Network News

X My Profile
View More Activity

New Trojan Leverages Unpatched Mac Flaw

A tool for exploiting an unpatched security hole in Mac OS X systems has been developed and until earlier today was being distributed through an online forum that caters to Mac hackers, Security Fix has learned.

The exploit tool, labeled "Applescript Trojan horse template" by hackers at Macshadows.com, appears to be a collective and ongoing effort to create a package of malicious software that capitalizes on the ARDagent security hole first publicized last week. The vulnerability essentially allows any program to run on a Mac user's machine without first prompting the user to enter his or her user name and password.

The first Macshadows.com post on developing this Trojan, dated May 18.

Currently, the Macshadows user forum appears to have been wiped clean, both from the Macshadows.com Web site and from Google's cache. However, Security Fix obtained screen shots of forum postings from the code's authors, which are sprinkled throughout this blog entry. It appears that development of this malware started back in mid-May.

Security Fix also obtained a copy of the Trojan horse template from an anti-virus industry expert who asked to remain anonymous. An analysis of the code by noted security researcher Dino Dai Zovi indicates that it is designed to be bundled with any downloadable Mac program, with the aim of turning an otherwise legitimate program into an exploit toolkit capable of handing control of the system to attackers.

"This could be bundled with any arbitrary application very easily," Dai Zovi said of the Trojan template. "Most people assume that if something is going to do something dangerous, that it will ask you for your password first, but this won't."

Dai Zovi said the Trojan tries two different exploits to install itself without having to prompt the user for his or her system credentials. One exploit is the aforementioned ARDagent attack; the other is for a privilege escalation vulnerability that Apple patched in 2006. (As an interesting aside, Dai Zovi himself reported that latter vulnerability to Apple back in 2006, only to later learn that exploit code for that same vulnerability had been publicly posted online prior to Apple issuing a patch for the flaw).

Once installed, the Trojan drops a keystroke logger called "logkext" on the Mac user's system. It then sets up a virtual network computing (VNC) server listening on the victim's machine, which would provide an attacker remote access to the victim's computer.

The code also installs a Web-based "PHP shell" program that allows the attackers to remotely manipulate the infected machine using nothing more than a Web browser. That component of the Trojan also sets the victim's system so that it can be tracked using dynamic DNS services, which permit remote users to remain connected to a system even if its numeric Internet address changes over time.

Security Fix contacted "Andrew" -- one author of the malware and an individual whose e-mail address is included in the guts of the malicious code. Andrew said he and friends wanted to test the boundaries of OS X security.

"Apple tells us that OS X is safe and secure and fails to actually confirm that it is so on their own. We are left to experiment and test our own security and too often we discover that we aren't actually as secure as we were led to believe," Andrew said in an e-mail. "When you are seeking information about how to secure your own system, frequently the best sources of that information are hackers, not the vendors."

I want to stress that there is absolutely no evidence that this Trojan is spreading in the wild, despite warnings from Mac anti-virus vendor SecureMac that it has spotted multiple variants of this code.

Still, the exploit code is now out there, and it remains unclear whether Apple intends to address the ADRagent flaw with a patch (Cupertino has yet to respond to my inquiries from last week). In the meantime, Mac users would do well to use one of the stopgap fixes mentioned in this article.

Dai Zovi said the programming approach in the Mac Trojan toolkit resembles the Visual Basic script-based Trojans that were used to infect Windows machines back in the earliest months of this decade.

"What this demonstrates is that regardless of what the larger security community is focused on, people are interested in writing malware for the Mac," Dai Zovi said.

Indeed, Andrew said he helped code the Trojan template out of curiosity.

"I helped write it because well why not its programing experience and it was in a subject I was interested in."

Update, 6:15 p.m. ET: Updated to include comment from one of the Trojan's authors.

By Brian Krebs  |  June 23, 2008; 12:59 PM ET
Categories:  Latest Warnings  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Serious Security Vulnerabilty In Apple OS X Leopard
Next: Report: China Home to Half of All Malicious Web Sites

Comments

Nice analysis -- it's been hard to figure out seriously to take this.

However, Cupterino is an exceedingly tiny cup made in a small factory in Italy. I would guess you mean the small Bay Area town with 1 Infinite Loop, Cupertino.

