Slashdot Mirror


Two Trojans For Mac OS X

I Don't Believe in Imaginary Property writes "F-Secure is reporting that there are two new Mac OS X trojans. The first is just a proof-of-concept from the MacShadows people that takes advantage of the unpatched ARDAgent vulnerability to get root access when run by the user. The second relies on social engineering: it's a poker game that requests the user's password, claiming to have detected a 'corrupt preference file.' It then takes control of the computer. Now that the source of the proof-of-concept is publicly available, we can expect that future trojans won't just politely request your password."

19 of 326 comments

  1. users by Anonymous Coward · · Score: 5, Funny

    Now that the source of the proof-of-concept is publicly available, we can expect that future trojans won't just politely request your password. Are you sure? After all, we are talking about *mac* users. :P

    Let the flamewars begin!

  2. Two Trojans For Mac OS X Users by stuntmanmike · · Score: 5, Funny

    One for you, one for your partner.

    1. Re:Two Trojans For Mac OS X Users by somersault · · Score: 5, Insightful

      This exploit is done via AppleScript and the Apple Remote Desktop Agent, which should hopefully give you some kind of hint as to why this particular issue is not going to be a problem on Linux.

      OSX is certified yes, and presumably some of the basic shell commands will be exactly the same at a source level as in Linux, but in the Linux world patches are uploaded to repositories pretty quickly and users can then download updates immediately. Apple users (of which I am one) have to wait for Apple to release updates, unless they compile everything themselves. I don't know if there's an equivalent of apt-get for OSX, I haven't looked.

      Then there's the fact that 99.99% (number pulled out of my ass obviously) of exploitable bugs will have already been patched in the common OS level commands by now simply because they are being used in so many different distros. Sure there is the odd high profile bug, I remember one a few weeks ago on /. about a bug in some file listing function, though I don't think it was actually a security risk as opposed to just an annoying bug.

      --
      which is totally what she said

  3. Worst. Trojan. Ever. by Anonymous Coward · · Score: 5, Funny

    The second relies on social engineering: it's a poker game that requests the user's password, claiming to have detected a 'corrupt preference file.' It then takes control of the computer.
    Worst. Trojan. Ever.

    Hey guys, I've got a great new idea for a worm, I'm gonna start an e-mail chain letter that tells people they'll have 7 years of bad luck if they don't forward the e-mail to 10 friends and send me their root passwords, IP address and their bank account and credit card numbers. It's sure to be a smashing success!

  4. Proof of Concept Slashdot Trojan by frictionless+man · · Score: 5, Insightful

    Hi Slashdot User!

    We have detected your Slashdot account preferences have been corrupted.

    To fix this, please post your user id and password in response to this message, and one of our customer service operatives will fix your account and recover posting privileges as soon as possible.

    Yours Sincerely, Trojan

    1. Re:Proof of Concept Slashdot Trojan by Anonymous Coward · · Score: 5, Funny

      User Id: Anonymous Coward
      Password is blank.

      I hope you fix my preferences soon, my karma never seems to go up, no matter how much I get modded up.

    2. Re:Proof of Concept Slashdot Trojan by Hal_Porter · · Score: 5, Funny

      O/T but have you noticed how if you post sensitive information like your password here SlashCode filters it to X's. Very nice idea.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;

    3. Re:Proof of Concept Slashdot Trojan by mrbluze · · Score: 5, Funny

      1 2 3 4 5? That's amazing! I've got the same combination on my luggage! Is your luggage by any chance in the form of a wooden horse?
      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]

    4. Re:Proof of Concept Slashdot Trojan by fatphil · · Score: 5, Funny

      Obligatory: http://www.bash.org/?244321

      --
      Also FatPhil on SoylentNews, id 863

    5. Re:Proof of Concept Slashdot Trojan by lurch_mojoff · · Score: 5, Insightful

      And where's the comment playing down the seriousness of the first proof-of-concept? The one that uses an unpatched ARDAgent vulnerability? Some Mac users just can't face that they're not as invincible as Apple marketing wants them to think, and reject any evidence to the contrary. (I'm about to be told how this local root vulnerability isn't a real vulnerability, because it's local.) That comment is in the thread of the previous "How to Save Mac OS X From Malware" article, as well as in the comment thread of the article originally reporting the ARD vulnerability posted last week. Yes, Arty McStrawman does believe that his Mac is invincible. Not many beside him do, though. Also, if you already know what people will respond to you, why do you ask your, fairly inflammatory, I might add, question, even if you intended it to be a rhetorical one?

