Watch out for PokerGame trojan

Filed under: Security

Watch out for PokerGame trojan

by Robert Palmer on Jun 20th 2008

In the wake of the ARDAgent vulnerability discovered yesterday, we all have something new to look out for: OSX.Trojan.PokerStealer is the official name of a trojan horse masquerading as a poker game. The trojan is distributed in a 65K .zip archive.

According to security company Intego, running the trojan activates SSH, and transmits the username, password hash, and IP address of the computer to a server. It asks for an administrator's password after displaying a message about a corrupt preference file that needs to be repaired.

As always, please remember to use extreme caution when running applications downloaded from the Internet, or received via email.

Thanks to Rosaline from Intego for the heads-up.

Tags: ardagent, intego, trojan

Reader Comments (Page 1 of 1)

Lhasapso said 4:10PM on 6-20-2008

I think you mixed up the tags and read links. :)

↓↑report

Robert Palmer said 4:19PM on 6-20-2008

Thanks for that -- should be fixed now. :)

↓↑report

KeynoteKen said 4:18PM on 6-20-2008

So, you still need to enter your password before it will do anything? Also, does it work in non-Admin accounts?

↓↑report

Will said 4:39PM on 6-20-2008

It's based on an exploit uses a weakness ins the ARDAgent process to gain root access and run arbitrary code. So no, it doesn't need you to type a password, and yes it can work from non-admin accounts.

↓↑report

KeynoteKen said 4:45PM on 6-20-2008

The story mentioned this "It asks for an administrator's password after displaying a message about a corrupt preference file that needs to be repaired."

I was just wondering why would it do this if it just works without it... but I reckon that's part of making the user think something is broken instead of awry?

↓↑report

Cole Korvin said 5:38PM on 6-20-2008

It is not using the ARDAgent exploit. This is a separate trojan that does ask for you admin password and then uses that. At least according to the link.

However this is the type of trojan that would be a whole lot more dangerous if it did use the ARDAgent exploit. It wouldn't surprise if tomorrow there was a new version.

↓↑report

Derek said 4:19PM on 6-20-2008

Why don't they just find what server it is submitting the info to, then shut that ass down???

↓↑report

RWhitney said 5:57PM on 6-20-2008

I'll send an email to Steve so he can call up god and get this taken care of. : )

↓↑report

Fritz Laurel said 7:44PM on 6-20-2008

Nice of them to post the server it uses so we can all black list it.

↓↑report

Dar the Monk said 9:05PM on 6-20-2008

I've often wondered why people don't just find the server (or authors) and hack it, infecting it with other viruses or mess up the server itself. Is there anyone willing to take their disgust with people who create viruses/trojans and attack their server? After all, I doubt the feds would be to upset over someone taking down a site that is doing malicious things. Its just been a query with me. Or is my idea too much Hollywood?

↓↑report

Dano said 12:04AM on 6-21-2008

It's too 'vigil ante'. Old west law. Prairie justice. And maybe too bad too - I think there are a lot more good guys out here than bad guys. BUT, what about the innocents? Little servers that have been hacked and are being used by the bad guys, but are actually the server for some innocent business or even charity? If the good guys take 'em down, do they have the responsibility for settin' 'em back up? I think that's where the line is drawn...

↓↑report

Fairly said 11:05PM on 6-20-2008

This is good for post-mortems. For software you don't trust.

http://rixstep.com/4/0/tracker/

As for finding the server this trojan sends to: it's probably embedded in the binary. If anybody has the package they can look and post the location of the server. A US ISP would probably shut them down right away.

↓↑report

apeguero said 8:06PM on 6-21-2008

So is this a sign that Apple's market share in the PC world is gaining immensely where stuff like this pop up? Is it time to find an anti-virus software for the Mac (if one even exist)? Or is this a non-story?

↓↑report

McHoffa said 8:07AM on 6-22-2008

And wouldn't Little Snitch stop this from connecting to the server, rendering it completely useless?

↓↑report

Tip of the Day

Holding the Command key (aka the Apple key) and pressing Tab will cycle through your open applications. It's easier to Cmd-Tab if you are Copy (Cmd-C) and Pasting (Cmd-V) to and from various applications.

Learn More

TUAW flickr Pool

www.flickr.com

Advertise with us. (Learn more)

Featured Galleries

TUAW bloggers (30 days)

#	Blogger	Posts	Cmts
1	Steven Sande	40	13
2	Michael Rose	31	28
3	Mel Martin	30	0
4	Mike Schramm	28	1
5	Victor Agreda, Jr.	25	8
6	Erica Sadun	19	2
7	Brett Terpstra	18	11
8	Dave Caolo	17	0
9	Megan Lavey	16	6
10	Robert Palmer	15	6
11	David Winograd	12	0
12	Chris Rawson	12	0
13	Michael Jones	10	0
14	Christina Warren	10	28
15	Tim Wasson	8	0
16	Sang Tang	7	1
17	Casey Johnston	6	0
18	Cory Bohon	6	0
19	Jason Clarke	6	1
20	Mat Lu	4	0

More Apple Analysis

AAPL on BloggingStocks The Apple category feed from BloggingStocks.com
AAPL Quote, News & Summary The AAPL financials page from AOL Money and Finance
iPhone analysis from BloggingStocks iPhone tag feed from BloggingStocks
Macintosh news and reviews on Download Squad The Macintosh category feed from Download Squad

The Unofficial Apple Weblog (TUAW)