Posted by: Glenn Fleishman | June 23, 2008 3:46 PM | Report abuse

Ha Ha

Posted by: PC | June 23, 2008 4:32 PM | Report abuse

Hope not many people gets infected. Btw i linked to this post today

FYI

Posted by: Live Crunch | June 23, 2008 4:42 PM | Report abuse

Tried pasting the command as written into the Terminal of a Mac Pro running 10.5.3 and got the following errors:

[my command prompt]$ osascript -e 'tell app "ARDAgent" to do shell script "whoami"';
2008-06-23 13:46:03.290 osascript[4088:10b] Error loading /Library/ScriptingAdditions/QXPScriptingAdditions.osax/Contents/MacOS/QXPScriptingAdditions: dlopen(/Library/ScriptingAdditions/QXPScriptingAdditions.osax/Contents/MacOS/QXPScriptingAdditions, 262): no suitable image found. Did find:
/Library/ScriptingAdditions/QXPScriptingAdditions.osax/Contents/MacOS/QXPScriptingAdditions: mach-o, but wrong architecture
osascript: OpenScripting.framework - scripting addition /Library/ScriptingAdditions/QXPScriptingAdditions.osax declares no loadable handlers.
23:47: execution error: ARDAgent got an error: "whoami" doesn't understand the do shell script message. (-1708)

Would this mean that the vulnerability has been patched?

Posted by: Ric | June 23, 2008 4:57 PM | Report abuse

Brian,

If you look at lokin's questions you realise he doesn't have much of a clue. Perhaps some of the others did but that wasn't my impression. Also some of lokin's followup posts were rather embarrassing.

Ric,

Not it's not patched. You're either running the wrong version of the OS, put in a typo, or something's temporarily out of what. Use the osascript command line Brian posted the other day to put the sorry thing out of your misery for the time being.

Posted by: Rick | June 23, 2008 5:22 PM | Report abuse

Andrew, Thanks for telling me how macs aren't as secure as they are marketed!

Posted by: Robert | June 23, 2008 7:11 PM | Report abuse

@Ric

No. It's not patched as I had it work on a 10.5.3 machine. Something else is going on.

It doesn't work for me however because I removed...
/System/Library/CoreServices/RemoteManagement

Posted by: MACS RULE | June 23, 2008 7:54 PM | Report abuse

Anyways, How come people get bent out of shape when this is said..

"Apple tells us that OS X is safe and secure and fails to actually confirm that it is so on their own."

So what, every system including Windows claims their system is secure. And clearly, Windows is the most attacked OS on the planet. Yet some how Apple takes all the heat. I don't get it and never will.

Posted by: Anonymous | June 23, 2008 8:07 PM | Report abuse

"Yet some how Apple takes all the heat. I don't get it and never will."

Simple, we expect more from Apple, its why we pay more for Macs. :)

Posted by: Nobodyd | June 23, 2008 8:39 PM | Report abuse

This is the tip of the iceberg so to speak. Macs are going to be increasingly under attack by malware authors as their installed numbers grow. It's just a natural progression and is to be expected. That's why it is imperative that a defense in depth strategy is used (regardless of operating system). To think otherwise is just ignorant!

Posted by: TJ | June 23, 2008 8:51 PM | Report abuse

Its about somebody showed Mac users that they are vulnerable , if Apple ever gets half as many people using it as there are windows users we will see just how safe they are . If it is made by one man it can be hacked by another. There is no such thing as a safe operating system, just people dumb enough to believe its safe because Steve Jobs and his minions told them it is.

Posted by: Robert | June 23, 2008 9:03 PM | Report abuse

"Yet some how Apple takes all the heat. I don't get it and never will."

Replace "Apple" with "Microsoft" and your statement starts to make sense. There is quite a double standard in the industry where Apple is often given a pass. As far as being under increasing scrutiny and attack, as the saying goes, If you can't stand the heat in the kitchen...

Posted by: TJ | June 23, 2008 9:09 PM | Report abuse

I predict Mac users in the near future will be running firewalls and Anti-virus software.
And as far as mac taking all the heat when was this . Windows has been jumped on for years by the Mac crowd. I have been using windows operating systems for years and never had a Virus all the software the world can't save you but learning how to surf the net safely will . The Windows Vista laptop I am using right now is virus free and has been for a long time , before that it was running XP and I also had no viruses on it . Mac people are always bashing windows those Apple TV ads are lies windows vista is not a crippled OS and it is much more secure than XP was, frankly I do not care what computer you use just don't put my choice down also the reason I choose the windows platform is because I can build my own desktop PC from the motherboard on up this way I do not have buy something HP,Toshiba , or any company built,I build it the way I want it.

