The New Mac OS X Trojan: Are the Naysayers Right After All?
June 23rd, 2008The news first come to listeners of The Tech Night Owl LIVE during the final portion of last Thursday’s episode. According to commentator Kirk McElhearn, a new potentially critical exploit had been discovered that could really impact Mac OS X users.
Dubbed by some “AppleScript-THT,” it uses AppleScript to apparently exploit a vulnerability in the Apple Remote Desktop Agent, allowing it to load itself with super user or root privileges. The end result is that the invader can take control of the unwary victim’s Mac and do some nasty stuff, such as delete your files, retrieve your stored passwords, and other unwelcome things.
One method in which the Trojan is supplied is in the form of a file bearing the unlikely name of ASthtv05. It doesn’t strike me as something you’d casually download — or am I missing something?
Regardless of what it’s called, however, you can’t succumb to this malware infection unless you actually download the file and launch it. There’s no other way to surrender control of your Mac.
You can bet that such virus protection applications as Intego’s VirusBarrier have already been updated to guard against this exploit. But, according to Kirk, there’s an even easier way to protect yourself. In 10.5, for example, just open System Preferences, choose Sharing, and check Remote Management to turn it on. Just make sure that all the choices listed under Options are left unselected.
This may sound counterintuitive, of course, but a test that Kirk and I ran during the radio show demonstrated that the Trojan couldn’t take over my Mac Pro with Remote Management activated, which is quite enough protection for me. I would also expect that, if there’s a chance at all that this Trojan is spreading, Apple will close the security hole in a future Mac OS X update for 10.4 and 10.5 user.
This particular episode, raises the larger question of whether Mac users are in for a deluge of malware now that the flood gates are open. However, let’s try to look at this a bit more realistically, because there have been a handful of other exploits in the wild over the past few years, and none of them have amounted to anything, except for limited infections.
No, I’m not taking the nature of this threat lightly. You wouldn’t want to suffer the consequences of having your Mac compromised simply because you accidently downloaded and executed the wrong file. It would seem likely that some people will be affected, regardless.
I also expect that Windows fanboys will now be flooding their blogs with inane chatter that Mac users are now finally getting what they deserve, a true epidemic of malware. Serves them right, they’ll say, to dare criticize the Windows platform as being too vulnerable.
But it’s not as easy as that. It has taken years for the number of Windows exploits to hit six figures. From day one, the number of Mac infections is still a few dozen. Sure, Apple has patched lots of potential vulnerabilities in Mac OS X in recent years, but a potential security leak doesn’t translate into rampant malware.
AppleScript exploits, for example, aren’t new to Mac OS X. We had some under the Classic Mac OS as well, and they didn’t amount to much then either. So, my friends, I don’t think the dam is about to burst. At the same time, though, that doesn’t mean you shouldn’t show a little caution about how you use your Mac.
You see, it’s far too easy to download files willy-nilly without paying a lot of attention to where they came from and what they’re designed to do. Even when a password prompt appears, how often do you just enter the login information without considering the consequences of what you’re doing?
In the end the simplest thing to do is just download your stuff from trusted sources, such as Apple or a software developer’s own site. As an alternate, you might go to one of the well-known software update repositories, such as VersionTracker.com. These steps alone will help protect you from getting the wrong file and launching it.
Even then, before you open a file, make doubly sure you know what it’s designed to do and whether you rally need it. Leopard adds a little warning prompt first time you open a file you downloaded, and you should read the message to confirm you really want to open that file.
I do, however, think it’s still premature to go the whole hog and acquire virus prevention software. The time may come, but it’s probably not worth buying a product and keeping up with annual subscriptions for the rare exploit that does appear. If they become ubiquitous, though, then maybe you’ll want to rethink your position, and I surely would as well.
One more way to protect yourself from visiting the wrong sites that might offer up potential malware, and speed up your Web access slightly, is to switch your DNS settings to the free OpenDNS. Libraries, schools and private companies are embracing this free service, and I highly recommend you consider it carefully. The setup process, explained at the site, takes less than a minute, and you’ll be delighted with the results and your enhanced security.
