploits a recently publicized vulnerability in the Apple Remote Desktop Agent (ARDAgent), part of Tiger's and Leopard's Remote Management component. Composed as a compiled AppleScript, or in another variant, script bundled into an application, the Trojan leverages the ARDAgent bug to gain full control of the victimized Mac.

"[It] allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging," claimed SecureMac. "Additionally, the Trojan can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing."

SecureMac's warning came one day after an anonymous reader disclosed a few details of the ARDAgent vulnerability on Slashdot, and on the same day that rival security vendor Intego provided more information about the bug.

Malicious AppleScript, said Intego, can call ARDAgent, which then gives that script full "root" access to the system. "When an application enables a root privilege escalation of this type, any malicious code that is run may have devastating effects. These may range from deleting all the files on the Mac to more pernicious attacks such as changing system settings and even setting up periodic tasks to perform them repeatedly," Intego's warning read.

Like any Trojan horse, AppleScript.THT does not spread on its own but relies on user actions, such as downloading and launching, to infect a machine. Trojans can also be silently introduced on a computer if it's injected after a successful attack using another vulnerability, such as a browser bug.

Some researchers downplayed the threat. Thomas Ptacek of Matasano Security LLC, a New York-based security consultancy, said the ARDAgent vulnerability wasn't much of a concern.

"Who cares if someone busts root on your Mac?" Ptacek said in a Thursday entry on the Matasano blog. "It's a single-user system. I'll let you in on a Matasano state secret: if you break [my user] account, I'm in trouble. If you're malware and just trying to spread, or redirect my browser to phishing pages, you're wasting your time with this 'root' silliness."

Ptacek and others have noted that users can protect themselves by removing ARDAgent from its normal location, which is System/Library/CoreServices/RemoteManagement, and archiving the application.

http://www.pcworld.com/businesscenter/arti...rgets_macs.html

BC AdBot (Login to Remove)

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users