Posted by: Robert | June 23, 2008 9:35 PM | Report abuse

PC meet MAC, MAC, uh oh, MAC you're high on dope!

Posted by: PC-XP-PRO | June 23, 2008 10:21 PM | Report abuse

I think we are in a Security Balloon. Security, Iraq Security, Globalization Security, Windows Security, Financial Security, OS X Security, Border Security, Safety Security, Communications Security. Holy smokes Batman, you're out of a Job!

I run Macs and PCs, I favor the Mac for UI and favor the PC for flexibility. Mac feels fragile, PC feels like a tank. Mac feels like a design shop, PC feels like a factory, assembly line, sales force, government etc. Mac feels like a fad, PC feels like a standard. That makes sense, fads don't stick around long enough to get whacked by all the different possibilities, standards do.

The Mac has tiny buttons for security settings and permissions, PC has a list, with easy accessibility.

A Mac has a kernel panic, a PC (which a Mac is natively with x86 processors) has a fatal exception, a blue screen of death etc. A Mac is personified, a PC is depersonalized. Botique shops are personalized, business is depersonalized.

Is it any wonder why this whole Mac vs. PC is the way it is? It's a marketing joke, it follows focus group marketing and the whole "me" generation. It targets the "I want to express myself" generation.

Get over it, Mac is now on PC architecture. It has been since Apple switched to x86. EFI was/is on Itanium systems. Windows is not PC, Windows is an OS that runs on a PC with a BIOS or EFI. OS X is an OS that runs on a PC with EFI or a BIOS (with EFI emulators).

As for Viruses, why target the security of a system? It's like blaming the transportation department for illegal drugs being passed on a highway. Like blaming an ISP for transporting copyrighted material (wait, we already blame them for that).

Sue everyone, that's the ticket, blame the DOT for traffic accidents, drug running etc. Blame the police department for allowing crime in the city. Blame the FBI for allowing terrorism. Why not apply the same logic the general public is using?

Please apply logic rather than the confused notions of emotion. Please realize that marketing has used emotion through Focus Group Marketing since the 50's (it's recent). Politicians since Regan have been using emotion and the idea of appealing to self-image/expression. We've given away our head for our heart, rather than seeking a balance between them but then again... you can read about that in my new book!

And yet the vicious cycle begins again.

Posted by: manji | June 23, 2008 11:01 PM | Report abuse

Stupid Mac users...get a PC and learn how to use a REAL computer...

Posted by: LogicStick | June 24, 2008 1:36 AM | Report abuse

@TJ

Heat? Heat from child like comments such as a few of those on this blog? Heat as in people finding security flaws? I'm all for people announcing flaws for OS X any day. I wish MOAB would happen every month. I read 30 security blogs so its not to say I have no idea Macs are not secure. Plus it's just common sense to KNOW that computers are not secure. Ubuntu, FreeBSD, WIndows, OSX, DEBIAN!!!!!!!!, not secure.

Has Apple really been given a pass on flaws? They may down play them but I've never heard them being given a pass. Usually it's a fail. I don't know.

It just seems to me that if anybody but Apple says secure it's "MEH" but if Apple include secure in any sentence, the whole internet ignites like a fire storm and starts bashing Apple and it's users. Thats what I don't understand. Call it heat. I can take it I just don't understand. Sorry if I'm the type to understand why things are being said. That's all. Now may the digg like comments continue like the one above me. :)

Posted by: Kids | June 24, 2008 2:39 AM | Report abuse

Apple doesn't have pass?
It's not their fault that they are targets?

Just look one of their adds, "PC, but Macs don't have viruses..." - that's kind of arogant, and Mac users took it for granted bashing everytihg from Windows to Linux.

And what now?

Posted by: Phil | June 24, 2008 4:24 AM | Report abuse

Your right, look at all that bashing Mac users are doing to Windows. Good I'm such an idiot.
Pshh. There is more bashing comments in this article then there is with mac users and bashing Windows in these articles below, combined. These are just a few. Your right. I don't hold any valid point. Mac users are wrong. God I should just go makeout with Steve, because, you know, thats what we do.

http://blog.washingtonpost.com/securityfix/2006/07/microsoft_patches_18_security.html
http://blog.washingtonpost.com/securityfix/2005/12/exploit_released_for_unpatched.html
http://blog.washingtonpost.com/securityfix/2006/08/spammers_exploiting_latest_mic.html
http://blog.washingtonpost.com/securityfix/2005/12/update_on_the_critical_unpatch.html

Sorry to take up space Krebbs. Was just trying to point out something so simple and the same time understand something I wasn't understanding. I'll leave the comments to others.

