Rare Mac Trojan exploits Apple vuln

A rare Mac OS X Trojan has been spotted on the internet. The AppleScript-THT Trojan horse exploits a vulnerability within the Apple Remote Desktop Agent to load itself with root privileges onto compromised Mac machines. The malware, which is capable of infecting Mac OS X 10.4 and 10.5 boxes, surrenders control of compromised …

COMMENTS

  1. This post has been deleted by its author

  2. Anonymous Coward
    Anonymous Coward

    Ooooo, just as wimbledon starts

    Time to sit back and watch the Mactards vs the Vista Wristers in our OS is safer than your OS slug fest.

  3. arran
    Jobs Horns

    still

    have to download and install it though, less of a trojan and more of an exploit of un intelligent people methinks

    mines the hat with the big "D" on it

  4. This post has been deleted by its author

  5. Anonymous Coward
    Anonymous Coward

    @arran

    Isn't that the definition of a trojan. Here, look somebody made a nice big wooden horse for us.

  6. Paul Buxton

    @arran

    "less of a trojan and more of an exploit of un intelligent people methinks"

    Well they chose their target audience carefully then. ;)

  7. Omer Ozen
    Go

    A new Trojan found for OS X ver. 10.x

    No, really. I know a new trojan called MS XP spotted in the wild and if you chose to install it to your mac, it turns OS X to XP.

    Currently this version of the trojan comes on a CD.

  8. greg

    Correct me if I'm wrong please

    But if you download and install something, on any OS, can't it be giving control anyway, no matter what OS ?

    On the other side, if you're not totally stupid and have a Mac 10.5 and bought an external harddrive and use time machine correctly, you can go back to your prior-to-the-trojan-stupid-install in 30 mins, maybe less ?

    I mean, very easily, without being a computer genius, which is important since it's the computer illiterate who are likely to be hit by such an install...

  9. Art Vanderlay

    Big news

    All systems are vulnerable if you have to download, install, and have to give your admin password surely.

    Try this in a terminal window:

    sudo rm -rf /

  10. Chris Haynes
    Boffin

    It always ceases to amaze me

    When the blended vuln in Safari and IE on Windows was discovered, Microsoft's recommendation was for users to not use Safari. A better workaround was to change your default downloads directory. Problem gone. Simple solution.

    El Reg hasn't posted any of the many workarounds available for the ARD problem. TUAW has a few solutions here: http://www.tuaw.com/2008/06/19/ardagent-setuid-allows-root-access-but-theres-an-easy-fix/

    I'd guess an awful lot of people out there don't need to be managed by an admin, so can safely stop this problem in its tracks until Apple release a fix.

    No one is reporting the solution though, only the problem.

  11. Phil Arundell
    Thumb Down

    Didn't take long

    As soon as I read about the idiotic decision to have the SUID bit set on the Apple Remote Desktop Agent, it was obvious there would be an exploit for it. This is a massive security hole in OS X and there's not really any way of defending it: A simple shell script can gain root privileges not by exploiting buffer overruns, etc but almost by design!

    The Apple Remote Desktop Agent is scriptable and runs all scripts passed to it as root because of the SUID bit: this really is security 101 stuff and it makes you wonder how many other holes exist under the hood of OS X

    You can protect yourself from this by unsetting the SUID bit, but if you subsequently run permissions repair on the disk, OS X will "helpfully" put it back for you...

    Microsoft have had a lot of (justified) stick for security issues in various versions of Windows, but this is probably the worst security issue I've seen in years, simply because someone has made a conscious decision to set up the remote desktop agent in that way

    Finally, a few comments on here have tried to defend it by saying it has to be installed by the user: That is the definition of a trojan, and the big difference with this over earlier "trojans" is that the root escalation means it can do what it wants without triggering the secondary authentication that has kept other malware from freely doing what it wants on a Mac.

    This will probably hit Macs hard because many Mac users are lax about running downloaded apps because they expect the OS to protect them, and have no additional malware protection on the machine.

    And before I get flamed by Mac users trying to defend this, I am a Mac user myself and, as I said at the start, this is simply indefensible

  12. heystoopid
    Linux

    As

    As Nelson would say Ha ! Ha!

  13. amanfromMars Silver badge
    Alien

    Open Secrets .... FailSafe Security .... ZerodDay Vulnerability ..... Source?

    "have to download and install it though, less of a trojan and more of an exploit of un intelligent people methinks

    mines the hat with the big "D" on it" .... By arran Posted Monday 23rd June 2008 10:21 GMT

    Not for Hyper Virtualisation you don't. You just follow your Intelligence and click on Advanced IntelAIgently Designed Gifts Hosted on the Internet Networking InterNetworking for ITs Supporters and Drivers.

    Simple Sophisticated Push IT Technology...... for HyperRadioProActive Interactive Matches Made in Heaven ........ for A.N.Other Byte of the Big Apple Apple, Apple?

    cc. Steve Jobs and the Other Steve ?

  14. Anonymous Coward
    Paris Hilton

    Experiment

    I wonder how many people would install an executable called "If_you_install_me_hackers_will_have_full_access_to_your_computer"?

    I have a feeling there'd be loads.

  15. Anonymous Coward
    Boffin

    The pc (political correct) term

    @arran:

    "more of an exploit of un intelligent people methinks"

    I think they prefer to be called "users" nowadays.

  16. Xander

    Actually....

    "have to download and install it though, less of a trojan and more of an exploit of un intelligent people methinks

    mines the hat with the big "D" on it"

    Not quite true..... it IS a TROJAN as the idea behind a trojan is to pretend or actually deliver software (free or otherwise) but also has another more nefarious purpose behind it....

    i think you probably meant to say.... less of a virus and more of a trojan!

  17. RainForestGuppy
    Thumb Up

    Arran

    The legend of the trojan horse says that the Greeks hid in the horse and the Trojans pulled it into the City.

    The whole point of a trojan is that it is something you bring into your own environment.

  18. Michael
    Black Helicopters

    Once Again, Don't give it your password

    If I am not mistaken, you need to give your admin password for the installation to occur. Now... I have a hard time calling these "trojans" and more definitely they are not viruses. This is strictly a "malicious program" and NO platform is safe from such cases.

  19. Anonymous Coward
    Coat

    i don't believe it

    i think someone has made a mistake here, our god would not do this to us, this is a windows problem surely!

  20. Anonymous Coward
    Anonymous Coward

    @ James Greenhalgh

    "Linux Wouldn't have this Problem" - why? Surely executing a downloaded application after the user has been asked "are you REALLY sure?" is a problem for all operating systems. PEBKAC - Problem Exists Between Keyboard And Chair.

  21. jubtastic1
    Unhappy

    More details from A mac IT Nerd.

    I stumbled across a forum (shadowmac I think), where the participants were cobbling this together while I was googling failure conditions on the ARD exploit.

    Social engineering is needed to get the Trojan downloaded and for first run on the target computer, in this case the run part is handled by a fake applescript warning concerning broken pref panes with a 'should I repair?' style pop up at login/app run.

    Uses the recent ARD exploit to gain root access to box and enable services, swiss cheese the firewall etc, does not require user to enter any password.

    Full exploit will only work if:

    User that activates it is logged into GUI *AND* ARD has not been set up.

    So simply turn Apple Remote Desktop on and set access privileges for a user in the sharing prefs to disable the exploit.

    Hopefully there will be a patch for this rather embarrassing vulnerability shortly.

  22. Chris Richards
    Pirate

    @Art Vanderlay

    quote:"All systems are vulnerable if you have to download, install, and have to give your admin password surely.

    Try this in a terminal window:

    sudo rm -rf /

    "

    I really hope someone having a Monday morning brainlapse didn't try that.

  23. Jordan

    "Not a Real Virus" I love it!

    Seriously? Are you kidding?

    I love it when people say "Oh, well... you need to run it as a program so - there, not a virus" the same holds true for trojans on Windows too you know.

    It attaches to an illegal program downloaded through Limewire and is run when they think they are running the cracker, or it's sent from one person to another by iChat with the promise of "There are pictures in that .exe" or whatever the apple variant of an executable is.

    This is a Virus, this is a threat, and honestly Apple needs to quit the mud-slinging - their OS is just as vulnerable as Windows - it's just Windows is more popular - but there are still programmers and script kitties are still out there with Macs, perhaps a bit spiteful, who are more than willing to take down their system.

  24. WT

    So what happens if you don't have the Apple Remote Desktop software installed?

    last time I checked this software was a separately sold, 299 USD from Apple.

  25. Thomas

    "Once Again, Don't give it your password "

    From the article and from what Phil Arundell says, it sounds like you install the script and the script requests some actions from the Remote Desktop Agent. The harmful acts are performed by the desktop agent, so that's the program you would need to change permissions to. Conversely, you could easily execute the script from anywhere without giving it your password.

    So, a real security threat but one that's easy to avoid. As an OS X user, I'm hoping that we see more of these in the short term, so that Apple are forced to start being a bit more sensible about security, rather than claiming that if the kernel and most of the core libraries are secure then the OS must be.

  26. paul
    Joke

    @WT

    So what happens if you don't have the Apple Remote Desktop software installed?

    last time I checked this software was a separately sold, 299 USD from Apple.

    I thought all proper mac men bought anything that Steve Jobs makes even if they have no use for it

  27. David
    Happy

    sudo rm -rf /

    I tried this but it did not work !!

    C:\WINNT>sudo rm -rf /

    'sudo' is not recognized as an internal or external command,

    operable program or batch file.

    What gives.

    :-p

  28. Steven Hunter
    Jobs Halo

    @WT + Paul

    The ARD *client* is installed on all Macs. You can enable it in the Sharing Preference panel. But that usually doesn't do any good if you don't have a copy of the management tool (which is the $300 software mentioned).

    Ironically, *enabling* ARD actually kills this vulnerability. You can also just do a "sudo chmod -R 000 /System/Library/CoreServices/RemoteManagement/ARDAgent.app " to disable it (this might be undone by Disk Utility if you run a permissions repair, didn't check).

  29. Shinku
    Alert

    Not real, eh?

    I'm seeing people trying to describe this as something other than the article did, I can only imagine in some vain attempt to save face after years of laughing at Windows users. Let me just fix that for you...

    Firstly, if this isn't a real trojan then a very large amount of the malware you constantly poke fun at on the Windows platform isn't real either. Of course, at the end of the day, malicious software really is just software that does things you'd rather it didn't while the guy who wrote it is sitting there rubbing his hands together with glee. Works the same on every platform, and if it gains root/admin/system privileges without asking you then it's a problem, regardless of what you wanna call it.

    Secondly, I see people mentioning easy fixes. There are easy fixes for holes on other platforms too but that's sod all use to Joe Bloggs at No. 91 who just got his first computer 3 months ago and has absolutely no clue that computer security even exists, let alone that he has to worry about it himself. It's all very well knowing that if you turn off ARD then you're probably fine but that doesn't help all the other Apple users...

    Finally, it doesn't really matter whether this is "real" or not, or whether you're in denial about using an OS that's a lot more vulnerable than you like to believe. At the end of the day, this is a security risk. It doesn't matter whether you want to believe it, which other platforms have more malware, how intelligent users supposedly are or how much you claim to know about your precious li'l Mac. If you wanna sit there cuddling your Jobs dolls that's fine by me, but when something comes along that you should be paying attention to, get your heads out of the god damn sandbox!

    Yeah, I'm a Windows user. Oh, I use Linux too. OSX too, occasionally. OS8/9 once or twice, AmigaOS, RISCOS, FreeBSD... Well, you get the idea, I'm about as OS agnostic as you can possibly be, so no calling me a fanboy (that'd be somewhat hypocritical). Eep... Uberpost, I'm done here I think...

  30. frymaster

    What is true for all main OSs (in desktop user form anyway)...

    ... is that once an attacker gets ordinary user level access, it's pretty much game over. Just about all of the linux vulnerabilities are local privilege escalation issues; no idea about windows (I don't get emails about them, I just install them every month) but I assume it's pretty much the same. And although this is a particularly large and easy hole to exploit, I bet there's more subtle ones in OSX as well.

    The lesson from that pwn to own competition (no machine could be hacked just by having network access; all of them could be hacked* by exploiting a flash vulnerability) is that your vulnerability is linked directly into what you do with your system. If you're a desktop user, then things like that flash vulnerability have the potential to catch out ANY user on ANY system, without needing to click anything. On a server, the services you run and how well they're used (how exploitable is your dynamic website?) determine your vulnerability.

    Yes, you can customise your system to be more resistant to local-user attacks (especially if you run a multi-user system) but, pretty much, if someone gets local access it's game over.

    The one thing that doesn't affect your vulnerability is OS, especially on servers. On desktops, of _course_ most people concentrate on the OS with the market share, but just coz the threat is lower doesn't affect your vulnerability.

  31. Law
    Linux

    yey - my first OSX headline freakout

    Congrats El-Reg - you are my first headline scare as an osx user!! :) That is, until I read the body of the story and decided I didn't need to worry just yet.

    Neither a mactard, or a winwhore - just liked the laptop more than the alienware stuff! :)

    Don't hate the player, hate the game.

    Tux - because tonight I'm gonna see what the fuss about Suse 11 was last week

  32. Anonymous Coward
    Gates Horns

    sudo rm -rf /

    Hmmm.... didn't work for me :~) due to my OS is smarter than me!

  33. Anonymous Coward
    Anonymous Coward

    Calm down calm down

    A simple fix is to remove SetUID from the ARDAgent executable, viz-

    sudo chmod -s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

    To undo this, simply repair permissions on your machine.
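
    A defender's check for the chmod -s fix in this post and for the SUID explanation in Phil Arundell's post (11), added here as an example that is not code from the thread: it reports the setuid state of the ARDAgent path quoted above, strips the bit the way the post does, and exercises that logic on a constructed fixture file so it runs on any Unix without touching the real agent. It assumes a POSIX sh with find, chmod and mktemp available.

```shell
#!/bin/sh
# Added example, not code from the thread: check whether a binary carries
# the setuid bit, strip it as the post above does (chmod -s), and verify
# the result. Re-running the check after a "repair permissions" is the
# point, since the thread notes that repair restores the bit on ARDAgent.

# Path of the ARDAgent binary as quoted in the thread.
ARDAGENT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# setuid_status FILE -> prints "setuid", "clear" or "missing".
# find -perm -4000 matches when the setuid bit is among the mode bits and
# behaves the same under GNU and BSD find, unlike stat(1)'s differing flags.
setuid_status() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo missing
    elif [ -n "$(find "$f" -maxdepth 0 -perm -4000 2>/dev/null)" ]; then
        echo setuid
    else
        echo clear
    fi
}

# strip_setuid FILE -> clears the setuid bit (the thread's chmod -s, written
# as u-s so an unrelated setgid bit is left alone) and confirms it is gone.
# Returns 0 on success, 1 otherwise. The real ARDAgent needs sudo for this.
strip_setuid() {
    f="$1"
    chmod u-s "$f" 2>/dev/null || return 1
    [ "$(setuid_status "$f")" = clear ]
}

# Demonstration: the real path is only read; the chmod runs against a
# constructed fixture in a temp dir that mimics a stock 4755 ARDAgent.
demo() {
    echo "real ARDAgent: $(setuid_status "$ARDAGENT")"
    tmp=$(mktemp -d) || return 1
    fixture="$tmp/ARDAgent"
    printf '#!/bin/sh\nexit 0\n' > "$fixture"
    chmod 4755 "$fixture"   # constructed: rwxr-xr-x plus setuid
    echo "fixture before: $(setuid_status "$fixture")"
    strip_setuid "$fixture" && echo "fixture after: $(setuid_status "$fixture")"
    rm -rf "$tmp"
}

demo
```

    On a real Mac, `setuid_status "$ARDAGENT"` in a cron job is enough to notice the bit coming back after a permissions repair.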

  34. Ty
    Jobs Halo

    OMG

    Some posts here are unbelievable.

    A Virus has to REPLICATE YOU MORONS!!!!

    This is the problem when Joe Public picks up a PC from PC World and suddenly thinks they are an expert - you get posts like a lot above. How embarrassing.

    There are ZERO viruses for Mac OS X in 7 years and counting.

    You poor windoze zealots are in for a rough ride the next decade - and Apple is gonna chew you up and spit you out.

    Anyone dumb enough TO OPEN AND RUN something they DL online from a dodgy site deserves all they get.

    This is a non-story from a "security company" trying to garner sales from recent PC to Mac switchers who are yet to get over the constant fear they are used to while running a crud system.

    How sad.

  35. Mr B
    Dead Vulture

    El-Reg = Scaremonger.

    So the stuff you need to download and wilfully execute may exploit a vulnerability to gain root access.

    Privilege Escalation != Trojan ... it's a start but a wee bit of work is still needed.

  36. John

    @ mods

    You really shouldn't have let this slip through:

    "Big news

    By Art Vanderlay"

    It could really ruin someone's day if they accidentally ran it (not everyone who reads the register comments is a techy).

  37. jai
    Joke

    Lister FTW

    So all of a sudden they wake up one mornin' and the Greeks have gone. And there outside the city walls they've left this gift; this tribute to their valiant foes: a huge wooden horse, just large enough to happily contain 500 Greeks in full battle dress and still leave adequate room for toilet facilities? Are you telling me not one Trojan goes, "Hang on a minute, that's a bit of a funny prezzy. What's wrong with a couple hundred pairs of socks and some aftershave?" No, they don't -- they just wheel it in and all decide to go for an early night! People that stupid deserve to be kerpowed, zapped and kersplatted in their beds! You know what the big joke is? From this particular phase in history we derive the phrase, "Beware of Greeks bearing gifts," when it would be much more logical to derive the phrase, "Beware of Trojans, they're complete smegheads!"

  38. Mathew White

    3.1Mb !

    What happened to writing exploits as a beautiful 20Kb of byte code?

  39. Gilbert Wham

    Wait, what?

    299 bucks for a remote desktop? For realz? Jesus. Does it come with a voucher for a free lapdance or something?

  40. Brian Whittle
    Gates Halo

    User=idiot ? (maybe)

    I mostly do home support and I was thinking that with the use of vista on Windows boxes there would be much less crap on the PCs I dealt with, but I was underestimating the stupidity of most users. With macs it will be just the same if not worse, after all macs don't get viruses apparently.

    A totally secure PC (and I am including macs and Linux here as they are PCs too) is one that's switched off

  41. Anonymous Coward
    Jobs Halo

    La La La, I Can't Hear You

    I have my iPhone on full volume listening to the word of Steve while surfing blasé on my MacBook Air.

    Your Trojans cannot harm us, our MacBooks are like shields of steel. Anyway if I hold my Air at the right angle the Trojan will just pass over its sleek and aerodynamic body.

    Steve is the light, Steve is the way. All hail Steve!

  42. Michael C

    Infection process

    OK, I just e-mailed a compiled script to my father's mac to see what process he had to go through to even get it on his machine.

    First of all, his e-mail account blocked the attachment, so we had to tweak his settings to allow the attachment to come through at all, without resorting to compressing it and hiding it inside another file format, which would have added an additional user required step.

    Once I managed to get an e-mail in his inbox containing the attachment, he couldn't just run it. The Mac made him save it to a file first, and bitched about the message containing an active program, prompting a warning.

    Then, running the batch, per the notes online, actually runs an installer, which prompts for a keychain password... Well, most folks in a company that use ARD have administrative rights in place to prevent application installs, and user accounts typically don't have admin permissions in the keychain anyway.

    I'm sure there are a select few idiots who may have allowed this exploit to actually get on their machine. People in firms with clueless admins who have both a lack of knowledge and a wealth of money (ARD isn't cheap, and the need for a mac server to run it on doesn't make it any easier), are the only targets for this attack. I don't call this a virus or a trojan, I call this due reward for stupidity, aka natural selection. If you're both too inept to stop it, and gullible enough to follow through with it, you DESERVE to be hacked. (I'd prefer you to not be permitted online in the first place!)

    Even my father, who I had to walk through printing his address book last week, knows enough to never download a file, even from someone he knows, unless he's expecting to get it for some reason, and then any file that asks for a keychain password is something to question a second time...

    When they come out with a virus that can infect a mac that is in a standard state (root not enabled, firewall on, etc) without any user action, then we'll call it insecure. Mac users fall to social hacking just as easily as anyone else, but phishing attacks and other social tricks aside, there's no real way to infect a mac that has yet been discovered. (unlike a PC, where simply connecting to the net is enough).

  43. Steve Mann

    Camera Activated?

    This is FUD. Young female iBook owners should continue to blog topless as God intended, though most of them should sit about six inches further from the screen for health purposes.

  44. suc
    Go

    every OS has virus: Linux and Mac users are not immune

    A virus is just a piece of code running into the system in order to perform malicious activities, so every operating system would have a virus because in every OS you have executables, programs and processes. For this reason Linux and Mac users are NOT immune to virus.

  45. Thomas

    @Shinku, etc

    You should be more clear about who you're addressing. Until you admit that you use OS X yourself (albeit occasionally), your post reads like you're tarring all Apple users with the fanboy brush. Though your points are valid, I wouldn't suggest a career in diplomacy.

    To others:

    You may believe the conclusion, and it may even be true, but this news alone is not enough to prove that OS X and Windows are of equivalent security. Possibly you're intending to rely on the argument that a system is either secure or it isn't and that any idea of a spectrum in between is an illusion. If so, maybe you should actually say that rather than leaving it implicit?

  46. amanfromMars Silver badge
    Pirate

    A Life of Brian

    "A totally secure PC (and I am including macs and Linux here as they are PCs too) is one that's switched off" .... By Brian Whittle Posted Monday 23rd June 2008 14:14 GMT

    Another field of perception that may be misinformed, Mr Whittle.

    And the Jolly Roger because IT is Potent Magic. Changed Perceptions Equals Changed Times is Time Machine Twittering .... IDolLed Gossip .... HyperRadioProActive Chatter.

  47. Anonymous Coward
    Alert

    At least its not as dangerous as the average IT guy

    "IT staff are main threat for data leaks, study finds"

    at

    http://tinyurl.com/645msb

  48. Christopher Martin

    Why would you particularly care to root a Macintosh?

    I'm sure the vast majority of the machines in question are personal desktops with one or two user accounts. I'm no hacker, but it seems to me that anything you would want to exploit - sending of spam, grabbing of keystrokes - could be done almost as easily in userspace, without needing to sudo at all.

    So... while I do understand, on principle, why you don't want the sanctity of your root violated - If I owned a shiny white box, I'm not sure I could force myself to give two craps that it has a root vuln which requires me to execute it myself.

  49. Tom
    Jobs Horns

    Give it up

    Mactards are tools. Give it up! You're seeing the tip of an iceberg here. If more people are fooled into buying style over substance.. meaning MACs, then you'll unfortunately see the market share go up... and guess what will go up with that? VIRUSES! Overpriced junk I say... IPoops, Ismacks... forgetaboutit. Cut your hair, graduate college/H.S. and buy something else. A computer company is not a culture or movement... it's marketing to people with empty lives who suck it up like empty promises on an election campaign.

    BTW the movie was 1984.. not 1974. unless that was the joke.

  50. Anonymous Coward
    Flame

    No password required

    I would like to point out to the fanboys that in the case of this exploit, no, you do not have to input your admin password and nor will you be asked for it. The ARD agent is taking an applescript request from a non-privileged user and executing it as ROOT.

    If you couple this with say, a drive by browser exploit, then you have a *serious* problem.

    I was able to get the exploit to work remotely on my Macs but only with known credentials for a user on the remote machine and of course events must be enabled (not default behaviour), but it is potentially remotely exploitable.

  51. Dana W
    Happy

    So Webster Is calling himself Tom now?

    "users need to download and open the Trojan horse before they become infected.'

    Damn, and if I had Windows it would get infected automatically! Stupid Mac!

    If you are dumb enough to install and give a password to a program you got off Limewire, or some stupid porn site you DESERVE a Virus.

    So what you are telling me is I have to manually download, install, and give my password to this terrible sneaky trojan, real stealth. This isn't a virus, it's an intelligence test. Pity you don't spend more time on the crap you can get in Windows by simply leaving active X on.

    Least my bad 'ol "style over substance" Mac does not get owned just by web browsing. I'll just stay a "Mactard" thanks.

  52. Temp

    @ Michael C

    >> When they come out with a virus that can infect a mac that is in a standard state (root not enabled, firewall on, etc) without any user action

    By default, the firewall is *off*, and although there's no root user per se, the default user is a member of group admin, meaning they have sudo access to everything.

    Sure, it's not a "real virus", or, indeed, much of any sort of real news. It is, however, a "real threat" - it's a very basic privilege escalation hole, which is step 1 to a trojan. Combined with some of the more pervasive "hackable" bits of OSX like input managers, it could become a step further towards a "real virus".

    It's far from trivial. I say this as a mac user since 1987.

  53. Robin
    Paris Hilton

    Box?

    Can everyone stop saying "box" instead of "computer" please? As a weasely term to mean a server it's one thing, but laptops and such aren't really that box-like. Admittedly my 'box' from Apple probably does have a big security flaw, in that it has a big flappy hole at the top where I got the computer out.

    I might start referring to my car as a 'shell' or something.

    Rant ends. Thank you for your patience.

    (Paris, cos ... well ...)

  54. DJ

    Hardly original

    "There is no patch for stupidity."

  55. Alexis Vallance
    Black Helicopters

    You guys have forgotten what a real virus is

    Ah, the 6 monthly "Exploit for OS X found!" story.

    Then the usual crap:

    • "Market share is going up, so that's why these things are appearing!"

    • "OS X is no more secure than Windows, it's just market share"

    • "See - Apple don't take security seriously"

    You people want to see what a REAL security risk is like - install Windows XP with no services packs and go onto Google. Sit back and wait. Before you can even get to the Microsoft site to download SP2 or get hold of AVG Free, your machine will be brought to its knees.

    OS X is not 100% secure, but it IS the operating system least likely to run into security problems in every day use. No question.

  56. Anonymous Coward
    Flame

    Re:You guys have forgotten what a real virus is

    @Alexis Vallance

    Install Windows XP with no 'services' (sic) packs (i.e. a CD from 2002)

    Step 1: TURN ON BUILT IN FIREWALL

    Step 2: Connect to Internet / Turn on automatic updates / Patch machine / whatever you like.

    Is that really so difficult?

    Now for bonus points, explain how this makes the OSX ARD root exploit any less potent please?

  57. J
    Alert

    Oh, my...

    The readership used to be more knowledgeable around here...

    "A virus is just a piece of code running into the system in order to perform malicious activities"

    Bad, bad definitions... Back to school with you. Hint: all computer viruses are malware, but not all malware are viruses.

    Too many people here sound like they have no clue about what a virus is defined as, what a Trojan horse is, etc. Gee, I'm not even an IT guy and I have read the olden documents discussing these things, back in the dark ages of the 1990's...

    "BTW the movie was 1984.. not 1974. unless that was the joke."

    Duh... and you forgot to correct the rest of the joke, BTW.

  58. Anonymous Coward
    Anonymous Coward

    @ Shinku: Cuddling your Jobs dolls

    I prefer to *fondle* my Jobs dolls, thank you very much. :)

    - Mac user since 1994, but none of that Oh-Eh-Sex stuff fer me, no thanks... and oh, actually, my Jobs doll has had some pins stuck in it for the last few years... doesn't seem to be working very well though... I'll have to brush up on my voodoo skills. ;)

    Oh hey, anyway (seriously now), what you wrote, Shinku, was pretty good IMO.

  59. Robbie
    Alert

    @ - James Greenhalgh

    its 1984.....

  60. Bounty
    Flame

    shhhhh, read this

    http://blog.washingtonpost.com/securityfix/2008/06/new_trojan_leverages_unpatched.html?nav=rss_blog

    So the hackers on the site were discussing self replication via P2P and instant messaging (probably random file names, or stupid stuff like funny_cartoon.app) and it runs as root w/o asking for password. Yeah, that's a virus.

    http://en.wikipedia.org/wiki/Computer_virus (Yeah, I link to Wikipedia, get over it.)

    And for anyone who doesn't know anything (about mac viruses.)

    http://www.viruslist.com/en/analysis?pubid=191968025

  61. Charles Manning

    Here's a Linux/Mac Trojan

    #!/bin/bash

    sudo rm -rf /

    Once you run any untrusted software with admin privs you're open to problems.

  62. Anonymous Coward
    Joke

    A tar-oil winter wash...

    ...will stop you getting worms in your apples.

  63. Clinton

    Definition of a Trojan

    "have to download and install it though, less of a trojan and more of an exploit of un intelligent people methinks"

    A trojan is an exploit that is disguised as something you want. You have to run it for it to be installed. So it's a trojan.

  64. Ted
    Happy

    Another huge YAWN...

    A Mac user has to jump though a lot of hoops to make this "Trojan" work.

    Why does anyone even try? OSX is the most secure OS in common use for a reason, and this is further proof.

    Still no Viruses for OSX in 20 years, too funny!

  65. Kanhef
    Happy

    the creators

    This was written on the MacShadows forum: http://www.macshadows.com/forums/index.php?showtopic=8640

    (seems to be down at the moment, google might have it cached). They just about laughed their asses off at the media reaction. The version the A/V crowd found is actually one of the badly-written ones.

    I wonder what happened to Webster. Maybe he finally drowned in his own bile.

  66. This post has been deleted by its author

  67. Philip
    Thumb Down

    Move along, folks...

    That MacScan guy will say anything to promote his Not-NeededWare™ He's well known for it.

  68. Rab S
    Flame

    trojan def

    "A program that appears legitimate, but performs some illicit activity when it is run"

    Walks like a duck, quacks like a duck... it's a fucking duck and this is a fucking trojan...

    But what the hey, it's on a MAC so it's probably defined as myth, as everybody knows MAC users don't have to worry about this stuff...

  69. Rab S
    Flame

    @Ted

    Still no Viruses for OSX in 20 years, too funny!

    Yeah, since it's only been out since 2001... Hmmm, anti mac troll, unfunny joke or fecking clueless mac user... it's so hard to tell...

  70. Anonymous Coward
    Flame

    Re: Another huge YAWN...

    "A Mac user has to jump though a lot of hoops to make this "Trojan" work."

    "Still no Viruses for OSX in 20 years, too funny!"

    Where to start. Firstly, putting quotation marks around the word trojan doesn't change the fact it's a ****ING TROJAN.

    Secondly, desktop OSX has only been around since 2001 so there goes your '20 years' claim.

    If however you want to go with viruses for 20 years of Mac OS, there were plenty:

    http://search.mcafee.com/search?q=mac&site=us_site.Virus

    And for OSX an example:

    http://antivirus.about.com/od/macintoshresource/p/oompa.htm

    Still people claiming the Mac has "never" had a virus. Too funny.

  71. Kanhef
    Thumb Up

    @Bounty

    That's one of the better articles I've seen. The guy who started the thread was a script kiddie who had no idea how to write code. He stopped posting a couple of pages in.

    "I love how people are 'Oh its nothing' and some are 'Oh MY God, its the Mac death bringer quick buy MacSCan2.200 so that the attackers will just change the MO and your money will be wasted'"

    ( http://64.233.169.104/search?q=cache:1YyF9Bmu5IEJ:www.macshadows.com/forums/index.php%3Fshowtopic%3D8640%26st%3D480 )

  72. Ted
    Happy

    @ anonymous

    OSX is just NeXTSTEP version 8.0, it's the SAME OS that has been around since 1988.

    Yes, the Classic MacOS had around 60 viruses, but none caused any data loss. Most just would make the machine crash, or the famous WDEF that would simply attach itself to files, boring...

    And no, oompa was never considered a virus since it couldn't replicate. It was a benign worm if I remember right.

    Viruses can't be crafted for OS X since the Mac community doesn't allow for them. ZERO in 20 years is a pretty damn good record.

  73. Anonymous Coward
    Flame

    @ Ted

    "Still no Viruses for OSX in 20 years, too funny!"

    "Yes, the Classic MacOS had around 60 viruses"

    "Viruses can't be crafted for OS X since the Mac community doesn't allow for them. ZERO in 20 years is a pretty damn good record."

    Flip / flop / flip - which is it Ted? Either there have been viruses or there haven't. 'The Mac community doesn't allow viruses' - well that's a new one on me. I think however that should read "Whenever a Mac threat appears the Mac community will bend over backwards to redefine what a 'virus' is to the point where, if applied to the number of viruses for Windows, would reduce the total number from 'millions' to 'about three'."

    OSX is not the 'same' OS as 'Next Step'. Sure it draws on it and may share some code, but if it were the 'same' then I would be able to boot up a NEXT box and run, say, iPhoto on it, which of course I cannot. If you had wanted to say NEXT had no viruses then why didn't you say that?

    To be honest Ted the biggest problem with the Mac as a platform are people like you spouting specious crap about how invulnerable Mac OS is. As this exploit - nay - TROJAN - has neatly illustrated yet again, it demonstrably is not the case and you simply contribute to the impression many have that Mac fanboys are twats, thus further alienating them against the platform and from realistic people like me who actually do know what we're talking about and have a difficult time promoting OSX as a result.

  74. Hans
    Boffin

    Weird

    Mine does not have the setuid bit set and NO, before you ask, I did not remove it ... I have 10.5.3.

    Yes, it is a trojan, and it is a valid security threat - I have always said that a Mac is NOT immune, however, what counts is that in 7 years not one virus, a few "trojans" ... compare that to 100 000+ viri and trojans ... and even if they find/create 1000 trojans/viri this year for Mac, Windows still has 100x more .... :-)

    Linux and Solaris are just as vulnerable as Mac OS X ... I believe that Windows is more vulnerable by design, though ... and the silly default settings in Windows don't help ...

    Before you ask, OpenBSD is far safer than the rest!

    As for Mac OS 8/9, most viruses were for MS Office ... lol - I only remember 40 for Mac OS 8/9 ... source: Symantec ... but that was way back in 2002.

    BTW, Gilbert Wham, ARD is "slightly more" than remote desktop software ... did I stress slightly? when you don't know, do us & yourself a favor, :-x or go read what it is about.

    Am I the only Solaris fanboy here ? :(
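    Hans's remark above is about whether the Apple Remote Desktop agent binary carries the setuid bit, which is what lets a program launched by an ordinary user run as root. The script below is an added example (not from this thread or from Apple) showing how to check one file and how to audit a directory tree for setuid executables; the ARD_AGENT_PATH variable is a placeholder you set to the agent's location on your own machine, and the demonstration runs on a constructed temporary directory so it needs neither root nor a Mac.

```shell
#!/bin/sh
# Added example: setuid audit helpers. Not code from the thread or from Apple.

# Report the setuid state of one file: "setuid", "clear" or "missing".
setuid_state() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "missing"
        return 0
    fi
    if [ -u "$f" ]; then
        echo "setuid"
    else
        echo "clear"
    fi
}

# List every setuid file under a directory as "owner path", one per line.
# Owner is taken from ls(1) so it works on both BSD/macOS and GNU userlands.
list_setuid() {
    dir=$1
    find "$dir" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')
        printf '%s %s\n' "$owner" "$f"
    done
}

# Number of setuid files under a directory; handy for a baseline comparison.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# Placeholder: point this at the ARDAgent binary on your system (assumption,
# the thread does not give the path). A missing file simply reports "missing".
ard="${ARD_AGENT_PATH:-/path/to/ARDAgent}"
echo "ARD agent ($ard): $(setuid_state "$ard")"

# Constructed demonstration tree: two scripts, one deliberately left setuid.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho hi\n' > "$demo_dir/agent"
printf '#!/bin/sh\necho hi\n' > "$demo_dir/helper"
chmod 755 "$demo_dir/agent" "$demo_dir/helper"
chmod u+s "$demo_dir/agent"   # simulate an agent that was shipped setuid

echo "setuid files under $demo_dir:"
list_setuid "$demo_dir"
echo "count: $(count_setuid "$demo_dir")"
```

    Running list_setuid over the directories that hold system daemons and comparing the output against a known-good baseline is a cheap way to notice when a setuid binary appears or changes owner.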

  75. Thomas

    @some of AC, immediately above Hans

    > "Still no Viruses for OSX in 20 years, too funny!"

    >

    > "Yes, the Classic MacOS had around 60 viruses"

    >

    > "Viruses can't be crafted for OS X since the Mac community doesn't allow for

    > them. ZERO in 20 years is a pretty damn good record."

    >

    > Flip / flop / flip - which is it Ted? Either there have been viruses or there

    > haven't.

    His argument is entirely consistent. The Classic OS is an entirely different set of code to OS X. Viruses that were designed for the Classic OS won't function on OS X, in the same way that viruses that were designed for AmigaOS won't function on Windows.

    > 'The Mac community doesn't allow viruses' - well that's a new one on me. I

    > think however that should read "Whenever a Mac threat appears the Mac

    > community will bend over backwards to redefine what a 'virus' is to the point

    > where, if applied to the number of viruses for Windows, would reduce the total

    > number from 'millions' to 'about three'."

    Yeah, "the Mac community doesn't allow viruses" is clearly a ridiculous statement. However, since several Mac users have openly admitted that their OS is not a panacea for security problems on this discussion page, the statement isn't correct even when interpreted as you attempt.

    > OSX is not the 'same' OS as 'Next Step'. Sure it draws on it and may share

    > some code, but if it were the 'same' then I would be able to boot up a NEXT

    > box and run, say, iPhoto on it, which of course I cannot. If you had wanted to

    > say NEXT had no viruses then why didn't you say that?

    Your test is fatuous. Is OS X v10.5 the 'same' OS as OS X v10.4? It can run the same applications. But there are some applications that will run on v10.5 but not v10.4. So if we apply your test then it is possible that A is the same OS as B, but B is not the same OS as A.

    It's probably better to say that if OS X is the same OS as NextStep just a little less than Vista is the same OS as Windows NT.

  76. Anonymous Coward
    Anonymous Coward

    @Viruses etc

    OK, so 1 million Windows viruses / trojans / worms = about 1 per 70 users

    3 OSX viruses / trojans / worms = about 1 per 0.6666667 users

    Oh, and the most important is that whereas in general Windows users have a Sounding-like-a-Twat co-efficient of 0.56 this rises to 4.93 for Mac Fanboys. With the exception of Webster Phreaky who breaks the scale at 9.99998.

  77. Anonymous Coward
    Flame

    @ Thomas

    "His argument is entirely consistent."

    No it isn't. He claims that OSX is 20 years old and has never had a virus. Both points are untrue. He then tries to back pedal and claim he was actually talking about NeXT the whole time, in a Mac news story.

    "The Classic OS is an entirely different set of code to OS X. Viruses that were designed for the Classic OS won't function on OS X, in the same way that viruses that were designed for AmigaOS won't function on Windows."

    Wrong - ever hear of 'Classic'? Or is OSX only 10.5 now?

    "Your test is fatuous. Is OS X v10.5 the 'same' OS as OS X v10.4? It can run the same applications. But there are some applications that will run on v10.5 but not v10.4. So if we apply your test then it is possible that A is the same OS as B, but B is not the same OS as A."

    So you are saying that there are any NeXT apps that will run on OSX? Or that there are any OSX apps that will run on NeXT? It's not the same OS. Derived from, maybe. Not the same. It's also derived from UNIX - so does that mean we can count every UNIX virus against OSX now?

    You cannot compare what was basically a niche OS against commercially available to the average consumer on the street modern OSX in some specious claim that it has 'not had a virus for 20 years'. You might as well claim that Windows was virus free for hundreds of years because it's a more advanced abacus and there were no viruses for the abacus.

    Simple fact is when exploits appear people target boxes that they can get time on to develop, and are likely to benefit from attacking, hence we see this OSX trojan installing a keylogger, turning off logging and other root kit type behaviour.

  78. Ted
    Happy

    @anonymous

    You certainly seem bitter that OSX has the best security track record of any mainstream OS.

    Fact is, NeXTStep and OSX are the same thing, just under a different name. follow the pretty arrows and you'll clearly see this fact... it starts with NeXTStep 0.8 in 1988.

    http://www.levenez.com/unix/history.html#06

    OSX is the largest installed UNIX in the world by a large margin, so it's much more than a "niche", it's the primary high end OS anyone can buy, and the most secure. 31,400 new OSX boxes come online every 24 hours, nobody is even close to that level of deployment... and still not a SINGLE Virus.

    And what applications will run on 10.5 but not on 10.4? That's a foolish statement. Sure, there might be something extremely obscure, or something that requires hardware that only runs on a 10.5 box, but 99.9% of all 10.4 apps run on 10.5 and vice-versa.

    Yes, the Mac Community does not allow for security issues, just like some cities do not allow for "graffiti", they simply have higher standards and ferret out mischief and lock up or prevent those individuals from causing damage in the future. The Mac Community works in the same way, the Windows world does not, that's why it's so "trashy".

    And lastly, you said: "OSX trojan installing"... OSX cannot "install" this benign trojan without lots of effort by the User. Nobody has ever been infected by it so far, nor has it been found in the wild, it's just simply a "clean room" example of a small bug. It's been fix, so time to move on.

  79. Anonymous Coward
    Anonymous Coward

    Mac noobs

    These trojans won't affect the more experienced Mac owners, but I can guarantee it will affect the newbies - you know the sort who have bought iBooks because they are "cool" and were the same people who didn't patch their Windows boxes. Just because the OSX platform is more secure it won't stop stupid users or lazy programmers from being the weak link.

  80. Anonymous Coward
    Flame

    @Ted

    "You certainly seem bitter that OSX has the best security track record of any mainstream OS."

    Wrong. Speaking as someone who owns three Macs, I'm rather happy with the security record of OSX thanks.

    "Fact is, NeXTStep and OSX are the same thing, just under a different name. "

    Wrong. It may be built upon the basis of OPENSTEP which was a derivative of NeXTSTEP but that does not make them the same OS, (and incidentally the niche OS I was referring to is NeXTSTEP, not OSX; unless of course there are a few million users out there I'm not aware of.)

    If you want to claim that OSX is every OS it's ever based on that kind of damages your 'no viruses' claim as we would have to basically factor in every UNIX security threat -ever- seeing as it's based on UNIX and all.

    "And what applications will run on 10.5 but not on 10.4?"

    Time Machine for a start? - but wait - surely that's a NeXTSTEP - no wait - BSD app!

    "Yes, the Mac Community does not allow for security issues,"

    And you have the audacity to claim that _I've_ said something foolish?

    "OSX cannot "install" this benign trojan without lots of effort by the User."

    What - you mean clicking an icon? Perhaps you consider this 'lots of effort' but I and a very large number of other people certainly wouldn't. What if someone blends it with a Safari vulnerability that means it becomes a drive-by install? What if it starts spreading by email to people in the address book? 'Hey click this - it's ok - Macs can't get viruses right?'

    Not been found in the wild? Securemac disagree with you:

    http://www.securemac.com/applescript-tht-trojan-horse.php

    Oh wait - you haven't seen it have you so therefore nobody else in the entire world must have either. 'It's been fix'(sic) has it? How's that then?

    Oh and one other thing:

    "And no, oompa was never considered a virus since it couldn't replicate. it was a benign worm if I remember right."

    You evidently remember wrong. 'oompa' aka OSX/Leap-A spreads via iChat, whereupon it is run by the user at the other end before spreading further over that user's iChat. That is VIRUS behaviour. If it did not spread it would be a TROJAN. If it spread with no human interaction it would be a WORM.

  81. Anonymous Coward
    Flame

    @ted

    Christ, you are like the nightmare fucking Mac user I spent 2 hours trying to explain that entering DNS servers by hand would not break her precious fucking poser box... give me strength... AAAAARGHHHHHH.

    Even our resident Mac evangelist doesn't want to speak to her...
