Trojan Horse!!!
Kilted
06-20-2008, 12:36 AM
http://www.macworld.com/article/134084/2008/06/securemac.html
Watch out boys and girls:scared:
JohnTheMacGeek
06-20-2008, 01:08 AM
Thanks for the heads-up. But I have to say one of the comments was right. It isn't much of a trojan horse if you have to click on it after you download it.
MacHeadCase
06-20-2008, 02:55 AM
Just a thought... Couldn't a website say it's an .mp3 tune to download, change the name of the file and get people to install it that way? Scary stuff anyhow.
Thank you for this Kilted. :coolthumbup:
PapaNoHair
06-20-2008, 03:24 AM
Thanks - good to know, although I don't open files at random.
Sherman Homan
06-20-2008, 04:09 AM
If I understand this correctly, it is an AppleScript, you have to download it, run the installer which requires an admin level password, then accept the "This is an application downloaded from the internet are you sure you want to open it?" warning.
There are lots of AppleScripts that are created to run repetitive tasks, so I don't see how this qualifies as a Trojan horse. It certainly is a nasty AppleScript! However, in the classic model of a Trojan, it finds you, it installs itself without your knowledge or permission, it can't be easily found and it can't be easily removed.
You also don't need an anti-virus program to remove this one. You can trash it from the Startup Items folder manually. This follows the model of a typical program installation, the only protection is your own common sense!
MaDDoG
06-20-2008, 04:15 AM
Is Kilted a spam bot trying to get us to secretly buy the Mac Scan program? MHC you need to have a close look at him.:rolleyes:
dtravis7
06-20-2008, 04:22 AM
Is Kilted a spam bot trying to get us to secretly buy the Mac Scan program? MHC you need to have a close look at him.:rolleyes:
Hahahahhahaha! You are a funny dood Mad Dog! :thumbup:
Sorry Kilted, but that was funny after a night of Spammers! :laugh:
MaDDoG
06-20-2008, 04:38 AM
Seriously though - we need to be vigilant nowadays. Now that Apple has Intel and is gaining popularity, we would be stupid to think that the virus writers won't come after us also.
Sorry Kilted - just couldn't resist.:)
MacHeadCase
06-20-2008, 07:00 AM
MacInTouch (http://www.macintouch.com/) has a big article on security now. There is unfortunately no permalink to link you guys to it so... Here we go:
Security
SecureMac reports multiple variants of a Trojan horse "in the wild" that exploits a "root" vulnerability in Apple Remote Desktop Agent in Mac OS X 10.4 and 10.5 described yesterday by Intego. Though the security problem is rated "critical", a user must download and open the Trojan file in order to become infected. Bugtraq also covers the problem, and Slashdot has a discussion about it.
Apple Mac OS X AppleScript ARDAgent Shell Local Privilege Escalation Vulnerability (http://www.securityfocus.com/bid/29831)
Mac OS X is prone to a local privilege-escalation vulnerability affecting ARDAgent (Apple Remote Desktop).
Successful exploits allow local attackers to execute arbitrary code with superuser privileges, completely compromising the affected computer.
This issue is confirmed to affect Mac OS X 10.5 versions; earlier versions may also be vulnerable.
Currently we are not aware of any vendor-supplied patches.
AppleScript.THT Trojan Horse (http://www.securemac.com/applescript-tht-trojan-horse.php)
SecureMac has discovered multiple variants of a new Trojan horse in the wild that affects Mac OS X 10.4 and 10.5. The Trojan horse is currently being distributed from a hacker website, where discussion has taken place on distributing the Trojan horse through iChat and Limewire.
The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing. The Trojan horse exploits a recently discovered vulnerability with the Apple Remote Desktop Agent, which allows it to run as root.
The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items....
Mac OS X Root Escalation Through AppleScript (http://it.slashdot.org/article.pl?sid=08/06/18/1919224)
Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript: osascript -e 'tell app "ARDAgent" to do shell script "whoami"'; Works for normal users and admins, provided the normal user wasn't switched to via fast user switching. Secure? I think not.
Intego posted this Mac OS X security alert, which it rated "critical:"
Apple Remote Desktop Vulnerability Allows Malicious Programs to Execute Code as Root (http://www.intego.com/news/ism0802.asp)
A vulnerability has been discovered that allows malicious programs to execute code as root when run locally, or via a remote connection, on computers running Mac OS X 10.4 and 10.5. This vulnerability takes advantage of the fact that ARDAgent, a part of the Remote Management component of Mac OS X 10.4 and 10.5, has a setuid bit set. Any user running such an executable gains the privileges of the user who owns that executable. In this case, ARDAgent is owned by root, so running code via the ARDAgent executable runs this code as root, without requiring a password. The exploit in question depends on ARDAgent's ability to run AppleScripts, which may, in turn, include shell script commands.
Tipping Point reports a Firefox vulnerability affecting the new Firefox 3, as well as Firefox 2:
Mozilla Firefox 3.0 Vulnerability (http://dvlabs.tippingpoint.com/blog/2008/06/18/vulnerability-in-mozilla-firefox-30)
...What we can confirm is that about five hours after the official release of Firefox 3.0 on June 17th, our Zero Day Initiative program received a critical vulnerability affecting Firefox 3.0 as well as prior versions of Firefox 2.0.x. We verified the vulnerability in our lab, acquired it from the researcher, then promptly reported the vulnerability to the Mozilla security team shortly after. Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code. Not unlike most browser based vulnerabilities that we see these days, user interaction is required such as clicking on a link in email or visiting a malicious web page.
While Mozilla is working on a fix, we won't be divulging anything else until a patch is available, adhering to our vulnerability disclosure policy. Once the issue is patched, we'll be publishing an advisory here. Working with Mozilla on past security issues, we've found them to have a good track record and expect a reasonable turnaround on this issue as well.
And in the same post, MacInTouch goes on to say that Safari for Windows has been updated to version 3.1.2 and that it fixes security problems.
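As an added example (not from the thread or from any of the write-ups quoted above), here is a small POSIX shell script that checks the two defender-side facts the alerts describe: whether a binary such as ARDAgent carries the set-user-ID bit while being owned by root (the condition Intego explains), and whether the file names SecureMac reported (ASthtv05, AStht_v06) have turned up in /Library/Caches, where the Trojan copies itself. The ARDAgent path is my assumption about where the agent lives inside the RemoteManagement bundle; the temporary file and directory the demo builds are constructed so the script runs anywhere, not only on an affected Mac.

```shell
#!/bin/sh
# Added example, not code from the thread. Reports whether a binary is setuid
# root (the ARDAgent condition in the Intego alert) and looks for the file
# names SecureMac attributed to AppleScript.THT.

# Assumed location of the agent on 10.4/10.5; override via the environment.
ARDAGENT_PATH="${ARDAGENT_PATH:-/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent}"

# is_setuid PATH -> exit 0 if PATH is a regular file with the set-user-ID bit
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# file_owner PATH -> prints the owner name (field 3 of ls -l, portable across BSD/GNU)
file_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# risk_level PATH -> prints one of: missing, setuid-root, setuid-other, clean
risk_level() {
    path=$1
    if [ ! -f "$path" ]; then
        echo missing
        return 0
    fi
    if is_setuid "$path"; then
        if [ "$(file_owner "$path")" = root ]; then
            echo setuid-root      # the state the alerts describe for ARDAgent
        else
            echo setuid-other
        fi
    else
        echo clean
    fi
}

# find_tht_artifacts [DIR] -> prints entries in DIR (default /Library/Caches)
# whose names match the two Trojan file names given in the SecureMac report
find_tht_artifacts() {
    dir=${1:-/Library/Caches}
    [ -d "$dir" ] || return 0
    ls -A "$dir" 2>/dev/null | grep -E '^ASthtv05|^AStht_v06' || true
}

# Demonstration on constructed files so the script is self-contained
demo() {
    tmp=$(mktemp)
    chmod 0755 "$tmp"
    printf 'before:  %s\n' "$(risk_level "$tmp")"
    chmod u+s "$tmp"                 # simulate the vulnerable state
    printf 'setuid:  %s\n' "$(risk_level "$tmp")"
    chmod u-s "$tmp"                 # the "easy fix" the TUAW link refers to: strip the bit
    printf 'fixed:   %s\n' "$(risk_level "$tmp")"
    rm -f "$tmp"

    cache=$(mktemp -d)
    touch "$cache/ASthtv05" "$cache/benign.txt"   # constructed cache contents
    mkdir "$cache/AStht_v06.app"
    printf 'artifacts in constructed cache:\n%s\n' "$(find_tht_artifacts "$cache")"
    rm -rf "$cache"

    printf 'ARDAgent on this machine: %s\n' "$(risk_level "$ARDAGENT_PATH")"
}

demo
```

On a machine that is not a Mac the last line simply reports "missing"; on an unpatched 10.4/10.5 system it reports "setuid-root", and after stripping the bit with chmod u-s it reports "clean". The artifact check only matches the exact names from the report, so a renamed copy will not be caught by it; it is a quick indicator, not a substitute for inspecting Login Items.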
Kilted
06-20-2008, 07:42 AM
MaDDog is this close enough ???
http://img.skitch.com/20080620-tgwmnf6fenssnpx5q485gfcn4t.preview.jpg (http://skitch.com/kilted1/qd1k/photo-booth)
Click for full size (http://skitch.com/kilted1/qd1k/photo-booth) - Uploaded with plasq (http://plasq.com)'s Skitch (http://skitch.com)
Sherman Homan
06-20-2008, 07:42 AM
I am going to change my mind about this AppleScript, it is a serious problem, it does give you root access to an installer. You get root access even if you are logged into a guest account! All those new Macs in the Apple Stores are vulnerable to anyone who runs that script! It looks like an easy fix but I am amazed that an Apple product that has been around as ARD and scripting has been overlooked.
MacHeadCase
06-20-2008, 07:44 AM
I betcha they're already at work on a patch. They really can't afford to see this gain any more traction.
MaDDog is this close enough ???
http://img.skitch.com/20080620-tgwmnf6fenssnpx5q485gfcn4t.preview.jpg (http://skitch.com/kilted1/qd1k/photo-booth)
Click for full size (http://skitch.com/kilted1/qd1k/photo-booth) - Uploaded with plasq (http://plasq.com)'s Skitch (http://skitch.com)
Oh I'd see this gives a very close look. :biggrin:
technologist
06-20-2008, 09:28 AM
I am going to change my mind about this AppleScript, it is a serious problem, it does give you root access to an installer. You get root access even if you are logged into a guest account! All those new Macs in the Apple Stores are vulnerable to anyone who runs that script! It looks like an easy fix but I am amazed that an Apple product that has been around as ARD and scripting has been overlooked.
Yes, this ARD privilege escalation thing is a big deal. And the speed at which it was exploited after it became public is also notable.
If there is a silver lining, it's that this is not an architectural flaw...it's more of an oh-crap-I-forgot-to-lock-the-door kind of flaw. Really stupid but easy to fix.
Sherman Homan
06-20-2008, 09:47 AM
Hey tech! You are absolutely right. This ARD root exploit should be embarrassing enough for Apple to fix by sundown tonight. Normally, there is no way to protect people from themselves and if they willingly download files from pr0n sites and give up an admin password to install it, they deserve what happens. But this is different, it is a completely wrong programming exploit.
MacHeadCase
06-20-2008, 09:52 AM
Pr0n websites? I thought it was forum passwords... :tongue:
Sherman Homan
06-20-2008, 10:10 AM
Pr0n websites? I thought it was forum passwords... :tongue:
Ya gotta get around the naughty word filt3rs soemhow oar a nuther.
:w00t:
iKitten
06-20-2008, 10:48 AM
If I haven't got Apple Remote Desktop enabled, would this impact me at all?
Don't throw rocks at the tech novice?
Sherman Homan
06-20-2008, 11:57 AM
If I haven't got Apple Remote Desktop enabled, would this impact me at all?
Don't throw rocks at the tech novice?
Ah, but you do! It is built in as ARDAgent. Do this:
Open terminal, type in this:
osascript -e 'tell application "ARDAgent" to do shell script "whoami"'
You are presented with root, no password necessary! :scared:
From terminal you can install pretty much anything you want. That includes the ability to run from a non-admin account and most ominously, from a guest account.
No one here will throw rocks at novices! I have spent a couple of hours this morning trying to figure out how this thing works. And it looks like it has been an exploitable problem for all of Leopard and Tiger! We are all novices on this bus!
dtravis7
06-20-2008, 12:08 PM
Pr0n websites? I thought it was forum passwords... :tongue:
Yeah people use prOn to get around the filters yet still talk about it. I did it the other day as a joke in a PM where no one could see it but who I wrote it to.
MaDDoG
06-20-2008, 03:54 PM
MaDDog is this close enough ???
http://img.skitch.com/20080620-tgwmnf6fenssnpx5q485gfcn4t.preview.jpg (http://skitch.com/kilted1/qd1k/photo-booth)
Click for full size (http://skitch.com/kilted1/qd1k/photo-booth) - Uploaded with plasq (http://plasq.com)'s Skitch (http://skitch.com)
eeewwww!!!! HAHAHAHA:lol:
See, this is why you should all upgrade to dial-up like I was just forced to. Then you don't have to worry about downloading things like this. Or just things
Kilted
06-21-2008, 03:26 AM
Trojan 'Orse? No, this is more my style
http://www.youtube.com/watch?v=9v-4Ug0IgVo
MacHeadCase
06-21-2008, 04:00 AM
What's all the fuss about? I love horses. :wub:
Good one, Kilted! :laugh:
Your father was a hamster and your mother smelled of elderberries... Clip (http://idisk.mac.com/macheadcase/Public/My_Sounds/hamster.wav).
MacHeadCase
06-21-2008, 06:47 AM
Just caught this from TUAW and there seems to be at least one concrete use of this Trojan, Watch out for PokerGame trojan (http://www.tuaw.com/2008/06/20/watch-out-for-pokergame-trojan/):
In the wake of the ARDAgent vulnerability (http://www.tuaw.com/2008/06/19/ardagent-setuid-allows-root-access-but-theres-an-easy-fix/) discovered yesterday, we all have something new to look out for: OSX.Trojan.PokerStealer (http://www.intego.com/news/ism0803.asp) is the official name of a trojan horse masquerading as a poker game. The trojan is distributed in a 65K .zip archive. ...
I think you guys should really take a look at that small article. :blink:
MaDDoG
06-21-2008, 03:49 PM
Trojan 'Orse? No, this is more my style
http://www.youtube.com/watch?v=9v-4Ug0IgVo
I LOVE Monty Python......my daughter just thinks it's silly. She has a strange sense of humour.
iKitten
06-21-2008, 03:51 PM
I always thought it was those who LOVED Monty Python who had the "strange sense of humour." :rolleyes:
MaDDoG
06-21-2008, 03:52 PM
Here's a trojan that stops you getting a virus.
http://www.trojancondoms.com/
MaDDoG
06-21-2008, 03:53 PM
I always thought it was those who LOVED Monty Python who had the "strange sense of humour." :rolleyes:
I do, but then again I would have thought you'd realised that already:thumbup:
MacHeadCase
06-23-2008, 10:00 AM
It would seem there is a new variant out? New Mac Trojan Disables Security, Steals Passwords (http://news.yahoo.com/s/nf/20080623/tc_nf/60404). The one discussed earlier was AStht_v05; now this one is AStht_v06... Unless one of these articles has made a typo in the malware name. :blink:
Gilajenn
06-23-2008, 12:28 PM
So is this maybe not a good time for Apple's latest spam for their educational deal to mention that you won't get any PC viruses if you buy a Mac? True on its surface, but, um...
MaDDoG
06-23-2008, 12:50 PM
So Mac users, who uses an antivirus or other related program and what do you have? I'm just downloading the Sophos trial for a look-see. And I thought I had left this behind.....
MacBookMaster
06-05-2009, 06:56 PM
Macs are not very strong in terms of security actually. I've recently read an interview with Charlie Miller, and Safari on a Mac is the easiest for him to take control of! Interview (http://blogs.zdnet.com/security/?p=2941)
vBulletin® v3.7.1, Copyright ©2000-2010, Jelsoft Enterprises Ltd.