Take care guys.

Posted by: DONE | June 24, 2008 5:16 AM | Report abuse

What is manji smoking? I want some.

"Mac feels fragile, PC feels like a tank." What planet are you on? When was the last time you had DLL hell on a Mac? *nix beats Windows any day of the week for stability.

Anyway, computing common sense still applies. It takes user action to get this trojan. Mac users who think they're immune to any security threats "because it's a Mac" are morons and they deserve just as much to get infected as do pc fanboys who go get their pr0n on an unpatched xp box.

Posted by: James | June 24, 2008 8:06 AM | Report abuse

One operating system is just as vulnerable as any other Mac users are living in a fools paradise .Just because Steve Jobs and his minions say your safe does not make it true they are lying to their users and to the public with their Mac vs. PC commercials At least us Windows users are smart enough to know that you are never truly safe no matter what operating system you are using.Mac users beware your days are numbered .

Posted by: Robert | June 24, 2008 9:25 AM | Report abuse

This also hinges on the fact that I'm at a public IP address and not internal as MOST people are. Most people don't have port forwarding for VNC or http turned on, so exactly what can the person do?

If you want real security, write your own OS. Besides that get linux and read all the source code before you compile it and then compile it :) and compile only what you need.

Posted by: anonymous | June 24, 2008 10:51 AM | Report abuse

Wow, Some of you people are stupid.
"HA HA"
"Stupid Mac users...get a PC and learn how to use a REAL computer..."

You guys, this is cool. I have a mac, and up until now, there have been no known effective viruses. Everything that has come out in an attempt to be a virus required you to put in admin password to do in one case view some pictures. That is why Apple has been arrogant enough to say there are no viruses. Because you have to an idiot to be exploited. Now someone has finally figured out how to get around the required credentials to install a malicious program. Well, its not deleting files like other viruses, but it does allow the trojan manager to gain control of the computer.

I am impressed with the level of complexity of the trojan. It tries two different ways to install, it makes available all these remote management tools for someone. I think that is really interesting.

Why cant you people just take it for what its worth and not start a flame war. I have a mac, my work is a windows environment, and I can't tell you how many people don't know how to use windows. So keep your dumb comments to you self about learning to use a real computer if half the other people who use the same thing as you don't know how to use it. Don't be jealous that everything in my OS is simply laid out and easy to use. But you know what? I don't have to use the gui only... maybe I am using a real computer by working in terminal, are you using the command line?

Posted by: Mike | June 24, 2008 11:04 AM | Report abuse

Bummer, sounds like they need to come up with a quick fix for that baby.

JT
www.FireMe.to/udi

Posted by: Jimmy Dean | June 24, 2008 11:20 AM | Report abuse

Some people here are right...others don't have a clue of what they're talking about. Mac OS X isn't secure.Vista isn't secure.Why? because they hold 99% of the market share.The more an OS gets popular the more it gets targeted. As for linux it's different, linux relies on a community, on open source, where every single user improves the OS,flaws are quickly fixed. I used vista for 9 month now, with an anti-virus and antispyware nothing has never infiltrated my OS, and btw and microsoft says "Vista is more secure" they mean more secure than Xp not other oses.As for mac OS X i am happy this is happening, just to prove to apple that they're products aren't the best and that the macs high prices aren't justified at all.

Posted by: Joseph | June 24, 2008 11:30 AM | Report abuse

This was good for a laugh, take this crap seriously, I doubt it.


Posted by: Good@times.com | June 24, 2008 11:36 AM | Report abuse

Mike so you are saying there are no idiots using Macs It sounds like your saying only intelligent people use macs ,I seen some of the most intelligent people I know make some really stupid mistakes . Also I am not jealous of you or your Mac I could buy a mac if I actually had any use for one you are the one who is making dumb comments , it's easy to see where your coming from .

Posted by: Robert | June 24, 2008 11:42 AM | Report abuse

See here:

http://forums.applenova.com/showthread.php?t=29513

For the exact limitations of this "exploit". It's essentially worthless as it is only any use if you have physical access to the machine. In which case, all bets are off, anyway.