Print This Post
Well said Gene
A nice “balanced” response.
I have always felt that the biggest seurity risk is often the person behind the keyboard.
Going to sites that are by their nature dubious and downloading things based on what someone says it si is really the users issue. As to this new exploit as they call it i did what was suggested and that means I am safe. Mind you I suppose I could go to a website and they could say to fix a problem I want you to delete this file and it is a critical system file. I could be suckered that way.
My ignorance “exploited” Apple I am sure will fix this hole in a few days or a week at the most.
I still cant leave my Windows PC sitting on the web with no Anti Virus or Anti spyware yet you can with OS X as long as you keep it patched and use your brain.
If anyone claimed that os x was impossible to penetrate, that person is an idiot. I claim that it is much more difficult to penetrate than windows, but that doesn’t imply that there will forever be zero successful exploits.
Jim
Unfortunately, the simple solution doesn’t actually work.
You can see that the vulnerability is still there if you type this into the Apple Script Editor and run:
do shell script “kill `ps -acx | grep ARDAgent | awk ‘{print $1}’`”
tell application “ARDAgent” to do shell script “whoami”
You will still get “root” as the reply even if you tried the mentioned fix. The ARDAgent application runs with the logged in user as owner so it can be “killed” without any warning or security dialog. Once it is killed, your fix is undone.
All right, thanks for the update. Indeed Kirk confirms that you are correct; it’s something they discovered the very next day. I asked him to post an update when he has the chance.
Peace,
Gene
What, me worry? 🙂
As the saying goes, “One swallow doesn’t make a spring.”
(Or is it “One swallow doesn’t make a gulp.” ?)
Anyway, it’s too soon to call in the exterminators (for those who hate swallows!) Just check your house to beware of all those little holes they love!
(Personally, I LIKE those little sporters of the skies but they have been absent the last couple of years. Global warming? I even cleaned out their dryer vent hole for them! 🙂 )
I agree. We should give this more time to see if the floodgates have been pried open. Personally, I don’t think so.
Peace,
Gene
MacFixIt has posted a simple workaround until Apple issues a patch:
http://www.macfixit.com/article.php?story=20080624105604884
It looks scary, but anyone capable of cuting and pasting a line of code into Terminal can do this.
From the link:
Apple is aware of this problem, but until they issue a patch for ARDAgent, running the following command to remove the setting of user/group ID upon execution will prevent the execution of commands as root:
* sudo chmod -s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
If this leads to any faulty screen sharing behavior, then users can switch it back to normal by entering the same code with the ” s” option instead of “-s”, as follows:
* sudo chmod s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
I’d be careful with the stuff you read about in MacFixIt. They can be very extreme in their recommendations at times. If you just take a little care in what you download, this should not be an issue.
Peace,
Gene
Yes, it turns out that the following day we realized that the ARDAgent process was easy to kill.
The only real fix, then, is to zip or remove the ARDAgent application (located in /System/Library/CoreServices/RemoteManagement). I don’t like the idea of changing perms or owner for it – that’s something that you can forget, and that can be fixed if you repair permissions. If you really don’t need it, just zip it up, then unzip it when there’s a new system update (because that update is likely to patch it).
Kirk
Thanks, Kirk, for the added enlightenment.
Peace,
Gene
I don’t disagree with either of your concerns (or method), but considering you have to remember to put the files back how you found them before updates, how is that any difference from needing to remember change things back before repairing permissions?
Both methods should work, with approximately the same amount of hassle, and the same end result.
The file with the unlikely name of ‘asthtv05’ is a text file containing the source code of one version of the program. It is not compiled, a user would have to download the file, open it in Apple’s AppleScript Script Editor and then click ‘Run’ to actually execute the source code. A later version was posted in compiled form. Its name is irrelevant however, it was designed specifically to be renamed using the name of -any- real program and then to have that programs icon pasted to it as well. The ‘real’ program would then be placed inside the Trojan package. When run, the Trojan can, among other things, move itself and leave the ‘real’ program alone in its place.