[Swordmaker]

"In addition to their own security software, both Intego and SecureMac . . ."

Beware Geeks bearing products for sale...

[Swordmaker]

Two new Mac OSX Trojans spotted... these are apparently in the wild. PING!

Both use social engineering and require the complicity of the users.

There is also a potential remote exploit that has not been seen in the wild that would allow rooting the Mac, according to the people reporting it.

MacPing!

If you want on or off the Mac Ping List, Freepmail me.

[TLI]

[Swordmaker]

Security vendors report 'critical' Trojan Horse exploit for Mac Intego and SecureMac both report Trojan Horse danger

by Jonny Evans

Posted in MacWorld UK

SecureMac and Intego are separately reporting the existence of a new security threat for Mac, claiming the existence of multiple variants of a new Trojan horse in the wild that affects Mac OS X 10.4 and 10.5.

The Trojan horse is currently being distributed from a hacker website, where discussion has taken place on distributing the Trojan horse through iChat and Limewire.

The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can reportedly transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging.

Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing. The Trojan horse exploits a recently discovered vulnerability with the Apple Remote Desktop Agent, which allows it to run as root.

The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items.

In response, SecureMac and Intego have both issued updated virus definitions to their security software applications for Mac, MacScan 2.5.2 and Intego VirusBarrier X5.

[JillValentine]

When I first saw the headline, I thought it said, "Twin Trojans attack Mars, meaning that two Trojan asteroids were going to hit Mars.

Guess I'm more of an astronomy geek than a computer geek.

[dayglored]

I tend to believe the alarms of independent researchers more than those hawking a product. Not every vendor is always lying, of course. But a good number of them stir up fear on such a regular basis as to have become a laughingstock.

There will always be a new upcoming audience for the scare mongers. And suckers every minutes for social engineering...

"Hi, I'm a poker game! Type your administrator password!"

Social engineering exploits vulnerability in PEOPLE.

I'll wait for the trojans that auto-install in spite of the operating system, before I declare my Macs to be dangerously vulnerable at the OS level.

[Swordmaker]

MacUser UK's article on the flaw that makes these trojans possible.

---

OS X flaw exposes Leopards and Tigers

8:39AM, Friday 20th June 2008

Security firm Intego has discovered a critical security vulnerability in Leopard and Tiger which could enable programs to run with full, root access to the system.

Fortunately, it Intego says that security hole is easily closed by simply enabling Remote Management in the Sharing preferences. Once this setting is activated, any exploit will not function.

The vulnerability takes advantage of the fact that Remote Management's ARDAgent component is owned by root, so running code via the ARDAgent executable runs this code as root, without requiring a password. The exploit in question depends on ARDAgent's ability to run AppleScripts, which may, in turn, include shell script commands.

SecureMac is reporting that it has already discovered both an AppleScript and and an application that attempt to exploit the flaw: a compiled 60KB AppleScript called ASthtv05 and a 3.1MB application bundle called AStht_v06. The user must download and open either in order to become infected, whereupon the malware moves itself into the /Library/Caches/ folder and adds itself to the System Login Items.

It the runs hidden on the system and can transmit system and user passwords and allow a malicious user complete remote access to the system. It attempts to avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing.

Simon Aughton

[Swordmaker]

Several comments on multiple sites claim that the exploits have not been seen in the wild and that no one has been infected but that the various methods of utilizing the exploit have been in discussion on some hacker sites... including the suggestion of a poker game trojan and they have been trading Applescript files that appear to, perhaps, use the method.

It appears that these may be more "proof-of-concept" trojans—based on the ARDagent vulnerability than actual in-the-wild threats.

Defeating the possibility of infection appears to be easy.

[Snurple]

Pair of Trojans spotted in the wild

This one must have wandered away from the herd....

[antiRepublicrat]

So is this actually in the wild infecting people, or is this just FUD to push product?

[goldstategop]

Nonsense! Macs are inherently secure by design and software needs user permission to run before it can execute. Its much ado about nothing.

"Show me just what Mohammed brought that was new, and there you will find things only evil and inhuman, such as his command to spread by the sword the faith he preached." - Manuel II Palelologus