Posted by: Bryson | June 24, 2008 11:52 AM | Report abuse

A few interesting comments, and a lot of base-less babble.

For one thing, Mac's are only marginally more expensive than PCs at the time of purchase, if at all, and one tech journalist after another has gone through the whole "study" and the answer is always "Macs are a generally a little more expensive to buy and a little cheaper to maintain." So high prices aren't justifying anything, other than some individuals are willing to pay a little more for a a product they prefer. Astounding, really, Joseph.

I find it really amusing how quickly everyone forgets that computers and their respective OS's are not divine creations. They aren't secure, they don't understand the notion of security as they don't have brains. They do what they're programmed, and what all those 1s and 0s line up to do is exactly what some human being somewhere has told them. So they are inherently prone to all the flaws encompassed by their creators, in addition to being the target of relentless exploitation attempts by individuals with equal reasoning ability as those who have created the "security" in the OS. In a word, it's technological cat-and-mouse. Just as banks will always be robbed (and why does the notion of an epic heist like Ocean's 11 appeal to so many of us?), computers will always be exploited. OSs may have individuals pros-and-cons - Windows of course has a huge install base and will be a target, Linux has the benefit of an educated and contributing user community. IMHO, Apple has a decent track-record with security OS X, and the additional benefit of a relatively small user base.

But nothing is safe, and anyone who thinks that a particular OS will protect them always in the future is very naive.

Posted by: isaac | June 24, 2008 12:07 PM | Report abuse

bryson -- it's worthless unless you have physical access to the machine? I hate to break it to ya, but that's not correct. if by physical access you're including the user actually agreeing to install software, then yes, you are correct. but 80 percent of all malware attacks against windows machines work by tricking the user into installing something, so what's your point?

Posted by: Anonymous | June 24, 2008 12:33 PM | Report abuse

I love how many people here love to bash one side or the other. Macs are better, no PCs are better....
Just some news for a lot of people Macs are PCs. The operating system doesn't change this. I realize that up until now a lot of previous attempts to hack macs has not worked b/c they do an excellent job securing their computers. But the truth is there are plenty of stupid people using both Windows OS (XP or Vista) or Mac OS. Idiots will always argue which is better but as more people flock to Macintosh PCs it will continually have people attempting to crack them, just as Windows has had in the past because it had such a larger user base. Why would computer hackers try to crack an OS used by 10% of the population 10 years ago when they could attack 90% of the population that was using Windows? (this is not actual numbers but I am just trying to make a point)Think about your arguments before you just straight up flame a post.

As for the article itself it was interesting to see something like this developed for MAC OS X.

Posted by: Tbird | June 24, 2008 12:35 PM | Report abuse

Please note that running osascript -e 'tell app "ARDAgent" to do shell script "chmod 0555 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"'; will disable the Apple Remote Desktop application.


Posted by: Ian Rubber | June 24, 2008 12:37 PM | Report abuse

I love how rumors/theories/the possibility of a single trojan horse cause everyone to go: "OH MAN! MACS AREN'T SECURE!!!"

Even if this trojan does exist, and it is a horrible, horrible virus...

It's a single virus.

Posted by: Shaun | June 24, 2008 1:01 PM | Report abuse

I don't personally count malware, on any platform, that dupes unsuspecting or stupid users from opening and installing unknown software off a hacker web site or any other site. This is VERY VERY different than a self-propagating virus. Even if Apple patches this entry point the fact is, on ANY platform, if a user enters their Admin username and password at the time of installation, all security bets are off! I don't care what the platform is.

Again, on any platform assess the risk, minimize it, and take positive action to prevent as many known exploits as possible. On Windows that means installing anti-virus software and continually be on the look out for unknown .exe files and email enclosures and active-X controls.

On the Mac, be careful of poker games...

Posted by: Jeffsters | June 24, 2008 1:05 PM | Report abuse

so, mac has finaly got a flaw, and it's something windows 98 dealt with several years ago. what does that tell you? all these stupid p.c bashing commercials are rediculous, if mac wants to put out competition bashing commercials when vista has a flaw or two, they should expect it back, mac stirred up the pot and now their goin to bend over and take it, how can you let something so simple slip through like that? you've all had the mac wool pulled over your eyes, fase sence of security that's all i have to say.

