Slashdot Mirror


Two Trojans For Mac OS X

I Don't Believe in Imaginary Property writes "F-Secure is reporting that there are two new Mac OS X trojans. The first is just a proof-of-concept from the MacShadows people that takes advantage of the unpatched ARDAgent vulnerability to get root access when run by the user. The second relies on social engineering: it's a poker game that requests the user's password, claiming to have detected a 'corrupt preference file.' It then takes control of the computer. Now that the source of the proof-of-concept is publicly available, we can expect that future trojans won't just politely request your password."

36 of 326 comments

  1. Proof of Concept Slashdot Trojan by frictionless+man · · Score: 5, Insightful

    Hi Slashdot User!

    We have detected your Slashdot account preferences have been corrupted.

    To fix this, please post your user id and password in response to this message, and one of our customer service operatives will fix your account and recover posting privileges as soon as possible.

    Yours Sincerely, Trojan

    1. Re:Proof of Concept Slashdot Trojan by kestasjk · · Score: 1, Insightful

      And where's the comment playing down the seriousness of the first proof-of-concept? The one that uses an unpatched ARDAgent vulnerability?

      Some Mac users just can't face that they're not as invincible as Apple marketing wants them to think, and reject any evidence to the contrary.

      (I'm about to be told how this local root vulnerability isn't a real vulnerability, because it's local.)

      --
      // MD_Update(&m,buf,j);
    2. Re:Proof of Concept Slashdot Trojan by lurch_mojoff · · Score: 5, Insightful

      "And where's the comment playing down the seriousness of the first proof-of-concept? The one that uses an unpatched ARDAgent vulnerability? Some Mac users just can't face that they're not as invincible as Apple marketing wants them to think, and reject any evidence to the contrary. (I'm about to be told how this local root vulnerability isn't a real vulnerability, because it's local.)"

      That comment is in the thread of the previous "How to Save Mac OS X From Malware" article, as well as in the comment thread of the article originally reporting the ARD vulnerability posted last week. Yes, Arty McStrawman does believe that his Mac is invincible. Not many beside him do, though. Also, if you already know what people will respond to you, why do you ask your, fairly inflammatory, I might add, question, even if you intended it to be a rhetorical one?
    3. Re:Proof of Concept Slashdot Trojan by ohcrapitssteve · · Score: 2, Insightful

      You're about to be told that no OS is safe from its worst users. Okay, a root vulnerability. That's bad. Why is it still asking for a password? Since it is asking (and apparently getting it from some), it doesn't even need to exploit the vulnerability. This is the real news.

      Local root is "business as usual" on out of the box Windows, and has been for a long time. (I'm about to be told a nag screen with a silly make-the-background-dark effect is a reasonable substitute for a real security hierarchy. )

      Just because Mac users are used to a safe operating experience doesn't mean we think we're invulnerable and we don't know how to protect ourselves. I'm sorry all three Mac users you know are morons...

    4. Re:Proof of Concept Slashdot Trojan by samkass · · Score: 2, Insightful

      Now that the source of the proof-of-concept is publicly available, we can expect that future trojans won't just politely request your password.

      What, is this insinuating that they're going to rudely ask for your password? Because the ARDAgent vulnerability is really easy to patch... you can easily do it yourself and I'm sure Apple will have a patch any day.

      But it still comes down to the user. While there aren't any viruses in the wild for MacOS X, there are always going to be trojans for every OS. It's a lot easier to fool the user than to fool the software. Once you've convinced the user somehow to type their password, it doesn't matter how much security you've got.

      --
      E pluribus unum
  2. Yawn by rsmith-mac · · Score: 5, Insightful

    We go through this about twice a year with the same results every time. "Someone" releases a trojan, presumably as proof that Mac OS X has security holes. Then everyone gets whipped into a frenzy and ultimately no one is infected by the damn thing in the first place. Mac OS X does have its holes (some of which are quite unreasonable), but trying to scare the users (into buying anti-virus software, perhaps?) gets tiring after a while. No one has yet done anything that matters with these trojans and security vulnerabilities; the real troublemakers continue to target Windows.

    Mac OS X's day will definitely come at some point, but if people keep crying wolf every time someone whips up a theoretical and entirely implausible situation, no one is going to believe the security community once some black-hat does finally decide to attack the Macs.

    1. Re:Yawn by tibman · · Score: 3, Insightful

      The poker game trojan sounds pretty lame too. The program must be downloaded and run first, which pops open a quasi-phishing "error: type your password here to fix" message. Infection vectors seem key to how fast these things spread. Having a file Mac users have to manually download first is slow/weak, and I doubt the downloaded file would be manually copied to another machine and run.

      --
      http://soylentnews.org/~tibman
    2. Re:Yawn by Simon+(S2) · · Score: 2, Insightful

      I completely agree with you, and I too think that Mac OS X's day will definitely come at some point, and that will be the time Mac has a bit more market share. For the time being it just doesn't make sense to write a large-scale virus/spambot/trojan for the Mac platform.
      But anyway, just knowing that a trojan is "possible" on the Mac should make Mac users aware that if someone targets their machine they are just as vulnerable as a Windows user (executing untrusted code locally is just bad on any platform).

      --
      I just don't trust anything that bleeds for five days and doesn't die.
    3. Re:Yawn by mentaldingo · · Score: 2, Insightful

      I think the point of TFA was to show that these things aren't theoretical and "implausible". Security isn't just about viruses: even if your so-called "troublemaker" virus-writers mostly target Windows machines, if there is a bounty on your Mac, it would be easy for someone to root it (in fact, some parts of the hack would be easier than on windows!).

    4. Re:Yawn by marcello_dl · · Score: 5, Insightful

      Except that worms for linux would find most servers on the net vulnerable- do you realize the potential for mischief?
      In fact worms for linux were produced.

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    5. Re:Yawn by rolfwind · · Score: 1, Insightful

      Mac OS X's day will definitely come at some point, but if people keep crying wolf every time someone whips up a theoretical and entirely implausible situation, no one is going to believe the security community once some black-hat does finally decide to attack the Macs.

      How sure are you of that proposition? Not that I think OS X is invulnerable, but perhaps OS X isn't attacked not because of market share but because Windows is just much easier. After all, I don't hear people chiming the Linux bell so much in this area even though it is being sold commercially now (gPC, eeePC, etc.) and the two are built on a similar base:

      http://www.roughlydrafted.com/2008/04/01/the-unavoidable-malware-myth-why-apple-wont-inherit-microsofts-malware-crown/

      I'm pretty sure most of MS's attacks come from it supporting legacy apps and legacy cruft and not letting go (like the damned Registry). One thing Apple never had a problem with. Linux neither in many areas.

    6. Re:Yawn by Tim+C · · Score: 4, Insightful

      Do you have any figures to back that claim up? Most servers are looked after by admins, and any admin worth their salt will at least put their machines behind a firewall, opening up only those ports that are absolutely necessary.

      Yes, some will be vulnerable, but as another poster points out the number will be utterly insignificant compared to the number of networked clients running Windows. The target simply isn't big enough to be worth the effort.

    7. Re:Yawn by GigaplexNZ · · Score: 2, Insightful

      "where it'd be 'just another' piece of malware with a tiny market share"

      You seem to be under the impression that a Windows box can only have one piece of malware installed at a time. This is simply not true.
    8. Re:Yawn by INT_QRK · · Score: 2, Insightful

      Your allusion to anti-virus software calls to mind a serious question that's been on my mind for some time. Since computer security software (anti-virus, anti-spyware, HIDS, NIDS, etc.) is relied upon not only to protect consumers, but industry, government, and virtually every other institution of our society, how is it not considered Critical Infrastructure, subject to government monitoring, regulation, testing, or standards of conduct and performance? I'm curious, because installing such products seems to pose a real dilemma. They insert themselves, often with root-level access, call home constantly, frequently inject code onto your system without operator visibility or intervention in various forms including updated "signature files," not to mention their own patch updates, and how can one assess what activity they allow, disallow, ignore, or accept since their code and algorithms are proprietary and trade secrets? Were I a well-resourced adversary, might I not consider buying into (or infiltrating) a major institutional security software provider so that I could use it to spread my own root-kit? I may want my known performance to be otherwise impeccable, of course, to increase my market penetration, so that I could choose when and where to facilitate targeted malicious activity. I sure hope DHS, or somebody, is thinking about this.

    9. Re:Yawn by Tom · · Score: 5, Insightful

      "Mac users are just as likely to type in their password as are Windows users."

      Evidence for that claim?

      Mac's "I need your password" dialog is better done and, more importantly, a lot less common than Windows UAC. As such, most Mac users don't roll their eyes and mutter "get on with it already, moron" when it pops up. In fact, when it pops up, I either expected it to, or it surprises me enough that I actually read what it's about.

      --
      Assorted stuff I do sometimes: Lemuria.org
    10. Re:Yawn by Poltras · · Score: 3, Insightful

      Hahaha! Have you met admins in real life? Most are incompetent, overpaid screen-lookers. I've met some that didn't know what TCP meant. A lot of them didn't care about opening only the necessary outbound ports, just inbound. And then, when you point out it's a software firewall, they can't see why the difference is important...

      This made me very sad, and I stopped working in security. I came to the true realization that demolishing a moron's bad work only made the moron build it back exactly where it was. Lazy admins don't fix vulnerabilities, they make the path around them.

      Disclaimer: I've met some brilliant admins in this world. Unfortunately, they were only a handful.

    11. Re:Yawn by Penguinisto · · Score: 2, Insightful

      While the last one died off in ~2001 or so, yes, there were worms created with the intention of targeting Linux.

      Also, I wouldn't be so quick to say that all Linux machines are looked after by professional, competent admins, either. Between the expanding desktop user base and the fact that I've seen a disturbing number of incompetent admins (even where I work)? It's not that easy to dismiss.

      That said, on balance Linux is a hell of a lot harder to bust into (not PHP, Linux) than a typical Windows box of any type.

      /P

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    12. Re:Yawn by Aram+Fingal · · Score: 4, Insightful

      I have been one of the first to point out the same thing in each of these past cases, but this is different. We have a scriptable application setuid to root. That's an obvious vulnerability on a silver platter. What was Apple thinking?
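      The setuid-root detail Aram Fingal raises above, and the do-it-yourself fix samkass alludes to earlier in the thread ("you can easily do it yourself"), as an added example that is not code from the original thread or from Apple. The mitigation circulated at the time was to clear the setuid bit on the ARDAgent binary so that driving it through AppleScript no longer yields root. The path below is my assumption for Mac OS X 10.5 and should be confirmed locally with `ls -l` before running `fix`; the same functions audit any directory tree for other setuid files, which is how you would notice the next such binary.

```sh
#!/bin/sh
# Added example, not code from the thread or from Apple. Audits a directory
# tree for setuid executables and clears the setuid bit on the ARDAgent
# binary, the mitigation discussed for the AppleScript-driven ARDAgent root hole.
# The ARDAgent path is an ASSUMPTION for Mac OS X 10.5; confirm it with
# "ls -l" before using "fix". Override with: ARDAGENT=/path ./ardagent-check.sh
ARDAGENT="${ARDAGENT:-/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent}"

# is_setuid FILE: true when FILE exists and carries the set-user-ID bit.
# POSIX "test -u", so it behaves the same under BSD (macOS) and GNU tools.
is_setuid() {
    [ -u "$1" ]
}

# list_setuid DIR: print every regular file under DIR with the setuid bit,
# sorted, one per line. Diff the output between runs (or against a known-good
# machine) to catch a new setuid binary appearing after an update.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# strip_setuid FILE: clear the setuid bit. Returns 0 once the bit is gone,
# 1 if chmod failed (no permission: on the real ARDAgent binary use sudo),
# 2 if FILE does not exist.
strip_setuid() {
    [ -e "$1" ] || { echo "no such file: $1" >&2; return 2; }
    if is_setuid "$1"; then
        chmod u-s "$1" || return 1
    fi
    ! is_setuid "$1"
}

# check_ardagent: report the state of the assumed ARDAgent binary.
# 0 = not setuid, 1 = still setuid (any local user who can drive it via
# osascript gets root), 2 = binary not present on this machine.
check_ardagent() {
    if [ ! -e "$ARDAGENT" ]; then
        echo "ARDAgent not found at $ARDAGENT (not Mac OS X, or another release?)"
        return 2
    fi
    if is_setuid "$ARDAGENT"; then
        echo "VULNERABLE: $ARDAGENT is setuid root"
        echo "fix with: sudo chmod u-s '$ARDAGENT'"
        return 1
    fi
    echo "ok: $ARDAGENT is not setuid"
}

# Command-line use: ./ardagent-check.sh check | fix | list [DIR]
case "${1:-}" in
    check) check_ardagent ;;
    fix)   strip_setuid "$ARDAGENT" && echo "setuid bit cleared on $ARDAGENT" ;;
    list)  list_setuid "${2:-/System/Library/CoreServices}" ;;
esac
```

      Clearing the bit is a workaround, not a patch: an Apple update that reinstalls ARDAgent may restore it, so `check` belongs in whatever post-update routine you already run, and `list` over /System/Library/CoreServices is the quickest way to see what else Apple ships setuid.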

    13. Re:Yawn by Tom · · Score: 3, Insightful

      "Speaking as an Ubuntu user, I get seriously annoyed by the frequency of password prompts on the Mac."

      What are you doing? I regularly go for many days without seeing that prompt at all, unless you count the login screen.

      --
      Assorted stuff I do sometimes: Lemuria.org
  3. Grrr... by mallardtheduck · · Score: 5, Insightful

    The ARDAgent vulnerability is pretty serious and stupid, but social engineering is not OS specific. The "poker game" could just as easily be implemented on Windows or Linux.

    There is nothing that any OS can do to prevent trojans. (At least not without seriously limiting the functionality of legitimate programs.)

    Slashdot's own summary of the ARDAgent vulnerability included a "proof-of-concept"; it is trivially easy to exploit and should be fixed ASAP.

    There is no news here.

  4. Society is not an OS X vulnerability by Anonymous Coward · · Score: 5, Insightful

    For crying out loud people, the poker game one is applicable to any system you want to code it on! What does this have to do with being a Mac OS X security hole? It would work on Linux, BSD, RandomOSMadeUpOnTheSpurOfTheMoment (Infinium labs).

    1. Re:Society is not an OS X vulnerability by squiggleslash · · Score: 4, Insightful

      Do you really think the average computer user is a "standard" sysadmin who knows "standard sysadmin stuff"?

      Most people who buy computers want and expect it to "just work" rather than to spend time learning how to maintain the system. The ideal system, for them, is maintenance free. Funnily enough, one computer manufacturer in particular specializes in the whole "just works" concept. Their customers definitely do not expect to have to set up cronjobs to copy files across the network to a secure RAID server in the closet.

      Can you guess which manufacturer that is?

      --
      You are not alone. This is not normal. None of this is normal.
    2. Re:Society is not an OS X vulnerability by mwlewis · · Score: 3, Insightful

      Depends upon what sort of information they stole from your user files. How do you 'recover' stolen proprietary information? The 'whole system' may be trivial in comparison.

      --
      JOIN US FOR PONG!
  5. FUDmeisters by Werrismys · · Score: 4, Insightful

    It's F-Secure's business to cry wolf.

    --
    'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack
  6. Re:Third trojan by Anonymous Coward · · Score: 1, Insightful

    Not on Ubuntu - the sudo command in the grandparent will still do the usual rm -rf /

    Consider that a lot of people running Ubuntu (myself included) would be the only users on the machines, and as such would be in the admin group. This means that effectively the same person and same password is used for both normal activities and sysadmin activities.

  7. I wouldn't call this crying wolf by Sycraft-fu · · Score: 4, Insightful

    More like warning that just because you live in a good neighbourhood, doesn't mean you should leave your door unlocked. Too many people who have Macs take the lax approach of "Well Macs don't get hacked so I don't have to worry." Ok well maybe they generally don't (though I've seen it happen due to immense user stupidity) but you should still assume that it can happen, and have security to prevent it.

    I'm all about proactive security, not reactive. Don't wait until something is a problem, identify weaknesses and fix that shit BEFORE someone exploits it. If nobody ever tries, ok great. However if someone does, you are glad you set up security.

    As I said it is the difference between living in a low crime neighbourhood and a high one. You live in a low crime neighbourhood and figure "Oh well there's no crime here, so I don't need to bother with a door lock or alarm." Ok, that's great right up until the criminals try, then you are screwed since you had no security. Well someone who lives in a high crime neighbourhood might have to put up with attempts more often but if they have their doors locked, windows barred, alarm on and so on it doesn't matter because their security stops it.

    Computers are the same way. Just because you run a platform that isn't targeted much, doesn't mean you should just ignore security. Hope for the best but prepare for the worst, then you are ready no matter what.

    It is like backups. Backups are a waste of time and money when your system has always been reliable... Right up until the moment when it isn't and you lose all your shit. You hope you never need the backups, and most won't; computers are pretty reliable, but you make them anyway just in case. You prepare for the worst, even if it is unlikely, so that if it hits you aren't screwed.

  8. Re:"Politely request your password"... Meh by gnasher719 · · Score: 4, Insightful

    "A trojan which requires the user to manually download and run it isn't really a trojan..."

    A trojan which requires the user to manually download and run it is _exactly_ a trojan. It is not a worm or a virus. A "trojan" is software that makes the user believe it does something useful or entertaining while in reality containing malware, and it relies on the user getting around security in order to access the useful or entertaining bits.
  9. Re:"Politely request your password"... Meh by Tim+C · · Score: 4, Insightful

    That is exactly what a trojan is!

    A trojan is a piece of software that appears to be benign or otherwise safe or desirable, but in fact is malign. It may or may not also act as advertised.

    A virus is a piece of software that piggy-backs on other executables, "infecting" them with its own code and modifying them so that when they are launched, the virus code is also run. They spread by searching for and infecting other executables on the machine.

    A worm is self-propagating, and does not require user intervention. It actively seeks out and exploits a given vulnerability or vulnerabilities, using them to covertly gain access to the machine.

    Of the three broad types of malware, the only one that does not require the user to manually run it is a worm.

    And if a program requests the root password and the user gives it, is this the OS's fault?

    No, of course not - but you'd be amazed at the number of people who blame Windows even for such social engineering tricks, or believe that if we only all switched to Linux malware would be a thing of the past. The weakest link in any computer system is the user, and there's little or nothing an OS can do to protect itself from a naive or malicious user armed with the root/admin password. While this is a non-story, it does at least demonstrate that the same is true of other OSes than Windows.

  10. Re:Worst. Trojan. Ever. by rwiggers · · Score: 3, Insightful

    Unfortunately I think it will be a huge success. People do the dumbest things all the time. Otherwise I wouldn't see every now and then a non-news item in the journal about some lottery-ticket scam and the police saying it's quite common. Just in case a lottery-ticket scam isn't common in your area: someone approaches the victim saying that they have won the lottery, but for some bogus and nonsensical reason can't draw the prize, so they need to exchange the ticket with the victim for a fraction of the prize...

  11. No, non-password variants won't appear by ktappe · · Score: 3, Insightful

    "we can expect that future trojans won't just politely request your password."

    Um....except that they won't have any choice. If they want to modify the filesystem, OS X won't let them unless they've obtained authority, and that requires them doing so via the authentication system that asks for the user's password. The above fact IS the OS X security system doing its job. If a user chooses to subvert the system by entering their password whenever requested without asking any questions, then how is that OS X's fault? Do you hand your house key to any random guy who walks up on the street? Then don't give your password to random software. I could tell before I even checked that this "story" was approved by kdawson.
    --
    "We can categorically state we have not released man-eating badgers into the area." - UK military spokesman, July 2007
  12. Re:Two Trojans For Mac OS X Users by somersault · · Score: 5, Insightful

    This exploit is done via AppleScript and the Apple Remote Desktop Agent, which should hopefully give you some kind of hint as to why this particular issue is not going to be a problem on Linux.

    OSX is certified, yes, and presumably some of the basic shell commands will be exactly the same at a source level as in Linux, but in the Linux world patches are uploaded to repositories pretty quickly and users can then download updates immediately. Apple users (of which I am one) have to wait for Apple to release updates, unless they compile everything themselves. I don't know if there's an equivalent of apt-get for OSX, I haven't looked..

    Then there's the fact that 99.99% (number pulled out of my ass obviously) of exploitable bugs will have already been patched in the common OS level commands by now simply because they are being used in so many different distros. Sure there is the odd high profile bug, I remember one a few weeks ago on /. about a bug in some file listing function, though I don't think it was actually a security risk as opposed to just an annoying bug.

    --
    which is totally what she said
  13. ARDAgent on Tiger by goombah99 · · Score: 2, Insightful

    I've tried the ARDAgent exploit on dozens of different people's computers now and it only worked on Leopard, not on Tiger.

    Has anyone seen this work on Tiger? If so what's the configuration where it actually works.

    It also does not work on most Leopard computers as things like Fast User switching, or having remote desktop turned on (yes on) cause it to fail.

    Now as for trojans. Well what can you say. All computers are vulnerable to trojans. The poker game would run on linux too.

    in the case of the poker game download the mac is going to ask you three times:

    1) The item being downloaded contains an application, are you sure?

    2) The application being launched for the first time was downloaded from the internet, are you sure?

    3) then finally when it asks for your password.

    And at best it runs at user level without the ARDAgent escalation.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:ARDAgent on Tiger by Sancho · · Score: 2, Insightful

      "Has anyone seen this work on Tiger? If so what's the configuration where it actually works."

      My wife's notebook runs Tiger, and the exploit worked there. The same set of configurations for which it works on Leopard seem to work on Tiger, too:

      User must be logged into the desktop environment (not just logged in through SSH). You must not have used Fast User Switching to log in. ARDAgent must not be running.

      "All computers are vulnerable to trojans. The poker game would run on linux too."

      Yup. Of course, the main reason that Mac-using Slashdotters point to for why OS X is more secure than Windows is that you aren't running as administrator. Seriously, go look at any OS X/Apple/Mac story, and it always comes up (and frequently) within the comments. Everyone ignores the fact that 99% of what a trojan would want to do can be accomplished without the password, and exploits like this get it that remaining 1%.
  14. It's not "immunity", it's "resistance". by argent · · Score: 2, Insightful

    I'm so damn sick of people going "oooh, aaah, I thought $software was immune to $threat" when no credible commentator has made such a claim.

    Just quit it, OK? It just makes you look like an utter twit.

    And it's not just a lack of being targeted. It's a smaller surface area for attack, as well. OS X has nothing comparable to the rich viral petri dish that the tight desktop-browser integration in Windows provides. Before 1997, Windows viruses were virtually all a matter of tricking people into running software, not having software automatically run when you just select an email message so you can delete it... which is how bad things were in the late '90s. Microsoft has tightened up the gaping holes in Windows since then, but they have done NOTHING to remove the underlying flaw that makes these kinds of attacks so easy there.

    Compared to Windows, OS X is "virus resistant". That doesn't mean "virus proof". But it does mean that it's going to remain harder to infect than Windows until such time as Apple decides to implement something as barking mad as ActiveX.

  15. Still nothing to see here. by argent · · Score: 2, Insightful

    These trojans are purely payload. The delivery mechanism is still social engineering... not remote execution. We know that "once you're penetrated you're ****ed", pointing out again the ways you can be ****ed is not news (for nerds or otherwise) nor stuff that matters.

    These are not the viruses you're looking for. Nothing to see here, move along.

  16. 2 Exploits? Thats all? by Em0ry42 · · Score: 2, Insightful

    I'm sorry... but am I alone in thinking that it's HILarious that everyone gets whipped into a frenzy when _2_ POSSIBLE exploits are discovered in Mac OS, when Windows has over the years shown... thousands if not millions?

    I don't mean to be an anti-windows troll, trust me, I still have 2 Windows machines at home (and then 10 Ubuntu) but assuming that whoever discovered these vulnerabilities spends a large portion of their time looking for them, I'd say the record looks pretty good thus far...

    I personally have concluded that it's not possible to make a COMPLETELY secure OS (especially given PEBKAC), but if you make one that demonstrates issues on a rare/reasonably rare basis then you've done it well.

    So Hurrah Apple (and contributing OSS Devs), I say job well done!!!

    --
    Sig: Do not judge me on how high UID is, but judge me on the content of my comments.