Researchers spot Mac Trojan in the wild

Computerworld - Security researchers reported last week that they have spotted a Mac Trojan horse in the wild that could compromise machines running Apple Inc.'s Mac OS X 10.4 or 10.5.

Last Thursday, SecureMac, a Mac-specific vendor of antivirus tools, posted an alert saying that its researchers had found a Trojan horse, dubbed "AppleScript.THT," being distributed from a hacker-operated site where discussions of spreading the malware via iChat, Apple's instant messaging and video chat software, were also taking place.

The company classified the threat posed by the Trojan as "critical."

The malware exploits a recently publicized vulnerability in the Apple Remote Desktop Agent (ARDAgent), part of Tiger's and Leopard's Remote Management component. Composed as a compiled AppleScript, or in another variant, script bundled into an application, the Trojan leverages the ARDAgent bug to gain full control of the victimized Mac.

"[It] allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging," claimed SecureMac. "Additionally, the Trojan can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing."

SecureMac's warning came one day after an anonymous reader disclosed a few details of the ARDAgent vulnerability on Slashdot, and on the same day that rival security vendor Intego provided more information about the bug.

Malicious AppleScript, said Intego, can call ARDAgent, which then gives that script full "root" access to the system. "When an application enables a root privilege escalation of this type, any malicious code that is run may have devastating effects. These may range from deleting all the files on the Mac to more pernicious attacks such as changing system settings and even setting up periodic tasks to perform them repeatedly," Intego's warning read.

Like any Trojan horse, AppleScript.THT does not spread on its own but relies on user actions, such as downloading and launching, to infect a machine. Trojans can also be silently introduced on a computer if it's injected after a successful attack using another vulnerability, such as a browser bug.

Some researchers downplayed the threat. Thomas Ptacek of Matasano Security LLC, a New York-based security consultancy, said the ARDAgent vulnerability wasn't much of a concern.

"Who cares if someone busts root on your Mac?" Ptacek said in a Thursday entry on the Matasano blog. "It's a single-user system. I'll let you in on a Matasano state secret: if you break [my user] account, I'm in trouble. If you're malware and just trying to spread, or redirect my browser to phishing pages, you're wasting your time with this 'root' silliness."

Ptacek and others have noted that users can protect themselves by removing ARDAgent from its normal location, which is System/Library/CoreServices/RemoteManagement, and archiving the application.