Posted by: Anonymous | June 24, 2008 1:20 PM | Report abuse

Windows usually patches vulnerabilities in a timely manner yet you Mac people are all over it within hours saying vista is garbage so from what I can gather from this being an Ignorant Windows user is that a vulnerability is only a big deal when it is on the Windows platform . Its no big deal when its on the Mac Os ,the only reason you guys are safe is because you are a minority and hackers do not find you worth bothering with all they would find on your systems are pictures of yourselves in strange poses ,or videos of you talking on your over priced Iphones or listening to your overpriced Ipods go ahead and spend your money on that junk but please next you have an opinion keep it to yourself because mine is the only one that counts to me .LOL

Posted by: Robert | June 24, 2008 1:30 PM | Report abuse

So, you have to visit a hacker site, download it and install it for the thing to work. If your a retard then this article may apply to you.

I Yawned, just a way for SecureMac to drum up sales to all the PC to Mac converts, since this is all they know on that other system.

Posted by: MrWhite | June 24, 2008 1:57 PM | Report abuse

"I want to stress that there is absolutely no evidence that this Trojan is spreading in the wild..."


Move along. Nothing to see here.

Posted by: Eric | June 24, 2008 2:18 PM | Report abuse

'I love how rumors/theories/the possibility of a single trojan horse cause everyone to go: "OH MAN! MACS AREN'T SECURE!!!" '


Yeah, and "looks like the Mac is just as insecure as the PC!"

Uh-huh. You can keep your "10,000+ known viruses" PC and I'll stick to my "no viruses in the wild" Mac.

Posted by: Eric again | June 24, 2008 2:21 PM | Report abuse

"Move along. Nothing to see here.

Posted by: Eric | June 24, 2008 2:18 PM "

yes, that's right mac users. keep your palms clamped firmly over your ears, all the while yelling "blahblahblablahblahblbahblahwindowsusckslbalbhalbhablahbahbhican'thearyoublabhhablbahbalb"

Posted by: jjk | June 24, 2008 2:33 PM | Report abuse

Mac users are elitist snobs who think Macs are greatest invention since the wheel and for some reason they think us Windows users care about their opinions and when they do one day start getting viruses left ad right they will have an excuse for that too . And they will still think they are superior because that is how elitists are, look at me mine is better than yours. You would think they built those macs themselves. I don't think windows is better than Mac one is no better than the other , you Mac guys keep telling yourselves how safe you are because I am going to laugh my butt off when a bunch of get compromised .

Posted by: Robert | June 24, 2008 2:59 PM | Report abuse

I love the Mac security posts, if only because the rabid frothing trolls on both sides of the OS divide come out of their caves to display the full glory of their normally well-concealed personality disorders.

Posted by: Doc Ach | June 24, 2008 3:20 PM | Report abuse

Yeah I have a personality disorder it causes me to retaliate when Mac users constantly tell anyone who will listen how great Mac is and how horrible Windows is when the fact is one is no better than the other but you will never hear one of these Mac fanboys say that Mac is better and that's all there is to it because they say so. The truth is they are only safe because the hackers have not went after them with the same zeal that they go after Windows with. The reason for not going after the Mac OS like they do Windows is only a handful of the worlds population use macs and hackers these days are all about the money that can be made writing exploits for Windows . But as more people begin using Macs especially big business we will just see then how safe they are then.Any software can be hacked and anyone who believes otherwise is foolish .

Posted by: Robert | June 24, 2008 3:51 PM | Report abuse

"So, you have to visit a hacker site, download it and install it for the thing to work. If your a retard then this article may apply to you.

I Yawned, just a way for SecureMac to drum up sales to all the PC to Mac converts, since this is all they know on that other system."

NO, the hacker goes to that website to get the "tool"
then he/she embeds in a useful software download and puts up a legit looking site.

mac user want said useful software downloads and installs to mac, meanwhile behind the scenes the trojan quietly installs itself with no password prompt.

MAC L class user now infected

Posted by: IgaRonin | June 24, 2008 5:50 PM | Report abuse

Allot of the Windows Exploits are the same you have to visit a website and download it yet when its Windows the Mac people make a big deal of I am not running an anti-virus on this Windows vista laptop I been running this way for over a month and do not have a virus or any other malware I know because I have been scanning and have not found any yet but I am careful and I do not download software from the Internet nor do I click on links in emails or open attachments Windows Vista has made a huge difference in security so you do not necessarily need to run an anti-virus if you have a hardware firewall and your careful Vista is safe as any other operating system I will own an Apple computer on the day when I can buy brand new parts and build my own.

