SecureMac identifies first ARDAgent-based trojan

RobK: I agree that I should have added a warning about not running Repair Permissions until this is officially fixed by Apple. My bad. Thanx.

I also agree that perhaps clearing the "sticky bit" that allows the dangerous "setuid" functionality to happen with ARDAgent could POSSIBLY be a better solution. For those of you out in TV Land that are now more confused than ever, you can apply the fix that RobK suggests by opening up Terminal, and typing the following (all on one line):

sudo chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

Then press Return.

Enter your password and press Return.

Then Quit the Terminal.

As for your suggestion to "hide" ARDAgent, that is not a practical solution for many people who depend on ARD to administer multiple Macs in educational and corporate networks, or just plain folks who want to use ARD.

By the way, Apple allegedly changed the way "setuid" works in Leopard, such that something that wants to run a "process" as the "owner" (root, in this case), cannot just rely on the setuid bit. Instead, they must call a "function", called "setuid()". I don't run Leopard, so I cannot confirm or deny this.

Until Apple patches this vulnerability, there are 2 fixes. Take your pick. Both work:

1. Don't leave your machine with a user logged in, or at least without an "Administrative" user logged in.

OR

1. Launch the "Terminal" app.
2. Enter the following incantations:

cd /usr/bin/
sudo chmod 550 osascript
(now, enter your password and press return)

Quit the Terminal. Fixed!

What that bit of Sorcery did was to block ALL access to "osascript" for any user that is not "root" (which even an Administrative-level user is NOT), or is not a member of the group "wheel" (which your user is NOT). This does NOT affect Apple Remote Desktop in any way.

If you have any problems with this (you shouldn't), simply repeat the steps above, with "555" in place of the "550". That will restore the original permissions.

You can make sure your change happened by typing the following into Terminal:

ls -ld osascript

At the left-hand side of the resulting output from the "ls" command, it SHOULD look like the following (after the chmod 550, above):

-r-xr-x--- 1 root wheel 91536 Mar 20 2005 osascript

If you were NOT successful, it will likely return the default permissions, which will look like:

-r-xr-xr-x 1 root wheel 91536 Mar 20 2005 osascript

The difference is in the last 3 characters, which define the permisions for "everyone else" (other than the "owner" and the owner's "group"). Before the "chmod 550", "everyone else" had the same permissions (read (but not write), and "execute").

And when Apple officially fixes this (probably in the next security update), I would recommend changing osascript's permissions BACK to "555" BEFORE downloading their official patch.

Folks, this isn't a virus or malware this is a "hey dumbass, please install or run this script on your computer"

There is NOTHING you can do at the OS level from stopping someone from doing this.

You've been able to do this on Mac's, Windows, Linux, HP-UX for years.

I guess that's an advantage to being double NAT'd. If back to my mac won't work, neither would this.

Why do people think Macs are magically immune to hacks, exploits, trojans and malware? They aren't, there just aren't as many people targeting OS X because it's a very small percent of the market share. Once OS X becomes more mainstream we'll all be using some kind of Anti-Virus app on our Macs - it's inevitable.

It is interesting that almost ALL of the recent critical security exploits were found on Apple developed software (not on all the Open Source *nix software underlying Mac OS X).

It sounds like Apple needs to pay more attention to security issues when developing and releasing its own applications. When will Apple take security more seriously?

You should probably mention the temporary "fix" in the post, turning *ON* ARD seems to prevent the sample 'whois' script from running.

Macintosh and Linux OS are more secure because they are better thought, but the truth is that there is little malware because the "developers" don't have interest in doing it.

If either Linux or Mac where so spread as Windoze we would have tons of malware by now.

I use both OS X and Linux. Debian about 95 percent of the time and Ubuntu or RedHat for the remainder.

Aside from the fact 'all' these platforms are secure by design they have a chance to compromise a system when a user's web surfing or other personal habits allow them to.

At my former job as a systems administrator at a community college, I now work as a systems administrator at a university, I found the computers which had the greatest risk of compromise in open labs was 'porn' rows. These were usually computers sitting away from an instructor in the back of class.

Before software like 'Deep Freeze' my Windows machines, regardless of how tightly I managed the policies, basically the 'porn row' machines were useless.

My Linux and OS X machines have over the last three years at the university have yet to be compromised. I manage them just like I do a Windows machine.

Will I get hit sooner-or-later? The probability exists. Will it be as damaging as java or activex exploits on the Windows boxes. Probably not. OS X and Linux boxes are generally good citizens on the network.

and you still have to activly download and run the trojan for it to work

I have used Macs for 20 years now, and had a virus once, at least 15 years ago. It deleted entire lines of code from all the high resolution files. Nasty. At the time, because macs were relatively slow, I worked largely with small images until sending the files to repro for high res files to be added, so the damage was minimal. Imagine the damage it would do now. Scary, especially losing all my digital photographs.