June 24th, 2008

Trojan exploiting unpatched Mac OS X vulnerability in the wild

Posted by Dancho Danchev @ 5:24 am

Categories: Apple, Passwords, Privacy, Spyware and Adware, Viruses and Worms, Vulnerability research, Zero-day attacks

Tags: Security, Hacking, SecureMac, Mac OS X, ARDAgent, Apple Remote Desktop Agent, Trojan Horse, Local Root Escalation, Dancho Danchev

The source code of a trojan horse exploiting the local root escalation vulnerability in Mac OS X 10.4 and 10.5 that was uncovered last week has been released in the wild, allowing malicious attackers to take advantage of the ARDAgent-based trojan in what appears to be a very short vulnerability-to-malware cycle: the trojan template was released on the same day that details of the vulnerability emerged.

Discussion and release of the source code originally took place at the Mac Shadows forums, whereas the source code is now circulating across many other forums and IRC chat rooms, including several popular ones mainly visited by Chinese script kiddies.

According to an advisory issued by SecureMac last week:

SecureMac has discovered multiple variants of a new Trojan horse in the wild that affects Mac OS X 10.4 and 10.5. The Trojan horse is currently being distributed from a hacker website, where discussion has taken place on distributing the Trojan horse through iChat and Limewire. The source code for the Trojan horse has been distributed, indicating an increased probability of future variants of the Trojan horse.

The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing. The Trojan horse exploits a recently discovered vulnerability with the Apple Remote Desktop Agent, which allows it to run as root.

Compared to this week’s reported PokerStealer trojan horse targeting Mac OS X users, which tries to trick them into empowering the malware with administrator capabilities, the ARDAgent-based trojan gains those capabilities automatically, unless of course you’ve already taken care of the issue yourself while a fix for it is not yet officially available.
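The post describes a component of Apple Remote Desktop that lets code run as root without the user being asked for a password. A defender's baseline check for that class of exposure is an inventory of executables that carry the setuid bit and are owned by root. The script below is an added example and is not code from this post, from SecureMac or from Apple; it takes the directory to audit as an argument and assumes nothing about where ARDAgent lives on a given system.

```shell
#!/bin/sh
# Added example (not from the post, SecureMac or Apple): inventory
# setuid-root executables under a directory tree so that unexpected
# entries, or entries you have deliberately stripped of the bit as a
# workaround, can be reviewed. Uses only POSIX sh, find, ls, awk and wc.

# is_setuid FILE -> exit status 0 when FILE has the setuid bit set
is_setuid() {
    [ -u "$1" ]
}

# owner_is_root FILE -> exit status 0 when FILE is owned by uid 0
# (`ls -ln` prints the numeric uid in the third column on macOS and Linux)
owner_is_root() {
    uid=$(ls -ln "$1" | awk '{print $3}')
    [ "$uid" = "0" ]
}

# list_setuid_root DIR -> prints each setuid executable owned by root
# under DIR, one path per line; the combination of -perm -4000 and
# -user root is the same test as is_setuid plus owner_is_root
list_setuid_root() {
    find "$1" -type f -perm -4000 -user root -print 2>/dev/null
}

# count_setuid_root DIR -> prints how many such files exist (0 when none)
count_setuid_root() {
    list_setuid_root "$1" | wc -l | tr -d ' '
}

# Usage: sh audit_setuid.sh <directory>
# Compare the output against a known-good inventory of the same host;
# any new setuid-root binary deserves an explanation.
if [ -n "$1" ]; then
    echo "setuid-root executables under $1:"
    list_setuid_root "$1"
    echo "total: $(count_setuid_root "$1")"
fi
```

Run it once on a clean install and keep the output; a later run that shows a new entry, or that shows the bit back on a binary you removed it from as a temporary measure, is the kind of change worth investigating.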

The author of the trojan, Andrew, even left a copyright notice within it; however, it appears that the source code for the trojan isn’t a one-man operation, but the result of a collaborative discussion aiming to add as many modules as possible. Here’s what he thinks of OS X security, according to his own statement:

“Apple tells us that OS X is safe and secure and fails to actually confirm that it is so on their own. We are left to experiment and test our own security and too often we discover that we aren’t actually as secure as we were led to believe,” Andrew said in an e-mail. “When you are seeking information about how to secure your own system, frequently the best sources of that information are hackers, not the vendors.”

Going full-disclosure with the idea to shorten the time until a patch is released by the vendor for the sake of closing the “window of opportunity” for malicious abuse of the vulnerability is one thing, releasing a do-it-yourself trojan template in a vulnerability-to-malware fashion is entirely another.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
