Rare Mac Trojan exploits Apple vuln

A rare Mac OS X Trojan has been spotted on the internet. The AppleScript-THT Trojan horse exploits a vulnerability within the Apple Remote Desktop Agent to load itself with root privileges onto compromised Mac machines. The malware, which is capable of infecting Mac OS X 10.4 and 10.5 boxes, surrenders control of compromised …

COMMENTS

This topic is closed for new posts.


  1. This post has been deleted by its author

  2. Anonymous Coward
    Anonymous Coward

    Ooooo, just as Wimbledon starts

    Time to sit back and watch the Mactards vs the Vista Wristers in our OS is safer than your OS slug fest.

  3. arran
    Jobs Horns

    still

    have to download and install it though, less of a trojan and more of an exploit of un intelligent people methinks

    mines the hat with the big "D" on it

  4. This post has been deleted by its author

  5. Anonymous Coward
    Anonymous Coward

    @arran

    Isn't that the definition of a trojan? Here, look somebody made a nice big wooden horse for us.

  6. Paul Buxton

    @arran

    "less of a trojan and more of an exploit of un intelligent people methinks"

    Well they chose their target audience carefully then. ;)

  7. Omer Ozen
    Go

    A new Trojan found for OS X ver. 10.x

    No, really. I know a new trojan called MS XP spotted in the wild and if you chose to install it to your mac, it turns OS X to XP.

    Currently this version of the trojan comes on a CD.

  8. greg

    Correct me if I'm wrong please

    But if you download and install something, on any OS, can't it be giving control anyway, no matter what OS ?

    On the other side, if you're not totally stupid and have a Mac 10.5 and bought an external harddrive and use time machine correctly, you can go back to your prior-to-the-trojan-stupid-install in 30 mins, maybe less?

    I mean, very easily, without being a computer genius, which is important since it's computer illiterate likely to be hit by such an install...

  9. Art Vanderlay

    Big news

    All systems are vulnerable if you have to download, install, and have to give your admin password surely.

    Try this in a terminal window:

    sudo rm -rf /

  10. Chris Haynes
    Boffin

    It always ceases to amaze me

    When the blended vuln in Safari and IE on Windows was discovered, Microsoft's recommendation was for users to not use Safari. A better workaround was to change your default downloads directory. Problem gone. Simple solution.

    El Reg hasn't posted any of the many workarounds available for the ARD problem. TUAW has a few solutions here: http://www.tuaw.com/2008/06/19/ardagent-setuid-allows-root-access-but-theres-an-easy-fix/

    I'd guess an awful lot of people out there don't need to be managed by an admin, so can safely stop this problem in its tracks until Apple release a fix.

    No one is reporting the solution though, only the problem.

  11. Phil Arundell
    Thumb Down

    Didn't take long

    As soon as I read about the idiotic decision to have the SUID bit set on the Apple Remote Desktop Agent, it was obvious there would be an exploit for it. This is a massive security hole in OS X and there's not really any way of defending it: A simple shell script can gain root privileges not by exploiting buffer overruns, etc but almost by design!

    The Apple Remote Desktop Agent is scriptable and runs all scripts passed to it as root because of the SUID bit: this really is security 101 stuff and it makes you wonder how many other holes exist under the hood of OS X

    You can protect yourself from this by unsetting the SUID bit, but if you subsequently run permissions repair on the disk, OS X will "helpfully" put it back for you...

    Microsoft have had a lot of (justified) stick for security issues in various versions of Windows, but this is probably the worst security issue I've seen in years, simply because someone has made a conscious decision to set up the remote desktop agent in that way

    Finally, a few comments on here have tried to defend it by saying it has to be installed by the user: That is the definition of a trojan, and the big difference with this over earlier "trojans" is that the root escalation means it can do what it wants without triggering the secondary authentication that has kept other malware from freely doing what it wants on a Mac.

    This will probably hit Macs hard because many Mac users are lax about running downloaded apps because they expect the OS to protect them, and have no additional malware protection on the machine.

    And before I get flamed by Mac users trying to defend this, I am a Mac user myself and, as I said at the start, this is simply indefensible

  12. heystoopid
    Linux

    As

    As Nelson would say Ha ! Ha!

  13. amanfromMars Silver badge
    Alien

    Open Secrets .... FailSafe Security .... ZerodDay Vulnerability ..... Source?

    "have to download and install it though, less of a trojan and more of an exploit of un intelligent people methinks

    mines the hat with the big "D" on it" .... By arran Posted Monday 23rd June 2008 10:21 GMT

    Not for Hyper Virtualisation you don't. You just follow your Intelligence and click on Advanced IntelAIgently Designed Gifts Hosted on the Internet Networking InterNetworking for ITs Supporters and Drivers.

    Simple Sophisticated Push IT Technology...... for HyperRadioProActive Interactive Matches Made in Heaven ........ for A.N.Other Byte of the Big Apple Apple, Apple?

    cc. Steve Jobs and the Other Steve ?

  14. Anonymous Coward
    Paris Hilton

    Experiment

    I wonder how many people would install an executable called "If_you_install_me_hackers_will_have_full_access_to_your_computer"?

    I have a feeling there'd be loads.

  15. Anonymous Coward
    Boffin

    The pc (political correct) term

    @arran:

    "more of an exploit of un intelligent people methinks"

    I think they prefer to be called "users" nowadays.

  16. Xander

    Actually....

    "have to download and install it though, less of a trojan and more of an exploit of un intelligent people methinks

    mines the hat with the big "D" on it"

    Not quite true..... it IS a TROJAN as the idea behind a trojan is to pretend or actually deliver software (free or otherwise) but also has another more nefarious purpose behind it....

    i think you probably meant to say.... less of a virus and more of a trojan!

  17. RainForestGuppy
    Thumb Up

    Arran

    The legend of the trojan horse says that the Greeks hid in the horse and the Trojans pulled it into the City.

    The whole point of a trojan is that it is something you bring into your own environment.

  18. Michael
    Black Helicopters

    Once Again, Don't give it your password

    If I am not mistaken, you need to give your admin password for the installation to occur. Now... I have a hard time calling these "trojans" and more definitely they are not viruses. This is strictly a "malicious program" and NO platform is safe from such cases.

  19. Anonymous Coward
    Coat

    i don't believe it

    i think someone has made a mistake here, our god would not do this to us, this is a windows problem surely!

  20. Anonymous Coward
    Anonymous Coward

    @ James Greenhalgh

    "Linux Wouldn't have this Problem" - why? Surely executing a downloaded application after the user has been asked "are you REALLY sure?" is a problem for all operating systems. PEBKAC - Problem Exists Between Keyboard And Chair.

  21. jubtastic1
    Unhappy

    More details from A mac IT Nerd.

    I stumbled across a forum (shadowmac I think), where the participants were cobbling this together while I was googling failure conditions on the ARD exploit.

    Social engineering is needed to get Trojan downloaded and for first run on target computer, in this case the run part is handled by a fake applescript warning concerning broken pref panes with a 'should I repair?' style pop up at login/app run.

    Uses the recent ARD exploit to gain root access to box and enable services, swiss cheese the firewall etc, does not require user to enter any password.

    Full exploit will only work if:

    User that activates it is logged into GUI *AND* ARD has not been set up.

    So simply turn Apple Remote Desktop on and set access privileges for a user in the sharing prefs to disable the exploit.

    Hopefully there will be a patch for this rather embarrassing vulnerability shortly.

  22. Chris Richards
    Pirate

    @Art Vanderlay

    quote:"All systems are vulnerable if you have to download, install, and have to give your admin password surely.

    Try this in a terminal window:

    sudo rm -rf /

    "

    I really hope someone having a Monday morning brainlapse didn't try that.

  23. Jordan

    "Not a Real Virus" I love it!

    Seriously? Are you kidding?

    I love it when people say "Oh, well... you need to run it as a program so - there, not a virus" the same holds true for trojans on Windows too you know.

    It attaches to an illegal program downloaded through Limewire and is run when they think they are running the cracker, or it's sent from one person to another by iChat with the promise of "There are pictures in that .exe" or whatever the apple variant of an executable is.

    This is a Virus, this is a threat, and honestly Apple needs to quit the mud-slinging - their OS is just as vulnerable as Windows - it's just Windows is more popular - but there are still programmers and script kitties are still out there with Macs, perhaps a bit spiteful, who are more than willing to take down their system.

  24. WT

    So what happens if you don't have the Apple Remote Desktop software installed?

    last time I checked this software was sold separately, 299 USD from Apple.

  25. Thomas

    "Once Again, Don't give it your password "

    From the article and from what Phil Arundell says, it sounds like you install the script and the script requests some actions from the Remote Desktop Agent. The harmful acts are performed by the desktop agent, so that's the program you would need to change permissions to. Conversely, you could easily execute the script from anywhere without giving it your password.

    So, a real security threat but one that's easy to avoid. As an OS X user, I'm hoping that we see more of these in the short term, so that Apple are forced to start being a bit more sensible about security, rather than claiming that if the kernel and most of the core libraries are secure then the OS must be.

  26. paul
    Joke

    @WT

    So what happens if you don't have the Apple Remote Desktop software installed?

    last time I checked this software was sold separately, 299 USD from Apple.

    I thought all proper mac men bought anything that Steve Jobs makes even if they have no use for it

  27. David
    Happy

    sudo rm -rf /

    I tried this but it did not work !!

    C:\WINNT>sudo rm -rf /

    'sudo' is not recognized as an internal or external command,

    operable program or batch file.

    What gives.

    :-p

  28. Steven Hunter
    Jobs Halo

    @WT + Paul

    The ARD *client* is installed on all Macs. You can enable it in the Sharing Preference panel. But that usually doesn't do any good if you don't have a copy of the management tool (which is the $300 software mentioned).

    Ironically, *enabling* ARD actually kills this vulnerability. You can also just do a "sudo chmod -R 000 /System/Library/CoreServices/RemoteManagement/ARDAgent.app " to disable it (this might be undone by Disk Utility if you run a permissions repair, didn't check).

  29. Shinku
    Alert

    Not real, eh?

    I'm seeing people trying to describe this as something other than the article did, I can only imagine in some vain attempt to save face after years of laughing at Windows users. Let me just fix that for you...

    Firstly, if this isn't a real trojan then a very large amount of the malware you constantly poke fun at on the Windows platform isn't real either. Of course, at the end of the day, malicious software really is just software that does things you'd rather it didn't while the guy who wrote it is sitting there rubbing his hands together with glee. Works the same on every platform, and if it gains root/admin/system privileges without asking you then it's a problem, regardless of what you wanna call it.

    Secondly, I see people mentioning easy fixes. There are easy fixes for holes on other platforms too but that's sod all use to Joe Bloggs at No. 91 who just got his first computer 3 months ago and has absolutely no clue that computer security even exists, let alone that he has to worry about it himself. It's all very well knowing that if you turn off ARD then you're probably fine but that doesn't help all the other Apple users...

    Finally, it doesn't really matter whether this is "real" or not, or whether you're in denial about using an OS that's a lot more vulnerable than you like to believe. At the end of the day, this is a security risk. It doesn't matter whether you want to believe it, which other platforms have more malware, how intelligent users supposedly are or how much you claim to know about your precious li'l Mac. If you wanna sit there cuddling your Jobs dolls that's fine by me, but when something comes along that you should be paying attention to, get your heads out of the god damn sandbox!

    Yeah, I'm a Windows user. Oh, I use Linux too. OSX too, occasionally. OS8/9 once or twice, AmigaOS, RISCOS, FreeBSD... Well, you get the idea, I'm about as OS agnostic as you can possibly be, so no calling me a fanboy (that'd be somewhat hypocritical). Eep... Uberpost, I'm done here I think...

  30. frymaster

    What is true for all main OSs (in desktop user form anyway)...

    ... is that once an attacker gets ordinary user level access, it's pretty much game over. Just about all of the linux vulnerabilities are local privilege escalation issues; no idea about windows (I don't get emails about them, I just install them every month) but I assume it's pretty much the same. And although this is a particularly large and easy hole to exploit, I bet there's more subtle ones in OSX as well.

    The lesson from that pwn to own competition (no machine could be hacked just by having network access; all of them could be hacked* by exploiting a flash vulnerability) is that your vulnerability is linked directly into what you do with your system. If you're a desktop user, then things like that flash vulnerability have the potential to catch out ANY user on ANY system, without needing to click anything. On a server, the services you run and how well they're used (how exploitable is your dynamic website?) determine your vulnerability.

    Yes, you can customise your system to be more resistant to local-user attacks (especially if you run a multi-user system) but, pretty much, if someone gets local access it's game over.

    The one thing that doesn't affect your vulnerability is OS, especially on servers. On desktops, of _course_ most people concentrate on the OS with the market share, but just coz the threat is lower doesn't affect your vulnerability.

  31. Law
    Linux

    yey - my first OSX headline freakout

    Congrats El-Reg - you are my first headline scare as an osx user!! :) That is, until I read the body of the story and decided I didn't need to worry just yet.

    Neither a mactard, or a winwhore - just liked the laptop more than the alienware stuff! :)

    Don't hate the player, hate the game.

    Tux - because tonight I'm gonna see what the fuss about Suse 11 was last week

  32. Anonymous Coward
    Gates Horns

    sudo rm -rf /

    Hmmm.... didn't work for me :~) due to my OS is smarter than me!

  33. Anonymous Coward
    Anonymous Coward

    Calm down calm down

    A simple fix is to remove SetUID from the ARDAgent executable, viz-

    sudo chmod -s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

    To undo this, simply repair permissions on your machine.
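    A defender-side check for the setuid condition that posts 11, 28 and 33 describe, added here as an example; it is not code from the thread, from The Register or from Apple. It assumes only the ARDAgent path quoted in the post above (the `audit`/`fix` subcommands and the function names are this example's own), and uses the POSIX `[ -u FILE ]` test so the same script runs under macOS's sh and under dash or bash on Linux. Because the thread notes that a permissions repair silently restores the bit, the point of a script rather than a one-off `chmod -s` is that the check can be re-run and its exit status acted on.

```shell
#!/bin/sh
# Added example (not from the thread or from Apple): audit a binary for the
# setuid bit and optionally clear it, so the `chmod -s` mitigation quoted
# above can be re-checked after a permissions repair puts the bit back.
# POSIX sh only; `[ -u FILE ]` is the portable setuid test.

# Path quoted in the thread for the ARD agent binary (assumed unchanged here).
ARDAGENT_DEFAULT='/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent'

# has_setuid FILE: 0 = setuid bit set, 1 = bit clear, 2 = file missing
has_setuid() {
    [ -e "$1" ] || return 2
    [ -u "$1" ] && return 0
    return 1
}

# owner_of FILE: the account a setuid execution of FILE would run as
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# clear_setuid FILE: drop the setuid bit (root is needed for a system binary)
clear_setuid() {
    chmod u-s "$1"
}

# audit_setuid [FILE]: one-line report; exit status mirrors has_setuid
audit_setuid() {
    f=${1:-$ARDAGENT_DEFAULT}
    rc=0
    has_setuid "$f" || rc=$?
    case $rc in
        0) echo "SETUID: $f executes as $(owner_of "$f"); re-apply the fix" ;;
        1) echo "ok: $f carries no setuid bit" ;;
        2) echo "missing: $f is not present on this system" ;;
    esac
    return $rc
}

# fix_setuid [FILE]: clear the bit if set; 0 = bit is now clear,
# 2 = file missing, 3 = chmod did not take effect (e.g. not root)
fix_setuid() {
    f=${1:-$ARDAGENT_DEFAULT}
    rc=0
    has_setuid "$f" || rc=$?
    case $rc in
        0) clear_setuid "$f" || return 3
           if has_setuid "$f"; then return 3; fi
           echo "fixed: setuid bit cleared on $f"; return 0 ;;
        1) echo "ok: $f already has no setuid bit"; return 0 ;;
        *) echo "missing: $f is not present on this system"; return 2 ;;
    esac
}

# Command line: `audit [FILE]` reports, `fix [FILE]` reports and clears.
# With no arguments the script only defines the functions above.
case "${1:-}" in
    audit) audit_setuid "${2:-}"; exit $? ;;
    fix)   fix_setuid "${2:-}"; exit $? ;;
esac
```

    Run `sh ardagent_setuid_check.sh audit` after any Disk Utility permissions repair; a zero exit status means the bit is back and `sudo sh ardagent_setuid_check.sh fix` is needed again. The `fix` path deliberately re-checks the file after `chmod` rather than trusting the command's exit status, so a run without sufficient privilege is reported as a failure instead of a silent no-op.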

  34. Ty
    Jobs Halo

    OMG

    Some posts here are unbelievable.

    A Virus has to REPLICATE YOU MORONS!!!!

    This is the problem when Joe Public picks up a PC from PC World and suddenly think they are an expert - you get posts like a lot above. How embarrassing.

    There are ZERO viruses for Mac OS X in 7 years and counting.

    You poor windoze zealots are in for a rough ride the next decade - and Apple is gonna chew you up and spit you out.

    Anyone dumb enough TO OPEN AND RUN something they DL online from a dodgy site deserves all they get.

    This is a non-story from a "security company" trying to garner sales from recent PC to Mac switchers who are yet to get over their constant fear they are used to while running a crud system.

    How sad.

  35. Mr B
    Dead Vulture

    El-Reg = Scaremonger.

    So the stuff you need to download and wilfully execute may exploit a vulnerability to gain root access.

    Privilege Escalation != Trojan ... it's a start but a wee bit of work is still needed.

  36. John

    @ mods

    You really shouldn't have let this slip through:

    "Big news

    By Art Vanderlay"

    It could really ruin someone's day if they accidentally ran it (not everyone who reads the register comments is a techy).

  37. jai
    Joke

    Lister FTW

    So all of a sudden they wake up one mornin' and the Greeks have gone. And there outside the city walls they've left this gift; this tribute to their valiant foes: a huge wooden horse, just large enough to happily contain 500 Greeks in full battle dress and still leave adequate room for toilet facilities? Are you telling me not one Trojan goes, "Hang on a minute, that's a bit of a funny prezzy. What's wrong with a couple hundred pairs of socks and some aftershave?" No, they don't -- they just wheel it in and all decide to go for an early night! People that stupid deserve to be kerpowed, zapped and kersplatted in their beds! You know what the big joke is? From this particular phase in history we derive the phrase, "Beware of Greeks bearing gifts," when it would be much more logical to derive the phrase, "Beware of Trojans, they're complete smegheads!"

  38. Mathew White

    3.1Mb !

    What happened to writing exploits as a beautiful 20Kb of byte code?

  39. Gilbert Wham

    Wait, what?

    299 bucks for a remote desktop? For realz? Jesus. Does it come with a voucher for a free lapdance or something?

  40. Brian Whittle
    Gates Halo

    User=idiot ? (maybe)

    I mostly do home support and I was thinking that with the use of vista on Windows boxes there would be much less crap on the PCs I dealt with, but I was underestimating the stupidity of most users. With macs it will be just the same if not worse, after all macs don't get viruses apparently.

    A totally secure PC (and I am including macs and Linux here as they are PCs too) is one that's switched off

  41. Anonymous Coward
    Jobs Halo

    La La La, I Can't Hear You

    I have my iPhone on full volume listening to the word of Steve while surfing blasé on my MacBook Air.

    Your Trojans cannot harm us, our MacBooks are like shields of steel. Anyway if I hold my Air at the right angle the Trojan will just pass over its sleek and aerodynamic body.

    Steve is the light, Steve is the way. All hail Steve!

  42. Michael C

    Infection process

    OK, I just e-mailed a compiled script to my father's mac to see what process he had to go through to even get it on his machine.

    First of all, his e-mail account blocked the attachment, so we had to tweak his settings to allow the attachment to come through at all, without resorting to compressing it and hiding it inside another file format, which would have added an additional user required step.

    Once I managed to get an e-mail in his inbox containing the attachment, he couldn't just run it. The Mac made him save it to a file first, and bitched about the message containing an active program, prompting a warning.

    Then, running the batch, per the notes online, actually runs an installer, which prompts for a keychain password... Well, most folks in a company that use ARD have administrative rights in place to prevent application installs, and user accounts typically don't have admin permissions in the keychain anyway.

    I'm sure there are a select few idiots who may have allowed this exploit to actually get on their machine. People in firms with clueless admins who have both a lack of knowledge and a wealth of money (ARD isn't cheap, and the need for a mac server to run it on doesn't make it any easier), are the only targets for this attack. I don't call this a virus or a trojan, I call this due reward for stupidity, aka natural selection. If you're both so inept as to be unable to stop it, and gullible enough to follow through with it, you DESERVE to be hacked. (I'd prefer you to not be permitted online in the first place!)

    Even my father, who I had to walk through printing his address book last week, knows enough to never download a file, even from someone he knows, unless he's expecting to get it for some reason, and then any file that asks for a keychain password is something to question a second time...

    When they come out with a virus that can infect a mac that is in a standard state (root not enabled, firewall on, etc) without any user action, then we'll call it insecure. Mac users fall to social hacking just as easy as anyone else, but phishing attacks and other social tricks aside, there's no real way to infect a mac that has yet been discovered. (unlike a PC, where simply connecting to the net is enough).

  43. Steve Mann

    Camera Activated?

    This is FUD. Young female iBook owners should continue to blog topless as God intended, though most of them should sit about six inches further from the screen for health purposes.

  44. suc
    Go

    every OS has virus: Linux and Mac users are not immune

    A virus is just a piece of code running into the system in order to perform malicious activities, so every operating system would have a virus because in every OS you have executables, programs and processes. For this reason Linux and Mac users are NOT immune to virus.

  45. Thomas

    @Shinku, etc

    You should be more clear about who you're addressing. Until you admit that you use OS X yourself (albeit occasionally), your post reads like you're tarring all Apple users with the fanboy brush. Though your points are valid, I wouldn't suggest a career in diplomacy.

    To others:

    You may believe the conclusion, and it may even be true, but this news alone is not enough to prove that OS X and Windows are of equivalent security. Possibly you're intending to rely on the argument that a system is either secure or it isn't and that any idea of a spectrum in between is an illusion. If so, maybe you should actually say that rather than leaving it implicit?

  46. amanfromMars Silver badge
    Pirate

    A Life of Brian

    "A totally secure PC (and I am including macs and Linux here as they are PCs too) is one that's switched off" .... By Brian Whittle Posted Monday 23rd June 2008 14:14 GMT

    Another field of perception that may be misinformed, Mr Whittle.

    And the Jolly Roger because IT is Potent Magic. Changed Perceptions Equals Changed Times is Time Machine Twittering .... IDolLed Gossip .... HyperRadioProActive Chatter.

  47. Anonymous Coward
    Alert

    At least its not as dangerous as the average IT guy

    "IT staff are main threat for data leaks, study finds"

    at

    http://tinyurl.com/645msb

  48. Christopher Martin

    Why would you particularly care to root a Macintosh?

    I'm sure the vast majority of the machines in question are personal desktops with one or two user accounts. I'm no hacker, but it seems to me that anything you would want to exploit - sending of spam, grabbing of keystrokes - could be done almost as easily in userspace, without needing to sudo at all.

    So... while I do understand, on principle, why you don't want the sanctity of your root violated - If I owned a shiny white box, I'm not sure I could force myself to give two craps that it has a root vuln which requires me to execute it myself.

  49. Tom
    Jobs Horns

    Give it up

    Mactards are tools. Give it up! You're seeing a tip of an iceberg here. If more people are fooled into buying style over substance.. meaning MACs, then you'll unfortunately see the market share go up... and guess what will go up with that? VIRUSES! Overpriced junk I say... IPoops, Ismacks... forgetaboutit. Cut your hair, graduate college/H.S. and buy something else. A computer company is not a culture or movement... its marketing to people with empty lives who suck it up like empty promises on an election campaign.

    BTW the movie was 1984.. not 1974. unless that was the joke.

  50. Anonymous Coward
    Flame

    No password required

    I would like to point out to the fanboys that in the case of this exploit, no, you do not have to input your admin password and nor will you be asked for it. The ARD agent is taking an applescript request from a non-privileged user and executing it as ROOT.

    If you couple this with say, a drive by browser exploit, then you have a *serious* problem.

    I was able to get the exploit to work remotely on my Macs but only with known credentials for a user on the remote machine and of course events must be enabled (not default behaviour), but it is potentially remotely exploitable.
