Tiny Trojan Trots Into Mac OS X Turf

With the rise in popularity of Apple's (Nasdaq: AAPL) Mac computers and the OS X operating systems they run, dangerous malware, viruses and Trojans are now being targeted for the Mac, too. The most recent case in point comes courtesy of a security advisory released by SecureMac. The advisory warns that multiple variants of a new Trojan horse -- out in the wild -- is ready to run roughshod all over OS X 10.4 and 10.5.

SecureMac notes that while the Trojan, which is based on AppleScript and currently called "ASthtv05," is only being distributed from a hacker Web site at the moment, discussion has been edging into how it could be distributed more widely.

Critical Risk

While the Mac has enjoyed years of freedom from the viruses, Trojans and security vulnerabilities that have plagued PCs running Windows, there have been some relatively small threats in the past. This new Trojan, however, is worth being aware of, according to SecureMac.

"We classified this risk as critical," Nicholas Raba, president of SecureMac, told MacNewsWorld.

"The reason is that it takes advantage of an exploit that was discovered for Apple's operating system, the Apple Remote Desktop Agent, which allows the user to escalate privileges to root. This Trojan takes advantage of that, therefore it doesn't need to enter any administrative user names or passwords -- it bypasses all of that. Once it's launched, it gains root privilege," he explained.

How It Works

The Trojan runs hidden on the system, SecureMac reported, and it allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file-sharing.

The 60 kilobyte ASthtv05 Trojan is distributed as either a compiled AppleScript or as an application bundle called "AStht_v06" (3.1 MB in size). The user must download and open the Trojan in order for a Mac to become infected. Once the Trojan is running, it will move itself into the /Library/Caches/ folder and add itself to the System Login Items.

Wake-Up Call for Mac Users?

"As more users are switching over to the Mac environment, so are the researchers," Raba said.

"As far a wake-up call, this definitely shows that people are out there researching it. There are 47 pages of discussion on this Trojan. The source code is available for it, so we know we are going to see variants of it -- once you make the source code available, people come up with new ideas for it, and you'll see an instant spread," he added.

Apple Patchable?

While SecureMac's own product, MacScan 2.5, can detect and remove the Trojan, users might wonder if this is a problem that Apple will be able to patch.

"The script itself uses an exploit in Apple's operating system -- I'm sure they will patch it in a timely manner," Raba said, noting that the original post was made to Slashdot, which means that Apple didn't get a vendor heads-up on the issue ahead of time. Some security researchers -- as opposed to outright "hackers" -- will either alert vendors of problems or attempt to sell the problem for profit.