Trojan exploiting unpatched Mac OS X vulnerability in the wild

Summary: The source code of a trojan horse exploiting last week's uncovered local root escalation vulnerability in Mac OS X 10.4 and 10.

TOPICS: Security

The source code of a trojan horse exploiting the local root escalation vulnerability uncovered last week in Mac OS X 10.4 and 10.5 has been released in the wild, allowing malicious attackers to take advantage of the ARDAgent-based trojan in what appears to be a very short vulnerability-to-malware cycle: the trojan template was released on the same day that details of the vulnerability emerged.

Discussion and release of the source code originally took place at the Mac Shadows forums, and the source code is now circulating across many other forums and IRC chat rooms, including several popular ones mainly visited by Chinese script kiddies.

According to an advisory issued by SecureMac last week:

SecureMac has discovered multiple variants of a new Trojan horse in the wild that affects Mac OS X 10.4 and 10.5. The Trojan horse is currently being distributed from a hacker website, where discussion has taken place on distributing the Trojan horse through iChat and Limewire. The source code for the Trojan horse has been distributed, indicating an increased probability of future variants of the Trojan horse.

The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing. The Trojan horse exploits a recently discovered vulnerability with the Apple Remote Desktop Agent, which allows it to run as root.

Compared to this week's reported PokerStealer trojan horse targeting Mac OS X users, which tries to trick them into granting it administrator capabilities, the ARDAgent-based trojan gains those capabilities automatically, unless of course you've already taken care of the issue yourself while waiting for an official fix.
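The interim fix mentioned above boils down to making sure the agent can no longer run with root privileges. As an added illustration (not code from the article, from SecureMac, or from the trojan's author), here is a small POSIX shell audit that reports whether a given binary is still a setuid-root executable and lists every setuid file under a directory, the kind of check an administrator can run before and after applying a workaround. The ARDAgent path is an assumption based on the RemoteManagement location quoted in the comments below, not something the article states; override it with the ARDAGENT_BIN environment variable.

```shell
#!/bin/sh
# Added example: audit setuid-root binaries. Not the article's code.
# The default path is an assumption (override via ARDAGENT_BIN).
ARDAGENT_BIN="${ARDAGENT_BIN:-/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent}"

# has_setuid_bit PATH: return 0 when the file exists and carries the
# setuid bit. The 4th character of the ls mode string is 's' (setuid and
# user-executable) or 'S' (setuid without user-executable). Portable
# across GNU and BSD userlands, unlike the differing stat(1) flags.
has_setuid_bit() {
    [ -e "$1" ] || return 1
    mode=$(ls -ld -- "$1" | cut -c1-10)
    case "$mode" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# owned_by_root PATH: return 0 when the owner uid is 0 (ls -n prints
# numeric ids, so this works without resolving user names).
owned_by_root() {
    [ -e "$1" ] || return 1
    uid=$(ls -ldn -- "$1" | awk '{print $3}')
    [ "$uid" = "0" ]
}

# audit_setuid_root PATH: print a verdict line and return
#   0  setuid-root executable (still runs as root for any local user)
#   1  present but not setuid-root
#   2  file missing (removed or never installed)
audit_setuid_root() {
    if [ ! -e "$1" ]; then
        echo "MISSING      $1"
        return 2
    fi
    if has_setuid_bit "$1" && owned_by_root "$1"; then
        echo "SETUID-ROOT  $1"
        return 0
    fi
    echo "OK           $1"
    return 1
}

# list_setuid_under DIR: print every regular file under DIR with the setuid
# bit set, one per line. -perm -4000 is accepted by both GNU and BSD find.
list_setuid_under() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Stand-alone use: audit the agent binary and show the system-wide picture.
if [ "${1:-}" = "--run" ]; then
    audit_setuid_root "$ARDAGENT_BIN"
    echo "--- setuid files under /System/Library/CoreServices ---"
    list_setuid_under /System/Library/CoreServices
fi
```

Run it as `sh audit.sh --run`; an exit status of 0 from audit_setuid_root means the binary still executes as root for whoever can launch it, which is the precondition the trojan relies on, while 1 or 2 means the workaround (clearing the bit or removing the agent) is in place.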

The author of the trojan, Andrew, even left a copyright notice inside it; however, the source code does not appear to be a one-man operation but the result of a collaborative discussion aiming to add as many modules as possible. Here is what he thinks of OS X security, according to his own statement:

"Apple tells us that OS X is safe and secure and fails to actually confirm that it is so on their own. We are left to experiment and test our own security and too often we discover that we aren't actually as secure as we were led to believe," Andrew said in an e-mail. "When you are seeking information about how to secure your own system, frequently the best sources of that information are hackers, not the vendors."

Going full-disclosure with the idea of shortening the time until the vendor releases a patch, for the sake of closing the "window of opportunity" for malicious abuse of the vulnerability, is one thing; releasing a do-it-yourself trojan template in a vulnerability-to-malware fashion is entirely another.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • Any Software can be exploited

    This is just another situation that proves that any software can be exploited if someone wants to devote the time to do so. So to everyone that thinks that Mac OS is so much more secure than Windows, let this be known: if someone wants to find a hole, a hole will be found, and the more popular Macs get, the more people will look for holes.
  • Root escalation bugs

    are the nastiest ones around. But that being said, these jackasses
    who release this stuff publicly are nothing more than slime. They
    aren't doing it to bring attention to the issue and force a company
    to be responsible, they are doing it to stroke their own pathetic
    little egos and make themselves feel important.

    The practice should be considered criminal, in my opinion with
    fines and possible jail time.
    • I disagree

      Apple has a well known aversion to admitting its security bugs, instead attempting to hide them and, failing that, the cult of Mac attack dogs are released to attempt to discredit the researcher who found the vulnerability.

      Apple has a LONG way to go to earn back the trust of the security community.
      • i agree...

        "Apple has a LONG way to go to earn back the trust of the security community."

        Both MS and Apple need to have better disclosure and relations with security researchers. Both companies' policies suck. Likewise, security researchers need to stop releasing "proof of threat" code to the hacker communities to force patching.

        We'd all be better off if there was better cooperation between these two groups. I understand the tension, but still hope for better cooperation in the future.
        • Eh?

          We didn't release 'proof of threat' code, we released 'proof of concept' code. Granted, we probably should've sent an email to Apple's security team prior to doing so, but this trojan was never put 'into the wild'. It was left as source code on a forum, which some security profiteer found and created the badly misinformed media frenzy you now have before you.

          -- Siph0n
          • which concept? the fact that there is a threat...

            you are going to nitpick semantics now? boring and tiresome. source code in a forum is usually how these snippets of code are released into the wild at first, only later are they turned into kits for the kiddies. how about providing some real information instead of just playing around with the namecalling. if you feel you know more then please educate us with information instead!
      • Apple OSX has a long way....

        to go before there will be the thousands of
        Zombied Macs, such as there are with Windows
        even still today, after MS has more come out with
        uncountable patches. This repeated Mac bashing
        here is so tiresome. It appears that the security
        community is desperately seeking a new market
        for their garbage. It galls them that most Mac
        users don't install their expensive crap, whose
        main function is for slowing down any system to a
        crawl. Even for Windows system, most of the so
        called security software is not worth the electrons
        it takes to load it into memory.

        Please alert me when the equivalent of a Mac
        storm virus appears and manages to infect
        millions of Macs running any flavor of OS X. With
        enough effort, every house can be broken into and
        every safe cracked. So far, Apple has made it much
        more work to break into Macs than Windows. Only
        when, if ever, Windows makes it harder to break
        into than OSX, will there be more than a
        snowball in hell type of chance of a massive
        infection of Macs. The number of each type of
        systems there are out there is only of secondary
  • It is, unfortunately, needed

    Apple has a penchant for ignoring security flaws. I reported a flaw to them that can be used by a blended threat (it in itself couldn't be used in a compromise, but it was a great way to hide things), and it was marked an "enhancement"

    The Safari fiasco also shows that they won't do anything until slammed over the head with it.
    • I Use a Mac Laptop, and THAT Worries Me Too

      Apple needs to be a LOT more proactive with security, b/c while I [i][b]do[/b][/i] believe OSX is inherently more secure than anything Windoze (look at how Vista has to behave like Homeland F$&king Security just to provide a halfway reasonable level of safety for endusers!), that is FAR from saying OSX is now and will always be 100% secure.

      It is especially far from 100% secure now that we've been shown how exploits are possible, and Macs are gaining in popularity thanks to MSFT's arrogance regarding ending XP (for the love of Heaven, they offered Windows 98 for longer after XP came out!)....
      • Inherently safe?

        [i]while I do believe OSX is inherently more secure than anything Windoze[/i]

        How is it [i]inherently[/i] more secure? What do you base that on?
        To me, the public release of this Trojan shows how inherently UNsafe OSX is, based on the knowledge of the general public using it. What I mean by that is that typical Mac users are under the illusion that OSX is immune to malware, so they usually run no protective software besides whatever the OS offers. Therefore, trojans, viruses, etc. would have an easier time getting in once a flaw is found. At least on Windows people are on the lookout for this kind of thing.

        [i]look at how Vista has to behave like Homeland F$&king Security just to provide a halfway reasonable level of safety for end users![/i]

        First off, do you use Vista? Do you actually have first-hand experience on its behavior, or are you just referring to the Apple vs Mac commercials?

        I guess you could be talking about UAC? Sure, it brings in a slight level of inconvenience, but it does make the OS more secure.
        • Thats what is perceived

          Mac owners/users always seem to throw out that Mac OS is "inherently" more secure. There is no real world proof of that because no one gives a crap enough to try and exploit it. That is something that they will never get. Just because you leave your front door open (or car unlocked) and no one robs you doesn't mean you are secure. Just means that they took one look at your house (or car) and said to hell with that POS, it is not worth it.
          • Agreed

            I just get a chuckle every time I read that OSX is inherently safer than Win, and I can't resist the temptation to ask how exactly that works. I expect no answers from the guy.
          • hmmmmm.....really? no one has been able to explain this?

            read up on security in the various OS, BSD is built very securely from the ground up through a number of different ways it was engineered. Does this mean ZERO security risks? NO! Does the fact that any OS has some risk make them all equal risk, ABSOLUTELY NOT! Each OS has its own security strengths and weaknesses, and there isn't a security researcher or hacker on the planet that would consider them all on even par security-wise.

            They are not all equal!

            I'd suggest reading some of the papers written by the various security experts on the subject, they usually explain the difference quite clearly.
    • The Security Fiasco...

      of Safari apparently has not resulted in a number
      of infected Macs that is even worth counting. When
      a real bug comes along that infects thousands of
      Macs and sends their user information to some far
      flung Internet location in a distant land, a
      screaming headline will surely come about that.

      Apple should be very careful though when they
      make programs for Windows, because that
      underlying OS is MUCH more easily compromised
      by application software that is anything less than

      In all of Apple's history, there has never been a
      single instance of an infected Mac, that got that
      way by simply being connected to the Internet.
      After all these years, Microsoft has finally been
      able to mostly close that particular kind of hole in
  • RE: Trojan exploiting unpatched Mac OS X vulnerability in the wild

    "releasing a do-it-yourself trojan template in a
    vulnerability-to-malware fashion is entirely another"

    ARDAgent's ability to execute 'do shell script' as root was
    released by Apple, Inc.

    It is all that is required.

    The "trojan template" isn't actually necessary and is
    therefore irrelevant, no matter how many clicks it may
    bring to your website and its advertisers.

    Apple made it possible for anyone to issue commands as
    root which does not require the posted source code in any
    way. Very simple commands from either Apple's own
    AppleScript Script Editor, or from its Terminal, or from
    within any simple or complex program are all that is
  • Where's the beef?!

    For a trojan to run, the user has to stupidly run software
    from an untrusted source.

    A trojan is not a virus.

    There are thousands of Windows viruses created everyday.

    There is not one Mac OS X virus. Not one.
    • Does it really matter?

      You get pwned, you're still PWNED. Don't matter if it's Windows, OSX or Linux. You still got problems.
    • That's why it's called a trojan!

      But I fail to see how that's relevant. Researchers (and presumably criminals) are just starting to look at OS X.

      What's more, this is pretty much how the original attacks on Windows went as well. Almost all of them required the user to open a file or execute a program.

      Maybe things have changed, but I believe that most attacks on Windows are Trojans. For the most part, people don't differentiate between Trojans, Worms and Viruses. At this point, it's frequently just called Malware.

      Bottom line is OS X is not safe. It never was, and It amazes me that people are still arguing it is, even though almost every month the attacks appear to be more sophisticated and sinister.

      That this can attack the Mac without the user escalating privileges is very serious....and frankly, if this was an attack on Windows, you'd likely be talking about how bad Windows is and how much Vista's new [i]insecurity[/i] model sux.

      Is it the end of the world? No. More than likely, if Mac users practice safe computing, their system will never be compromised, but when you think you're invincible, there's no reason to practice safe computing.

      It won't be as bad as the late 90's attacks. There's simply not enough Macs to matter; this is especially true within businesses, but as the Mac's market share grows, so will the attacks. Still, there's reason to be cheery: while Apple's share is way up in the U.S., it's still less than 2 or 3 percent in the world.
      • Merely Connecting a PC to the Internet...

        was enough to get it infected with a virus. That
        was never the case with OS X in all of its history.
        Only with the appearance of VISTA as Microsoft
        finally closed this method of attack, at least as far
        as we can tell.

        Mac users get several warnings concerning stuff
        downloaded from the Internet that may contain
        malware. There is no way any operating system
        can protect a computer, if a user deliberately
        decides to run a program, whether such a program
        is good or evil. No malware detection system can
        determine the function of any program it has
        never encountered before. Even then, the pattern
        matching systems currently used don't always work
        on existing malware.

        The argument about how many Macs there are is
        empty. What matters, which OS is easier to
        compromise. On that, Windows wins hands down.
        The fact that there are fewer Macs would not
        matter much, if Macs were much easier to break
        into than Windows.
  • Pretty Vague Threat...

    When configured correctly, ARD does give remote access to virtually
    all of the Mac OS; however, I am not sure I understand how this
    threatens a standard Mac OS install. As a trojan horse it has to
    pose as something else to get superuser access. No application can
    make system-wide changes without explicitly requesting a
    superuser password (and username if the current user is not a

    Essentially, unless a user (with superuser status) is really careless,
    deliberately downloads the trojan and willy-nilly gives out his/her
    superuser name and password any time they are requested, I
    cannot see how this could constitute a significant threat. If there is
    a way to bypass superuser permissions, that would constitute a real

    For those who are curious, the shell command to kickstart ARD and
    grant full access to all local users is:

    sudo /System/Library/CoreServices/RemoteManagement/
    Contents/Resources/kickstart -activate -configure -access -on -
    privs -all -restart -agent

    I suppose you could also modify the /etc/hostconfig file and modify
    system settings that would require a restart to enable, but, again,
    you can't do this without explicitly providing a superuser name and