Rare Mac Trojan exploits Apple vuln

A rare Mac OS X Trojan has been spotted on the internet. The AppleScript-THT Trojan horse exploits a vulnerability within the Apple Remote Desktop Agent to load itself with root privileges onto compromised Mac machines. The malware, which is capable of infecting Mac OS X 10.4 and 10.5 boxes, surrenders control of compromised …

COMMENTS

This topic is closed for new posts.


  1. Dana W
    Happy

    So Webster Is calling himself Tom now?

    "users need to download and open the Trojan horse before they become infected."

    Damn, and if I had Windows it would get infected automatically! Stupid Mac!

    If you are dumb enough to install and give a password to a program you got off Limewire, or some stupid porn site you DESERVE a Virus.

    So what you are telling me is I have to manually download, install, and give my password to this terrible sneaky trojan, real stealth. This isn't a virus, it's an intelligence test. Pity you don't spend more time on the crap you can get in Windows by simply leaving ActiveX on.

    Least my bad 'ol "style over substance" Mac does not get owned just by web browsing. I'll just stay a "Mactard" thanks.

  2. Temp

    @ Michael C

    >> When they come out with a virus that can infect a mac that is in a standard state (root not enabled, firewall on, etc) without any user action

    By default, the firewall is *off*, and although there's no root user per se, the default user is a member of group admin, meaning they have sudo access to everything.

    Sure, it's not a "real virus", or, indeed, much of any sort of real news. It is, however, a "real threat" - it's a very basic privilege escalation hole, which is step 1 to a trojan. Combined with some of the more pervasive "hackable" bits of OSX like input managers, it could become a step further towards a "real virus".

    It's far from trivial. I say this as a mac user since 1987.

  3. Robin
    Paris Hilton

    Box?

    Can everyone stop saying "box" instead of "computer" please? As a weasely term to mean a server it's one thing, but laptops and such aren't really that box-like. Admittedly my 'box' from Apple probably does have a big security flaw, in that it has a big flappy hole at the top where I got the computer out.

    I might start referring to my car as a 'shell' or something.

    Rant ends. Thank you for your patience.

    (Paris, cos ... well ...)

  4. DJ

    Hardly original

    "There is no patch for stupidity."

  5. Alexis Vallance
    Black Helicopters

    You guys have forgotten what a real virus is

    Ah, the 6 monthly "Exploit for OS X found!" story.

    Then the usual crap:

    • "Market share is going up, so that's why these things are appearing!"

    • "OS X is no more secure than Windows, it's just market share"

    • "See - Apple don't take security seriously"

    You people want to see what a REAL security risk is like - install Windows XP with no services packs and go onto Google. Sit back and wait. Before you can even get to the Microsoft site to download SP2 or get hold of AVG Free, your machine will be brought to its knees.

    OS X is not 100% secure, but it IS the operating system least likely to run into security problems in everyday use. No question.

  6. Anonymous Coward
    Flame

    Re:You guys have forgotten what a real virus is

    @Alexis Vallance

    Install Windows XP with no 'services' (sic) packs (i.e. a CD from 2002)

    Step 1: TURN ON BUILT IN FIREWALL

    Step 2: Connect to Internet / Turn on automatic updates / Patch machine / whatever you like.

    Is that really so difficult?

    Now for bonus points, explain how this makes the OSX ARD root exploit any less potent please?

  7. J
    Alert

    Oh, my...

    The readership used to be more knowledgeable around here...

    "A virus is just a piece of code running into the system in order to perform malicious activities"

    Bad, bad definitions... Back to school with you. Hint: all computer viruses are malware, but not all malware are viruses.

    Too many people here sound like they have no clue about what a virus is defined as, what a Trojan horse is, etc. Gee, I'm not even an IT guy and I have read the olden documents discussing these things, back in the dark ages of the 1990s...

    "BTW the movie was 1984.. not 1974. unless that was the joke."

    Duh... and you forgot to correct the rest of the joke, BTW.

  8. Anonymous Coward
    Anonymous Coward

    @ Shinku: Cuddling your Jobs dolls

    I prefer to *fondle* my Jobs dolls, thank you very much. :)

    - Mac user since 1994, but none of that Oh-Eh-Sex stuff fer me, no thanks... and oh, actually, my Jobs doll has had some pins stuck in it for the last few years... doesn't seem to be working very well though... I'll have to brush up on my voodoo skills. ;)

    Oh hey, anyway (seriously now), what you wrote, Shinku, was pretty good IMO.

  9. Robbie
    Alert

    @ - James Greenhalgh

    it's 1984.....

  10. Bounty
    Flame

    shhhhh, read this

    http://blog.washingtonpost.com/securityfix/2008/06/new_trojan_leverages_unpatched.html?nav=rss_blog

    So the hackers on the site were discussing self replication via P2P and instant messaging (probably random file names, or stupid stuff like funny_cartoon.app) and it runs as root w/o asking for password. Yeah, that's a virus.

    http://en.wikipedia.org/wiki/Computer_virus (Yeah, I link to Wikipedia, get over it.)

    And for anyone who doesn't know anything (about mac viruses.)

    http://www.viruslist.com/en/analysis?pubid=191968025

  11. Charles Manning

    Here's a Linux/Mac Trojan

    #!/bin/bash

    sudo rm -rf /

    Once you run any untrusted software with admin privs you're open to problems.

  12. Anonymous Coward
    Joke

    A tar-oil winter wash...

    ...will stop you getting worms in your apples.

  13. Clinton

    Definition of a Trojan

    "have to download and install it though, less of a trojan and more of an exploit of un intelligent people methinks"

    A trojan is an exploit that is disguised as something you want. You have to run it for it to be installed. So it's a trojan.

  14. Ted
    Happy

    Another huge YAWN...

    A Mac user has to jump through a lot of hoops to make this "Trojan" work.

    Why does anyone even try? OSX is the most secure OS in common use for a reason, and this is further proof.

    Still no Viruses for OSX in 20 years, too funny!

  15. Kanhef
    Happy

    the creators

    This was written on the MacShadows forum: http://www.macshadows.com/forums/index.php?showtopic=8640

    (seems to be down at the moment, google might have it cached). They just about laughed their asses off at the media reaction. The version the A/V crowd found is actually one of the badly-written ones.

    I wonder what happened to Webster. Maybe he finally drowned in his own bile.

  16. This post has been deleted by its author

  17. Philip
    Thumb Down

    Move along, folks...

    That MacScan guy will say anything to promote his Not-NeededWare™. He's well known for it.

  18. Rab S
    Flame

    trojan def

    "A program that appears legitimate, but performs some illicit activity when it is run"

    Walks like a duck, quacks like a duck... it's a fucking duck and this is a fucking trojan...

    But what the hey, it's on a MAC so it's probably defined as myth, as everybody knows MAC users don't have to worry about this stuff...

  19. Rab S
    Flame

    @Ted

    Still no Viruses for OSX in 20 years, too funny!

    Yeah, since it's only been out since 2001... Hmmm, anti mac troll, unfunny joke or fecking clueless mac user... it's so hard to tell...

  20. Anonymous Coward
    Flame

    Re: Another huge YAWN...

    "A Mac user has to jump through a lot of hoops to make this "Trojan" work."

    "Still no Viruses for OSX in 20 years, too funny!"

    Where to start. Firstly, putting quotation marks around the word trojan doesn't change the fact it's a ****ING TROJAN.

    Secondly, desktop OSX has only been around since 2001 so there goes your '20 years' claim.

    If however you want to go with viruses for 20 years of Mac OS, there were plenty:

    http://search.mcafee.com/search?q=mac&site=us_site.Virus

    And for OSX an example:

    http://antivirus.about.com/od/macintoshresource/p/oompa.htm

    Still people claiming the Mac has "never" had a virus. Too funny.

  21. Kanhef
    Thumb Up

    @Bounty

    That's one of the better articles I've seen. The guy who started the thread was a script kiddie who had no idea how to write code. He stopped posting a couple of pages in.

    "I love how people are 'Oh its nothing' and some are 'Oh MY God, its the Mac death bringer quick buy MacSCan2.200 so that the attackers will just change the MO and your money will be wasted'"

    ( http://64.233.169.104/search?q=cache:1YyF9Bmu5IEJ:www.macshadows.com/forums/index.php%3Fshowtopic%3D8640%26st%3D480 )

  22. Ted
    Happy

    @ anonymous

    OSX is just NeXTSTEP version 8.0, it's the SAME OS that has been around since 1988.

    Yes, the Classic MacOS had around 60 viruses, but none caused any data loss. Most just would make the machine crash, or the famous WDEF that would simply attach itself to files, boring...

    And no, oompa was never considered a virus since it couldn't replicate. It was a benign worm if I remember right.

    Viruses can't be crafted for OS X since the Mac community doesn't allow for them. ZERO in 20 years is a pretty damn good record.

  23. Anonymous Coward
    Flame

    @ Ted

    "Still no Viruses for OSX in 20 years, too funny!"

    "Yes, the Classic MacOS had around 60 viruses"

    "Viruses can't be crafted for OS X since the Mac community doesn't allow for them. ZERO in 20 years is a pretty damn good record."

    Flip / flop / flip - which is it Ted? Either there have been viruses or there haven't. 'The Mac community doesn't allow viruses' - well that's a new one on me. I think however that should read "Whenever a Mac threat appears the Mac community will bend over backwards to redefine what a 'virus' is to the point where, if applied to the number of viruses for Windows, would reduce the total number from 'millions' to 'about three'."

    OSX is not the 'same' OS as 'Next Step'. Sure it draws on it and may share some code, but if it were the 'same' then I would be able to boot up a NEXT box and run, say, iPhoto on it, which of course I cannot. If you had wanted to say NEXT had no viruses then why didn't you say that?

    To be honest Ted the biggest problem with the Mac as a platform are people like you spouting specious crap about how invulnerable Mac OS is. As this exploit - nay - TROJAN - has neatly illustrated yet again, it demonstrably is not the case and you simply contribute to the impression many have that Mac fanboys are twats, thus further alienating them against the platform and from realistic people like me who actually do know what we're talking about and have a difficult time promoting OSX as a result.

  24. Hans
    Boffin

    Weird

    Mine does not have the setuid bit set and NO, before you ask, I did not remove it ... I have 10.5.3.

    Yes, it is a trojan, and it is a valid security threat - I have always said that a Mac is NOT immune, however, what counts is that in 7 years not one virus, a few "trojans" ... compare that to 100 000+ viri and trojans ... and even if they find/create 1000 trojans/viri this year for Mac, windows still has 100x more .... :-)

    Linux and Solaris are just as vulnerable as Mac OS X ... I believe that Windows is more vulnerable by design, though ... and the silly default settings in Windows don't help ...

    Before you ask, OpenBSD is far safer than the rest!

    As for Mac OS 8/9, most viruses were for MS Office ... lol - I only remember 40 for Mac OS 8/9 ... source: Symantec ... but that was way back in 2002.

    BTW, Gilbert Wham, ARD is "slightly more" than remote desktop software ... did I stress slightly? When you don't know, do us & yourself a favor, :-x or go read what it is about.

    Am I the only Solaris fanboy here ? :(
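Hans checks whether his ARD agent binary carries the setuid bit, which is what lets a local flaw in a root-owned agent hand out root. The following POSIX shell audit is an added example, not code from the thread or from any poster; it reports the setuid state and owner of any paths you give it, and the ARD agent path in the sample call is a placeholder because the thread never states it.

```shell
#!/bin/sh
# Added example (not a poster's code): report set-user-ID binaries.
# A setuid file owned by root runs as root for whoever executes it,
# which is exactly the condition behind the thread's privilege-escalation worry.

# setuid_status PATH
#   returns 0 if PATH has the setuid bit, 1 if not, 2 if PATH does not exist
setuid_status() {
    [ -e "$1" ] || return 2
    [ -u "$1" ] && return 0     # -u is the POSIX test for the setuid bit
    return 1
}

# file_owner PATH: print the owner name (works with both GNU and BSD ls)
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# audit_setuid PATH...: print one line per path; return 0 when no
# root-owned setuid file was found, 1 when at least one was
audit_setuid() {
    hit=0
    for p in "$@"; do
        setuid_status "$p" && rc=0 || rc=$?
        case $rc in
            0)
                owner=$(file_owner "$p")
                if [ "$owner" = root ]; then
                    echo "SETUID ROOT: $p"
                    hit=1
                else
                    echo "setuid (owner $owner): $p"
                fi ;;
            1) echo "ok:          $p" ;;
            2) echo "missing:     $p" ;;
        esac
    done
    return $hit
}

# Sample call. The ARD agent path is a PLACEHOLDER (not given in the thread);
# substitute the real path of the agent you want to check.
# audit_setuid /PLACEHOLDER/path/to/ARDAgent
```

A non-zero exit from audit_setuid means at least one root-owned setuid file was found among the paths given, which is the state Hans reports his agent is not in.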

  25. Thomas

    @some of AC, immediately above Hans

    > "Still no Viruses for OSX in 20 years, too funny!"
    >
    > "Yes, the Classic MacOS had around 60 viruses"
    >
    > "Viruses can't be crafted for OS X since the Mac community doesn't allow for
    > them. ZERO in 20 years is a pretty damn good record."
    >
    > Flip / flop / flip - which is it Ted? Either there have been viruses or there
    > haven't.

    His argument is entirely consistent. The Classic OS is an entirely different set of code to OS X. Viruses that were designed for the Classic OS won't function on OS X, in the same way that viruses that were designed for AmigaOS won't function on Windows.

    > 'The Mac community doesn't allow viruses' - well that's a new one on me. I
    > think however that should read "Whenever a Mac threat appears the Mac
    > community will bend over backwards to redefine what a 'virus' is to the point
    > where, if applied to the number of viruses for Windows, would reduce the total
    > number from 'millions' to 'about three'."

    Yeah, "the Mac community doesn't allow viruses" is clearly a ridiculous statement. However, since several Mac users have openly admitted that their OS is not a panacea for security problems on this discussion page, the statement isn't correct even when interpreted as you attempt.

    > OSX is not the 'same' OS as 'Next Step'. Sure it draws on it and may share
    > some code, but if it were the 'same' then I would be able to boot up a NEXT
    > box and run, say, iPhoto on it, which of course I cannot. If you had wanted to
    > say NEXT had no viruses then why didn't you say that?

    Your test is fatuous. Is OS X v10.5 the 'same' OS as OS X v10.4? It can run the same applications. But there are some applications that will run on v10.5 but not v10.4. So if we apply your test then it is possible that A is the same OS as B, but B is not the same OS as A.

    It's probably better to say that OS X is the same OS as NextStep, just a little less than Vista is the same OS as Windows NT.

  26. Anonymous Coward
    Anonymous Coward

    @Viruses etc

    OK, so 1 million Windows viruses / trojans / worms = about 1 per 70 users

    3 OSX viruses / trojans / worms = about 1 per 0.6666667 users

    Oh, and the most important is that whereas in general Windows users have a Sounding-like-a-Twat co-efficient of 0.56 this rises to 4.93 for Mac Fanboys. With the exception of Webster Phreaky who breaks the scale at 9.99998.

  27. Anonymous Coward
    Flame

    @ Thomas

    "His argument is entirely consistent."

    No it isn't. He claims that OSX is 20 years old and has never had a virus. Both points are untrue. He then tries to back pedal and claim he was actually talking about NeXT the whole time, in a Mac news story.

    "The Classic OS is an entirely different set of code to OS X. Viruses that were designed for the Classic OS won't function on OS X, in the same way that viruses that were designed for AmigaOS won't function on Windows."

    Wrong - ever hear of 'Classic'? Or is OSX only 10.5 now?

    "Your test is fatuous. Is OS X v10.5 the 'same' OS as OS X v10.4? It can run the same applications. But there are some applications that will run on v10.5 but not v10.4. So if we apply your test then it is possible that A is the same OS as B, but B is not the same OS as A."

    So you are saying that there are any NeXT apps that will run on OSX? Or that there are any OSX apps that will run on NeXT? It's not the same OS. Derived from, maybe. Not the same. It's also derived from UNIX - so does that mean we can count every UNIX virus against OSX now?

    You cannot compare what was basically a niche OS against commercially available to the average consumer on the street modern OSX in some specious claim that it has 'not had a virus for 20 years'. You might as well claim that Windows was virus free for hundreds of years because it's a more advanced abacus and there were no viruses for the abacus.

    Simple fact is when exploits appear people target boxes that they can get time on to develop, and are likely to benefit from attacking, hence we see this OSX trojan installing a keylogger, turning off logging and other root kit type behaviour.

  28. Ted
    Happy

    @anonymous

    You certainly seem bitter that OSX has the best security track record of any mainstream OS.

    Fact is, NeXTStep and OSX are the same thing, just under a different name. Follow the pretty arrows and you'll clearly see this fact... it starts with NeXTStep 0.8 in 1988.

    http://www.levenez.com/unix/history.html#06

    OSX is the largest installed UNIX in the world by a large margin, so it's much more than a "niche", it's the primary high end OS anyone can buy, and the most secure. 31,400 new OSX boxes come online every 24 hours, nobody is even close to that level of deployment... and still not a SINGLE Virus.

    And what applications will run on 10.5 but not on 10.4? That's a foolish statement. Sure, there might be something extremely obscure, or something that requires hardware that only runs on a 10.5 box, but 99.9% of all 10.4 apps run on 10.5 and vice versa.

    Yes, the Mac Community does not allow for security issues, just like some cities do not allow for "graffiti", they simply have higher standards and ferret out mischief and lock up or prevent those individuals from causing damage in the future. The Mac Community works in the same way, the Windows world does not, that's why it's so "trashy".

    And lastly, you said: "OSX trojan installing"... OSX cannot "install" this benign trojan without lots of effort by the User. Nobody has ever been infected by it so far, nor has it been found in the wild, it's just simply a "clean room" example of a small bug. It's been fix, so time to move on.

  29. Anonymous Coward
    Anonymous Coward

    Mac noobs

    These trojans won't affect the more experienced Mac owners, but I can guarantee it will affect the newbies - you know the sort who have bought iBooks because they are "cool" and were the same people who didn't patch their Windows boxes. Just because the OSX platform is more secure it won't stop stupid users or lazy programmers from being the weak link.

  30. Anonymous Coward
    Flame

    @Ted

    "You certainly seem bitter that OSX has the best security track record of any mainstream OS."

    Wrong. Speaking as someone who owns three Macs, I'm rather happy with the security record of OSX thanks.

    "Fact is, NeXTStep and OSX are the same thing, just under a different name. "

    Wrong. It may be built upon the basis of OPENSTEP which was a derivative of NeXTSTEP but that does not make them the same OS, (and incidentally the niche OS I was referring to is NeXTSTEP, not OSX; unless of course there are a few million users out there I'm not aware of.)

    If you want to claim that OSX is every OS it's ever based on that kind of damages your 'no viruses' claim as we would have to basically factor in every UNIX security threat -ever- seeing as it's based on UNIX and all.

    "And what applications will run on 10.5 but not on 10.4?"

    Time Machine for a start? - but wait - surely that's a NeXTSTEP - no wait - BSD app!

    "Yes, the Mac Community does not allow for security issues,"

    And you have the audacity to claim that _I've_ said something foolish?

    "OSX cannot "install" this benign trojan without lots of effort by the User."

    What - you mean clicking an icon? Perhaps you consider this 'lots of effort' but I and a very large number of other people certainly wouldn't. What if someone blends it with a Safari vulnerability that means it becomes a drive-by install? What if it starts spreading by email to people in the address book? 'Hey click this - it's ok - Macs can't get viruses right?'

    Not been found in the wild? Securemac disagree with you:

    http://www.securemac.com/applescript-tht-trojan-horse.php

    Oh wait - you haven't seen it have you so therefore nobody else in the entire world must have either. 'It's been fix'(sic) has it? How's that then?

    Oh and one other thing:

    "And no, oompa was never considered a virus since it couldn't replicate. it was a benign worm if I remember right."

    You evidently remember wrong. 'oompa' aka OSX/Leap-A spreads via iChat, whereupon it is run by the user at the other end before spreading further over that user's iChat. That is VIRUS behaviour. If it did not spread it would be a TROJAN. If it spread with no human interaction it would be a WORM.

  31. Anonymous Coward
    Flame

    @ted

    Christ, you are like the nightmare fucking Mac user I spent 2 hours trying to explain that entering DNS servers by hand would not break her precious fucking poser box... give me strength... AAAAARGHHHHHH.

    Even our resident Mac evangelist doesn't want to speak to her...
