TechNewsWorld.com

Tiny Trojan Trots Into Mac OS X Turf


Security researchers at SecureMac say they've spotted Mac OS X malware in the wild capable of taking firm control of a victim's computer. The company says that distribution of the Trojan currently appears limited, though it warns it could escalate soon.



With the rise in popularity of Apple's (Nasdaq: AAPL) Mac computers and the OS X operating systems they run, dangerous malware, viruses and Trojans are now being aimed at the Mac, too. The most recent case in point comes courtesy of a security advisory released by SecureMac. The advisory warns that multiple variants of a new Trojan horse -- out in the wild -- are ready to run roughshod all over OS X 10.4 and 10.5.

SecureMac notes that while the Trojan, which is based on AppleScript and currently called "ASthtv05," is only being distributed from a hacker Web site at the moment, discussion has been edging into how it could be distributed more widely.

Critical Risk

While the Mac has enjoyed years of freedom from the viruses, Trojans and security vulnerabilities that have plagued PCs running Windows, there have been some relatively small threats in the past. This new Trojan, however, is worth being aware of, according to SecureMac.

"We classified this risk as critical," Nicholas Raba, president of SecureMac, told MacNewsWorld.

"The reason is that it takes advantage of an exploit that was discovered for Apple's operating system, the Apple Remote Desktop Agent, which allows the user to escalate privileges to root. This Trojan takes advantage of that, therefore it doesn't need to enter any administrative user names or passwords -- it bypasses all of that. Once it's launched, it gains root privilege," he explained.

How It Works

The Trojan runs hidden on the system, SecureMac reported, and it allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file-sharing.

The 60 kilobyte ASthtv05 Trojan is distributed as either a compiled AppleScript or as an application bundle called "AStht_v06" (3.1 MB in size). The user must download and open the Trojan in order for a Mac to become infected. Once the Trojan is running, it will move itself into the /Library/Caches/ folder and add itself to the System Login Items.
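The persistence pattern described above (a runnable item parked in /Library/Caches/ and registered as a system login item) can be audited with a short script. This is an added example, not SecureMac's tooling or code from the advisory; the plist location, the `AutoLaunchedApplicationDictionary` key and the sample name `Example.app` are assumptions, and the sample tree is constructed.

```python
import plistlib
import tempfile
from pathlib import Path

# Assumption (not from the article): system-wide login items live in
# Library/Preferences/loginwindow.plist under AutoLaunchedApplicationDictionary,
# each entry a dict with a "Path" string.
LOGIN_PLIST = "Library/Preferences/loginwindow.plist"
LOGIN_KEY = "AutoLaunchedApplicationDictionary"
CACHES = "Library/Caches"
RUNNABLE_SUFFIXES = {".app", ".scpt"}  # app bundle / compiled AppleScript


def runnable_items_in_caches(root):
    """Names of app bundles or compiled scripts directly in <root>/Library/Caches."""
    caches = Path(root) / CACHES
    if not caches.is_dir():
        return []
    return sorted(p.name for p in caches.iterdir()
                  if p.suffix.lower() in RUNNABLE_SUFFIXES)


def login_items_in_caches(root):
    """Login-item paths that point into /Library/Caches/."""
    plist = Path(root) / LOGIN_PLIST
    if not plist.is_file():
        return []
    with plist.open("rb") as fh:
        entries = plistlib.load(fh).get(LOGIN_KEY, [])
    paths = [str(e.get("Path", "")) for e in entries if isinstance(e, dict)]
    return [p for p in paths if p.startswith("/" + CACHES + "/")]


def audit(root="/"):
    """Both findings for one volume root; empty lists mean nothing flagged."""
    return {"caches": runnable_items_in_caches(root),
            "login_items": login_items_in_caches(root)}


def demo():
    """Run the audit over a constructed tree ('Example.app' is a made-up name)."""
    root = Path(tempfile.mkdtemp())
    (root / CACHES / "Example.app").mkdir(parents=True)
    (root / CACHES / "com.vendor.cache.db").touch()  # ordinary cache file
    (root / "Library/Preferences").mkdir()
    items = [{"Path": "/Applications/Mail.app"},
             {"Path": "/Library/Caches/Example.app"}]
    with (root / LOGIN_PLIST).open("wb") as fh:
        plistlib.dump({LOGIN_KEY: items}, fh)
    return audit(root)
```

A hit in either list is a lead for manual review rather than proof of infection, since the check keys on location and file type, not on a signature.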

Wake-Up Call for Mac Users?

"As more users are switching over to the Mac environment, so are the researchers," Raba said.

"As far as a wake-up call, this definitely shows that people are out there researching it. There are 47 pages of discussion on this Trojan. The source code is available for it, so we know we are going to see variants of it -- once you make the source code available, people come up with new ideas for it, and you'll see an instant spread," he added.

Apple Patchable?

While SecureMac's own product, MacScan 2.5, can detect and remove the Trojan, users might wonder if this is a problem that Apple will be able to patch.

"The script itself uses an exploit in Apple's operating system -- I'm sure they will patch it in a timely manner," Raba said, noting that the original post was made to Slashdot, which means that Apple didn't get a vendor heads-up on the issue ahead of time. Some security researchers -- as opposed to outright "hackers" -- will either alert vendors of problems or attempt to sell the problem for profit.




More by Chris Maxcer
