Filed under: Security
SecureMac identifies first ARDAgent-based trojan
SecureMac has identified AppleScript.THT, a trojan-horse type virus of malware that exploits a Apple Remote Desktop Agent vulnerability publicized earlier this week that can "allow a malicious user complete access to the system."
The malware is distributed as a compiled AppleScript, named ASthtv05, or an application bundle named AStht_v06. The files are 60K and 3.1MB in size, respectively.
Users must download and run the scripts in order for their computer to become infected. The trojan will install itself in the /Library/Caches folder, and will set itself to run at startup.
To protect yourself, use extreme caution when running AppleScript files or applications sent to you in an email, or downloaded from the internet.
While we can't say for sure that these are the same people that developed this malware, you can read about the evolution of a very similar exploit script here, including a June 14th mention of the ARDAgent vulnerability. Very depressing.
![TUAW [Cafepress]](http://www.blogsmithmedia.com/www.tuaw.com/media/tuaw-cafepress-promo.png)
Reader Comments (Page 1 of 2)
JoshK said 11:26PM on 6-19-2008
Is this is it? Can we Mac Lovers no longer mock Windows security flaws and now have to live in fear of malicious software? Sigh...time to move onto Linux.
Reply
Bassir said 11:41PM on 6-19-2008
Actually the fact that Mac-based sites actually blog about a new virus surfacing shows that Mac OS X has a very small amount of "viruses" as compared to Windows.
We can still make fun of them.
Jon said 1:21AM on 6-20-2008
I remember about 6-7 years ago there was a massive virus for Windows going around like an epidemic. My friend kept reinstalling the OS but he kept getting the virus about 30 secs after he connected to the internet for the first time (which I found hilarious). He was trying to download a firewall but he never succeeded and in the end he went to a shop and bought one.
The Mac has a long way to go.
Also, many people say that the Mac doesn't get viruses or trojans. This is not true. It gets them from time to time but the infections are usually EXTREMELY low (most are proof-of-concept) and they are normally patched very quickly. No OS is completely infallible.
totoro said 1:52AM on 6-20-2008
Yeah, thats the ticket. "Move to Linux". Because of an Applescript trojan. Christ.
paja said 6:31AM on 6-20-2008
Linux Troll !
JoshK said 9:03AM on 6-20-2008
Wow. "Linux "troll. One comment and I'm suddenly a troll. Grow up douchebag. For those with more enlightening comments here, thanks.
Rafe H. said 12:00AM on 6-20-2008
It's not clear from the summary above what the script does, other than gain root-privileges. What's the infection? The proof-of-concept has already been well publicized. How does this script take advantage of the vulnerability?
Reply
Al said 12:14AM on 6-20-2008
You do realize there have been other instances where Macs have been targeted by spyware. However, if I'm correct, I believe they have already been patched against.
Reply
Dan said 12:34AM on 6-20-2008
Just to be clear, a Trojan Horse is NOT a virus. There is a very well-defined difference between the two. Viruses propagate on their own without the need for user interaction. Trojans require the user's action to deliver their payload.
Reply
Tony said 6:23AM on 6-20-2008
Actually all viruses traditionally have had some form of user interaction - either downloading a file, inserting a floppy disk, executing some kind of script, etc.
The nature of a virus is that it replicates - the mechanism it uses to do so doesn't change the fact that it's a virus - maybe this one isn't or maybe it is.. haven't looked at it - but it's possibly for an applescript to call up mail.app and send itself to your friends, which would be a true virus.
Dan said 7:36AM on 6-20-2008
What you've just described is known as a "blended threat."
RobK said 9:59AM on 6-20-2008
IMHO this is NOT a Blended Threat. Typically a blended threat is one that relies on two or more exploits. With just the ARDAgent root escalation exploit one could easily install a trojan, a virus or spyware.
Yes, one would typically have to click on an attachment in an EMAIL or click on a file downloaded from a web site. But that is how most trojans, viruses and Spyware are installed.
If the malware uses an exploit and then uses mail.app or something similar to send out a copy of itself to your friends, that does not make it a "blended threat".
But as we have seen there have been a number of other exploits found on the Mac. It may be possible to use one or more of these along with the ARDAgent exploit to install malware on your Mac just be visiting a website WITHOUT User Interaction. That is why it is "root escalation" exploits are the worst IMHO. A hacker needs one to really install malware on a Mac. I hope Apple patches this one quickly. But as we have seen in the past, Apple is often very slow to react.
Brandon Martinez said 10:47AM on 6-20-2008
Thank You, Webster ;)
ericdano said 2:18AM on 6-20-2008
Virus is not equal to a Trojan. If this is all we have to worry about, then I'm not worried. I'm sure there will be a security patch in the next 48 hours that will nip this in the butt.
Reply
Mr Lizard said 2:45AM on 6-20-2008
NOT a virus!
A virus must self-replicate and spread, by itself, without help from the user. Just like a real virus does.
This is a tojan, yes, but just like the handful of malware created to target OS X so far, it relies on the user doing the leg work.
So, the same rules apply. Don't be stupid, don't go opening attachments from people you don't know, and you'll be a lot better off.
TUAW, please, PLEASE ammend the story to remove the word virus. It's wrong, and it causes undue alarm. Ta.
Reply
Tice said 2:54AM on 6-20-2008
I just don't get the exitement. It's a trojan, so you have to download it yourself and doubleclick it yourself. practically all other apps can harm your system that way.
So just don't download anything you don't know or doubleclick stuff send by E-mail. Voilá - problem solved.
Reply
Chris said 6:58AM on 6-20-2008
I have used Macs for 20 years now, and had a virus once, at least 15 years ago. It deleted entire lines of code from all the high resolution files. Nasty. At the time, because macs were relatively slow, I worked largely with small images until sending the files to repro for high res files to be added, so the damage was minimal. Imagine the damage it would do now. Scary, especially losing all my digital photographs.
Reply
bwilliams18 said 6:59AM on 6-20-2008
and you still have to activly download and run the trojan for it to work
Reply
Max Howell said 8:33AM on 6-21-2008
Unlike the trojan last month that had to ask the user for his/her root password before it could do damage. Any application that can execute Applescript can immediately without warning compromise your machine, or do something malicious.
Coupled with another exploit in another application, like for instance, Safari, were screwed.
Troy Banther said 8:13AM on 6-20-2008
I use both OS X and Linux. Debian about 95 percent of the time and Ubuntu or RedHat for the remainder.
Aside from the fact 'all' these platforms are secure by design they have a chance to compromise a system when a user's web surfing or other personal habits allow them to.
At my former job as a systems administrator at a community college, I now work as a systems administrator at a university, I found the computers which had the greatest risk of compromise in open labs was 'porn' rows. These were usually computers sitting away from an instructor in the back of class.
Before software like 'Deep Freeze' my Windows machines, regardless of how tightly I managed the policies, basically the 'porn row' machines were useless.
My Linux and OS X machines have over the last three years at the university have yet to be compromised. I manage them just like I do a Windows machine.
Will I get hit sooner-or-later? The probability exists. Will it be as damaging as java or activex exploits on the Windows boxes. Probably not. OS X and Linux boxes are generally good citizens on the network.
Reply