Killer Mac Trojan Takes The World By Storm…. Wait, What?
Author: Rees | Date: June 22, 2008
Ars Technica are reporting today that a new Mac OS X trojan, known as AppleScript.THT, has been spotted in the wild. The trojan comes in the form of an executable that needs to be manually downloaded and run by the user, and is rumoured to be distributed via Limewire and iChat.
It takes advantage of a privilege escalation vulnerability in Apple’s remote desktop software, allowing an attacker to remotely run commands as the root (admin) user. The trojan can do anything that the root user can do, including some of these scary things listed by SecureMac:
…allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing.
As Apple slowly gains market share we’ll more than likely be seeing more and more of this, especially with OS X’s perceived security advantage being an enticing target for hackers and virus writers. The moral of the story? Don’t run random things you find on the internet.
To be on the safe side, the vulnerability can be mitigated either by enabling Remote Desktop Access (which makes the agent run as the current user, not as root), or by running this terminal command, which removes all permissions from the Remote Desktop Agent and effectively disables the service altogether. It’s a horrendous bodge, but it’ll work:
sudo chmod -R 000 /System/Library/CoreServices/RemoteManagement/ARDAgent.app
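To confirm the workaround took effect, the following check (an added example, not from the original post or from SecureMac) reports any entry under the ARDAgent bundle that still has a permission bit set. The function name, the exit codes and the ARD_AGENT override variable are assumptions made for the example; run it as root so find can descend into the locked-down bundle.

```shell
#!/bin/sh
# Added example: audit whether the chmod workaround from the post is in effect.
# Default path is the one given in the post; ARD_AGENT is a hypothetical
# override so the check can be pointed at a test copy.
ARD_AGENT="${ARD_AGENT:-/System/Library/CoreServices/RemoteManagement/ARDAgent.app}"

# Exit codes (chosen for this example):
#   0  every entry has mode 000, so the workaround is fully applied
#   1  at least one entry still has a permission bit set (paths are printed)
#   2  the bundle does not exist at the given path
#   3  the tree could not be fully inspected (typically: not run as root)
ard_workaround_applied() {
    target="${1:-$ARD_AGENT}"

    # A missing bundle is reported separately from a locked-down one.
    [ -e "$target" ] || [ -L "$target" ] || return 2

    # "-perm 000" is POSIX exact-match on the mode bits, including
    # setuid/setgid/sticky, and works with both BSD and GNU find.
    # A non-zero status from find means part of the tree was unreadable,
    # so "nothing printed" cannot be trusted as "nothing left".
    leftovers=$(find "$target" ! -perm 000 -print 2>/dev/null) || return 3

    if [ -n "$leftovers" ]; then
        printf 'still accessible:\n%s\n' "$leftovers"
        return 1
    fi
    return 0
}

# Usage: sudo sh ard_check.sh --check [path]
case "${1:-}" in
    --check)
        ard_workaround_applied "${2:-$ARD_AGENT}"
        exit $?
        ;;
esac
```

A system update that reinstalls the agent can restore the original permissions, so the check is worth repeating after updates.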
SecureMac advises that anyone who thinks they may be infected should run their MacScan security product. Out of interest I ran it on my machine, and I can safely say that it’s still lovely and clean after 18 months of hardcore unprotected internet usage.
*Ahem*




My preferences panel (under Sharing) doesn’t have any such category as ‘Remote Desktop Access’. It has some similar sounding ones, like Remote Screen Sharing, but not sure that’s exactly the same thing.
I’m guessing that Remote Screen Sharing would be handled by the Remote Desktop Access app. That’s just a wild guess, though, so don’t take my word for it. It could also be that they renamed it at some point, depending on the version of OS X that you’re using.