Posted by: Robert | June 24, 2008 6:57 PM | Report abuse

Interesting article. It's a shame that the average commenter is either 11 years old or has a below-100 IQ (and a keyboard that prevents them from using proper capitalization and punctuation).

And yes, mine *is* bigger than yours and always works :).

Posted by: hjv | June 25, 2008 1:26 AM | Report abuse

@Ric

The error message you received is due to the presence of the QXPScriptingAdditions.osax file in the \Library\Scripting Additions folder. It is installed by Quark Xpress , and is problematic and only works on PPC systems anyway. I'd just delete it.

Posted by: James | June 25, 2008 5:20 AM | Report abuse

These comments are childish and unproductive not to mention uncoordinated babble. How is anyone reading this be able to understand the extent of the issue, that alone what you people a arguing about. You jokers need to take a lesson in cooperation. Sesame Street is on at 3:00pm straight after prep-school is finished for you. by the way...Isn't it all passed your bed time children. Off you go...

Posted by: Tmempis | June 25, 2008 5:27 AM | Report abuse

One of my friends has been hit with this already - I have no idea what he downloaded, but the payload is malware: redirection of his browser activity and various other things happening.

The version he's been hit by is reminiscent of the old browser hijacking windows suffers.

It's definitely in the wild.

Posted by: Les | June 25, 2008 7:31 AM | Report abuse

Windows - 100,000+ viruses
Mac - Uh ... 3?

Windows - **Millions** of zombie computers screwing up the entire internet, email, server security for everyone on the planet.
Mac - Perhaps a couple of thousand zombies tops, likely less.

That's why the Mac gets a pass. That's why the Mac has a reputation of being more secure and less exploited. Because it is far less exploited, causing far less damage, and causing far less disruption to users.

It's not perfect. It has bugs, holes and vulnerabilities. They will be fixed as found, and hopefully forward thinking will improve the current levels of security through improved strategies as we move into the future.

Posted by: Zaph | June 25, 2008 8:30 AM | Report abuse

All you people, back to work NOW!

Posted by: Pete from Arlington | June 25, 2008 8:56 AM | Report abuse

@Les -- Your friend probably downloaded one of the DNS Changer Trojans disguised as a "video codec".

http://www.f-secure.com/v-descs/trojan_osx_dnschanger.shtml

I haven't tried this tool, but SecureMac is giving away a tool that claims to be able to remove the DNSchanger Trojan from infected Macs.

See here:

http://www.dnschanger.com/

Posted by: Bk | June 25, 2008 9:42 AM | Report abuse

Hehe. Pete from Arlington nailed it. While various OS users are bickering, the malware writers are honing their 'product' and getting their respective payloads ready for prime time.

Let us "get back to work" on sharing OS-agnostic best practices for securing our machines against the inevitable vulnerabilities of software written by humans for humans.

Posted by: C.B. | June 25, 2008 10:09 AM | Report abuse

To the OS bigots: Lighten up! You guys sound like combatants in a religious war. Since when did the choice of a computer become the defining characteristic of a person? I'm having a hard time believing we'll ever have a moment of peace on this planet if so many people can get so worked up over such a minor issue.

Posted by: lofti | June 25, 2008 5:02 PM | Report abuse

I used to use Webroot's SpySweeper anti-spyware program on my Windows machine and every time it updated its signatures it would say how many different exploits it was being protecting my system from. I stopped using the program over a year ago, but it was already up to over 295,000 - not including viruses. WOW! That really puts a few Mac exploits in perspective.

Posted by: TJR | June 25, 2008 9:22 PM | Report abuse

I'm new to mac, after just buying an iMac - I have to say, I'm pretty disappointed overall. Apple treat their customers like sh*t and ignore things like this which they'd prefer no-one hear about. I'm sure this will be repaired for the next service pack (I mean OSX 10.6 for $129) - I can't believe apple users have been so brainwashed that they actually have accepted the fact that updates have to be paid for! This is also true of iPhone and iPod updates. Steve Jobs is nothing short of a money grabbing freak.

Posted by: Disgruntled Goat | June 26, 2008 2:45 AM | Report abuse

Why does everybody insist on treating the fact that other people prefer something different as somehow an attack on them personally, and respond with the kind of BS that would get a backward ten-year-old yelled at?

