Filed under: Security
Watch out for PokerGame trojan
In the wake of the ARDAgent vulnerability discovered yesterday, we all have something new to look out for: OSX.Trojan.PokerStealer is the name security company Intego has given to a trojan horse that masquerades as a poker game. It is distributed as a 65K .zip archive.
According to Intego, the trojan first displays a message claiming that a corrupt preference file needs to be repaired and asks for an administrator's password. With that password it turns on SSH (Remote Login) and transmits the username, password hash, and IP address of the computer to a remote server.
The "PokerGame" application is 159,843 bytes and includes the text "Copyright 2008 Andrew" in its version information (visible with Get Info in the Finder).
As always, please remember to use extreme caution when running applications downloaded from the Internet, or received via email.
Thanks to Rosaline from Intego for the heads-up.
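As an added example (not code from the post, from Intego, or from the trojan itself), here is a small Python triage script for the indicators quoted above. It walks a directory for .app bundles, checks Info.plist for the "Copyright 2008 Andrew" version string and the main executable for the quoted size, and pulls hostnames, IP addresses and URLs out of the executable's printable strings, which is where the server the trojan reports to would most likely be hard-coded (the question the comment thread raises below). Run with no arguments it builds a constructed PokerGame.app in a temporary directory and triages that; the bundle contents, the example.org/example.net names and the 203.0.113.10 address are invented for the demonstration, and the string scan is a rough strings-and-grep that will also match innocuous things like file names.

```python
"""Offline triage of Mac .app bundles against the PokerGame indicators.

Added example; not code from the post, from Intego, or from the trojan.
"""
import os
import plistlib
import re
import sys
import tempfile

# Indicators quoted in the post.
IOC_COPYRIGHT = "Copyright 2008 Andrew"
IOC_EXEC_SIZE = 159_843

# Runs of at least 6 printable ASCII bytes, roughly what `strings` prints.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
# URLs, dotted-quad IPv4 addresses, and dotted hostnames. Deliberately loose:
# file names like "Info.plist" will match too, and that noise is cheap to skim.
_NET_INDICATOR = re.compile(
    r"https?://\S+|\b(?:\d{1,3}\.){3}\d{1,3}\b|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b",
    re.IGNORECASE,
)


def find_bundles(root):
    """Yield .app directories under root without descending into them."""
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            if name.endswith(".app"):
                yield os.path.join(dirpath, name)
                dirnames.remove(name)


def extract_strings(data):
    """Printable ASCII strings in a byte blob."""
    return [m.group().decode("ascii") for m in _PRINTABLE.finditer(data)]


def network_indicators(data):
    """Hostnames, IPs and URLs embedded in a binary's printable strings."""
    found = set()
    for s in extract_strings(data):
        found.update(m.group() for m in _NET_INDICATOR.finditer(s))
    return found


def triage_bundle(app):
    """Compare one bundle against the indicators from the post."""
    with open(os.path.join(app, "Contents", "Info.plist"), "rb") as fp:
        info = plistlib.load(fp)
    # Get Info shows these fields; check all three so a move between them is caught.
    version_text = " ".join(
        str(info.get(k, ""))
        for k in ("CFBundleGetInfoString", "NSHumanReadableCopyright",
                  "CFBundleShortVersionString")
    )
    exe_name = info.get("CFBundleExecutable",
                        os.path.splitext(os.path.basename(app))[0])
    with open(os.path.join(app, "Contents", "MacOS", exe_name), "rb") as fp:
        data = fp.read()
    return {
        "copyright_match": IOC_COPYRIGHT in version_text,
        "size_match": len(data) == IOC_EXEC_SIZE,
        "executable_size": len(data),
        "network_indicators": sorted(network_indicators(data)),
    }


def build_sample_bundle(root):
    """Write a constructed PokerGame.app under root and return its path.

    Everything here is invented for the example except the two indicators
    quoted in the post; the hostnames and address are documentation values.
    """
    app = os.path.join(root, "PokerGame.app")
    macos = os.path.join(app, "Contents", "MacOS")
    os.makedirs(macos)
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fp:
        plistlib.dump({
            "CFBundleExecutable": "PokerGame",
            "CFBundleShortVersionString": "1.0",
            "CFBundleGetInfoString": "PokerGame 1.0, " + IOC_COPYRIGHT,
            "NSHumanReadableCopyright": IOC_COPYRIGHT,
        }, fp)
    embedded = (
        b"\x00A preference file is corrupt and needs to be repaired.\x00"
        b"http://www.example.org/upload.php\x00stats.example.net\x00203.0.113.10\x00"
    )
    with open(os.path.join(macos, "PokerGame"), "wb") as fp:
        fp.write(embedded + b"\x00" * (IOC_EXEC_SIZE - len(embedded)))
    return app


def run_sample():
    """Build the constructed bundle in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_bundle(build_sample_bundle(tmp))


if __name__ == "__main__":
    if len(sys.argv) == 1:
        print(run_sample())
    for root in sys.argv[1:]:
        for app in find_bundles(root):
            try:
                result = triage_bundle(app)
            except (OSError, plistlib.InvalidFileException) as exc:
                print(f"{app}: skipped ({exc})")
                continue
            if result["copyright_match"] or result["size_match"]:
                print(app, result)
```

Point it at a real directory with `python3 triage.py /Applications ~/Downloads`. Both indicators are weak on their own (a recompile changes the size, and a copyright string is one edit away), so treat a hit as a reason to look at the executable's strings, not as a verdict. On a live Mac, the side effect the post describes can be checked directly with `sudo systemsetup -getremotelogin`, which reports whether Remote Login is on.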

Reader Comments (Page 1 of 1)
Lhasapso said 4:10PM on 6-20-2008
I think you mixed up the tags and read links. :)
Reply
Robert Palmer said 4:19PM on 6-20-2008
Thanks for that -- should be fixed now. :)
KeynoteKen said 4:18PM on 6-20-2008
So, you still need to enter your password before it will do anything? Also, does it work in non-Admin accounts?
Reply
Will said 4:39PM on 6-20-2008
It's based on an exploit that uses a weakness in the ARDAgent process to gain root access and run arbitrary code. So no, it doesn't need you to type a password, and yes, it can work from non-admin accounts.
KeynoteKen said 4:45PM on 6-20-2008
The story mentioned this "It asks for an administrator's password after displaying a message about a corrupt preference file that needs to be repaired."
I was just wondering why would it do this if it just works without it... but I reckon that's part of making the user think something is broken instead of awry?
Cole Korvin said 5:38PM on 6-20-2008
It is not using the ARDAgent exploit. This is a separate trojan that does ask for your admin password and then uses that. At least according to the link.
However, this is the type of trojan that would be a whole lot more dangerous if it did use the ARDAgent exploit. It wouldn't surprise me if tomorrow there was a new version.
Derek said 4:19PM on 6-20-2008
Why don't they just find what server it is submitting the info to, then shut that ass down???
Reply
RWhitney said 5:57PM on 6-20-2008
I'll send an email to Steve so he can call up god and get this taken care of. : )
Reply
Fritz Laurel said 7:44PM on 6-20-2008
Nice of them to post the server it uses so we can all black list it.
Reply
Dar the Monk said 9:05PM on 6-20-2008
I've often wondered why people don't just find the server (or authors) and hack it, infecting it with other viruses or messing up the server itself. Is there anyone willing to take their disgust with people who create viruses/trojans and attack their server? After all, I doubt the feds would be too upset over someone taking down a site that is doing malicious things. It's just been a query with me. Or is my idea too much Hollywood?
Reply
Dano said 12:04AM on 6-21-2008
It's too 'vigil ante'. Old west law. Prairie justice. And maybe too bad too - I think there are a lot more good guys out here than bad guys. BUT, what about the innocents? Little servers that have been hacked and are being used by the bad guys, but are actually the server for some innocent business or even charity? If the good guys take 'em down, do they have the responsibility for settin' 'em back up? I think that's where the line is drawn...
Fairly said 11:05PM on 6-20-2008
This is good for post-mortems. For software you don't trust.
http://rixstep.com/4/0/tracker/
As for finding the server this trojan sends to: it's probably embedded in the binary. If anybody has the package they can look and post the location of the server. A US ISP would probably shut them down right away.
Reply
apeguero said 8:06PM on 6-21-2008
So is this a sign that Apple's market share in the PC world is gaining immensely, where stuff like this pops up? Is it time to find anti-virus software for the Mac (if one even exists)? Or is this a non-story?
Reply
McHoffa said 8:07AM on 6-22-2008
And wouldn't Little Snitch stop this from connecting to the server, rendering it completely useless?
Reply