Slashdot Mirror


Two Trojans For Mac OS X

I Don't Believe in Imaginary Property writes "F-Secure is reporting that there are two new Mac OS X trojans. The first is just a proof-of-concept from the MacShadows people that takes advantage of the unpatched ARDAgent vulnerability to get root access when run by the user. The second relies on social engineering: it's a poker game that requests the user's password, claiming to have detected a 'corrupt preference file.' It then takes control of the computer. Now that the source of the proof-of-concept is publicly available, we can expect that future trojans won't just politely request your password."

10 of 326 comments

  1. Re:Proof of Concept Slashdot Trojan by Anonymous Coward · Score: 1, Informative

    Nah, it's his infernal UID.

  2. Re:An unpopular opinion.... by Anonymous Coward · Score: 3, Informative

    I think you misunderstand how it works on OS X

    When an application asks for a password to get admin rights, the user is presented with a dialog, but unlike in Vista, actually needs to type the password to continue. You can't just blindly click "OK".

  3. Re:Society is not an OS X vulnerability by pandrijeczko · Score: 2, Informative

    A virus *doesn't* have to have root to be a considerable pain in the neck. Mod parent up.

    I agree entirely - but what's easier to recover? Just damaged user files or the whole system plus the damaged user files?

    --
    Gentoo Linux - another day, another USE flag.

  4. Re:Two Trojans For Mac OS X Users by mrsteveman1 · Score: 2, Informative

    That's a stretch, the APIs are completely different, as are most of the system services, the way the kernel works. In fact, most of it is different.

  5. Re:OS X has no functional root by ktappe · Score: 3, Informative

    Root on OS X is off by default out-of-the-box, isn't it?

    Yes, it is off by default.
    --
    "We can categorically state we have not released man-eating badgers into the area." - UK military spokesman, July 2007

  6. Re:Yawn by Aram+Fingal · Score: 3, Informative

    A few years ago, we had a situation where attackers were scanning the net to find machines running Irix (Silicon Graphics UNIX) because they were easy to break into. Attackers go after easy targets, not necessarily common targets.

  7. Re:Yawn by NtroP · Score: 2, Informative

    I have been one of the first to point out the same thing in each of these past cases but this is different. We have a scriptable application setuid to root. That's an obvious vulnerability on a silver platter. What was Apple thinking? The application in question is NOT suid on my system (Yes, I looked inside the .app too). I think it's likely that a third-party app or framework, like MacPorts or something, is responsible for making the change - "fix permissions" should take care of it - I don't think this is Apple's fault.
    --
    "terrorism" and "pedophilia" are the root passwords to the Constitution
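The comment above turns on a single fact a defender can check directly: whether any binary inside an application bundle carries the setuid or setgid bit. The script below is an added example written for this page, not code from the commenter or from Apple. It walks a directory tree with POSIX `find`, lists anything setuid/setgid, and compares the result against a saved baseline so a permission change like the one described shows up as an alert; on a Mac you would point it at a bundle directory (the path `/System/Library/CoreServices` used in the usage comment is assumed), and it runs unchanged on Linux.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): audit a directory tree for
# files with the setuid (4000) or setgid (2000) bit, as a "fix permissions"
# style check for unexpected suid binaries inside .app bundles.
#
# Usage on a Mac (assumed path):
#   list_suid_paths /System/Library/CoreServices > suid.baseline
#   ... later ...
#   new_suid_since suid.baseline /System/Library/CoreServices

# Long listing of every setuid/setgid regular file under $1.
audit_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null
}

# Number of flagged files, handy for a cron job that alerts when it changes.
count_suid() {
    audit_suid "$1" | wc -l | tr -d ' '
}

# Sorted list of flagged paths, suitable for saving as a baseline.
list_suid_paths() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Paths that are setuid/setgid now but were absent from BASELINE ($1), a file
# produced by an earlier list_suid_paths run over the same tree ($2).
# Any output means a privileged binary appeared since the baseline was taken.
new_suid_since() {
    list_suid_paths "$2" | comm -13 "$1" -
}
```

Both inputs to `comm` must be sorted, which is why `list_suid_paths` pipes through `sort`; keep the baseline file somewhere the audited tree cannot write to, or the check can be defeated by editing the baseline.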

  8. The real "Next Step for Mac (& Windows) Users" by argent · Score: 4, Informative

    History shows us that even the smartest of users can catch malware.

    It's been 17 years since the last time I had to remove a virus from my own computer, even when that computer's been unpatched Windows 2000 connected to the Internet. In the years that I was network and security admin and had control of the network, the only time we had any systems infected was when a user had either downloaded and run a file (that is, they were social-engineered, and in 10 years only one person came to me with an infected laptop after doing that twice) or they had violated my policy banning IE and Outlook at our location.

    The potential for infection if you avoid software that supports automatic execution of remote content is very very small, even on Windows. The reason that Windows has a high infection rate is because of IE and Outlook, not simply because it's popular.

    If you're on a Mac, and use Safari, here's the next steps you should take:

    (1) Go into preferences and make sure "Open 'Safe' Files after Downloading" is disabled.
    (2) Get a standalone FTP client and use one of the third-party LaunchServices editors (look for internet access preference panes) and change the default application for FTP: URLs from Finder to something else.
    (3) Use Tinkertool or equivalent to disable Dashboard.

    #1 is the most important. #2 and #3 don't allow automatic execution of untrusted content, but they do make social engineering easier.

    If you use a Gecko-based browser like Firefox or Camino, you don't need to worry about these.

    If you're on Windows: avoid using any application that uses the Microsoft HTML control to access untrusted content. That includes IE, Outlook (not all versions, any more, but I believe you have to accept the Vista-style UI to avoid it), Windows Media Player, Realplayer, and some Firefox plugins and some versions of Netscape.

    In Firefox, Windows or Mac or Linux, always clean out the whitelist for installing extensions after you install an extension... the installer is an autoexecution mechanism, and there have been exploits that took advantage of that even if you don't approve the install dialog.

    The scary part is that most Mac OS users think they can't catch malware because they're smart enough not to install it.

    At the moment that's not far from the truth. You can avoid catching malware by being smart enough to avoid running it, on Windows or OS X, if you exercise some care in the applications you use, and how they're configured. It's harder on Windows, but it's still possible.

  9. Here is the Workaround patch by Anonymous Coward · Score: 2, Informative

    http://www.macfixit.com/article.php?story=20080624105604884

  10. Re:ARDAgent on Tiger by konohitowa · Score: 2, Informative

    It doesn't work on my Tiger install either having followed all of the same config caveats.

    And at best it runs as user level without the ARDAgent escalation.

    Not true. Since the admin group has sudo privileges by default in OSX, simply having the password of someone who is allowed to admin the computer gives you the ability to run as root.

    In Linux you have to go out of your way to add users to the /etc/sudoers file.
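The point of the comment above is that a group-wide sudoers rule turns every member's login password into a root password. The script below is an added example for this page, not code from the commenter; it reports the `%group` rules in a sudoers-format file, names the groups whose rule ends in an unrestricted `ALL`, and lists any `NOPASSWD` entries. The sample sudoers content is constructed inline (it mirrors the `%admin ALL=(ALL) ALL` style of rule the comment describes, plus one rule invented for contrast), so the script runs offline; on a real system you would pass `/etc/sudoers`.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): audit a sudoers-format file
# for rules that grant an entire group sudo access.
# Usage: group_sudo_rules /etc/sudoers ; groups_with_all /etc/sudoers

# Every '%group ...' rule in $1, comments and leading whitespace stripped.
group_sudo_rules() {
    sed -e 's/#.*$//' "$1" | grep '^[[:space:]]*%' | sed 's/^[[:space:]]*//'
}

# Names of groups whose rule ends in the unrestricted command list ALL,
# one per line, '%' prefix removed.
groups_with_all() {
    group_sudo_rules "$1" | awk '$NF == "ALL" { sub(/^%/, "", $1); print $1 }'
}

# Rules that skip the password prompt entirely (user or group), since those
# remove even the "politely request your password" step.
nopasswd_rules() {
    sed -e 's/#.*$//' "$1" | grep 'NOPASSWD' | sed 's/^[[:space:]]*//'
}

# Constructed sample, not copied from any real system. The %admin line is the
# default style of rule the comment refers to; %backup is invented for contrast.
SAMPLE_SUDOERS=$(mktemp)
cat > "$SAMPLE_SUDOERS" <<'EOF'
# sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
%backup ALL=(root) NOPASSWD: /usr/bin/rsync
alice   ALL=(ALL) ALL
EOF
```

Running `groups_with_all` on the sample prints `admin`: that is the group whose members' passwords are, in effect, root passwords, so on a machine where that rule exists the password-prompt trojan in the story needs nothing more than an admin user's cooperation. Parsing is deliberately simple (no `#include` or alias expansion); treat it as a first-pass audit, not a full sudoers parser.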