Come on, people, nothing's perfect. Some things are closer than others; one of the major problems we have is that the most widely-deployed system software, if it were any consumer product other than software, would have been sued out of existence with a gigantic class-action suit for gross negligence. It does occasionally work, and for those who are happy with the amount of work they get done with it, more power to you. Just don't expect to get any support on my network; I've got too many other people who need to get their work done.

Posted by: Jeff | June 26, 2008 5:02 AM | Report abuse

Everyone seems to forget this ia a technical analyses of malware. This has become a Mac/Windows war. So I'll join the fun:
Why do WIndow users get so angry at Apple-fans in postings like this?
Answer: Envy (not good, but understandable)
Why do Mac-users get mad at the Redmond-clan?
Answer: Evangelism (also not good, but understandable)

It's not my own quote, but Windows-users should think about how true it is and if this doesn't prove something:
"Mac-users swear by their computers, Windows users swear at their computers"

(I use both the dark and the bright side of computinglife)

Posted by: Ralph | June 26, 2008 10:14 AM | Report abuse

Every last one of the Mac bashers in this forum -that accuse Mac users of being elitist snobs- are sitting on their own high horses while pointing the finger. Who is the elitist snob? I'm confused?

Fear is the #1 fuel source of ignorance. Ignorance arrests all creativity and progress. If you don't open up your minds and find something else worthwhile to adhere to other than this ignorant platform bashing nonsense, you might find it's yourself -rather than your PC- that becomes obsolete.

So with that said. It's a trojan, meaning it takes an idiot to invite it in. The world is full of idiots that use both Macs and PC's. Disable the ARD service if you don't need it, and educate your users if you do. With more than 65% of our Freshman class bringing Mac systems to college, it's hard to call yourself any kind of an IT professional if your only answer is "[x-product] sucks". [you] learn to deal with it and do your job, or find yourself replaced.

Posted by: Jafro | July 1, 2008 5:56 PM | Report abuse

Jafro, come back on Patch Tuesday and count the getamac/installlinux trolls.

Alex Lindsay of Pixel Corps/MacBreakWeekly reports on Twitter that someone in the office picked up the trojan.

http://twitter.com/alexlindsay/statuses/848058136

" So..someone in the office got nailed with the ARD trojan horse on OSX...so it's definitely in the wild and in use. Be careful with net files

about 5 hours ago from web"

Posted by: MarkC | July 2, 2008 2:21 AM | Report abuse

There is a free patch utility available at versiontracker.com which resolves this issue entirely without disabling the functionality of ARD. This is the best solution to-date.

http://www.versiontracker.com/dyn/moreinfo/macosx/34662

For what it's worth, I clicked into this thread because it has "Security Fix" in the title. I found nothing useful in here. It's just a lot of crybabies with soiled diapers.

I've never run virus protection on any of my Macs, and for over 16 years, I've never had a virus. HALF the support calls we receive on campus are Windows boxes with a Virus. HALF. Still!... after all these years. Is it any wonder that MORE than half the students here carry Macs? The hottest selling laptop model, the most-stolen laptop model, the most coveted computer system on college campuses and K-12. These people eventually graduate and continue buying what they're comfortable with.

We turn job applicants away if they don't have Mac skills, and we don't care what other certifications they hold. Techs that think like that are useless to us because the users dictate what we have to support-with what they buy, and our staff doesn't like picking up the slack for the lazy bigots looking for an excuse to not do their jobs. We don't pick the favorites, the USERS do. Is it starting to become clear now? That's why they call it "User support".

IT pro's - TAKE NOTE. Diversify your skills and lose this Mac vs. PC ignorance for your own sake. Your opinion doesn't matter where it comes to job security, and Mac is NOT GOING AWAY. Anyone who thinks they are, or tells you that is a fool.

Posted by: Jafro | July 7, 2008 2:34 PM | Report abuse

I tried to set the ARDAgent to chmod 555 using the given instructions, but this doesn't seem to fix the security issue. You can test this by creating a file as root, enter the following in a terminal:

sudo -s
touch testfile

The file should be created and owned by root. Now enter this into terminal:

exit

You should now be giving up root privileges and return to your own "less-privileged" account. Now enter this into the terminal:

osascript -e 'tell app "ARDAgent" to do shell script "rm -rf /Users//testfile"';

You should ofcourse enter the path to where the file is located. You'll see it's still possible to delete a file owned by root with your less-privileged account. The fix doesn't seem to work.

Posted by: Vinnie | July 8, 2008 6:40 AM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company