  5. Lame by grusin · · Score: 5, Funny

    On windows they do that without asking for password

  6. Yawn by rsmith-mac · · Score: 5, Insightful

    We go through this about twice a year with the same results every time. "Someone" releases a trojan, presumably as proof that Mac OS X has security holes. Then everyone gets whipped into a frenzy and ultimately no one is infected by the damn thing in the first place. Mac OS X does have its holes (some of which are quite unreasonable), but trying to scare the users (into buying anti-virus software, perhaps?) gets tiring after a while. No one has yet done anything that matters with these trojans and security vulnerabilities; the real troublemakers continue to target Windows.

    Mac OS X's day will definitely come at some point, but if people keep crying wolf every time someone whips up a theoretical and entirely implausible situation, no one is going to believe the security community once some black-hat does finally decide to attack the Macs.

    1. Re:Yawn by KGIII · · Score: 5, Interesting

      At risk of being called a troll... The adage does actually apply but I will spell it out a bit. If you're going to attack then your goal is to do as much damage as you can as efficiently as you can. The vast majority of users are still using Windows. The vast majority of business data is still being transported on Windows based machines. You are as unlikely to find mass-effect malware for a Mac as you are for RiscOS, Amiga, Solaris, BSD, or Linux. The ends don't justify the means from a realistic view and if anyone thinks that malware authors are out there doing it just to "show the man" or for "fame" these days hasn't actually paid attention to the malware scene for the past five years. Today it is about blended threats, specific highly targeted attacks, gaining information as opposed to causing destruction and the goal isn't geekiness nor fame but rather is about money. Mac users are just as likely to type in their password as are Windows users. (As *NIX is not aimed at the mainstream I'd argue that *NIX users are less likely to do so, and yes, I use all the above OSes when required or have used them to play with them.)

      --
      "So long and thanks for all the fish."

    2. Re:Yawn by marcello_dl · · Score: 5, Insightful

      Except that worms for linux would find most servers on the net vulnerable; do you realize the potential for mischief?
      In fact worms for linux were produced.

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol

    3. Re:Yawn by Tom · · Score: 5, Insightful

      Mac users are just as likely to type in their password as are Windows users. Evidence for that claim?

      Mac's "I need your password" dialog is better done and, more importantly, a lot less common than Windows UAC. As such, most Mac users don't roll their eyes and mutter "get on with it already, moron" when it pops up. In fact, when it pops up, I either expected it to, or it surprises me enough that I actually read what it's about.

      --
      Assorted stuff I do sometimes: Lemuria.org

  7. Grrr... by mallardtheduck · · Score: 5, Insightful

    The ARDAgent vulnerability is pretty serious and stupid, but social engineering is not OS specific. The "poker game" could just as easily be implemented on Windows or Linux.

    There is nothing that any OS can do to prevent trojans. (At least not without seriously limiting the functionality of legitimate programs.)

    Slashdot's own summary of the ARDAgent vulnerability included a "proof-of-concept"; it is trivially easy to exploit and should be fixed ASAP.

    There is no news here.

  8. Society is not an OS X vulnerability by Anonymous Coward · · Score: 5, Insightful

    For crying out loud people, the poker game one is applicable to any system you want to code it on! What does this have to do with being a Mac OS X security hole? It would work on Linux, BSD, RandomOSMadeUpOnTheSpurOfTheMoment (Infinium labs).

  9. You'd be amazed how dumb users are by Sycraft-fu · · Score: 5, Funny

    I swear, some people go out of their way to infect their machines. The one that stands out in my mind the most was a virus for Windows a number of years ago. Came as an attachment in a message that said "Hi I send you the file in order to have your advice." So never mind the bad grammar and such, but before campus got hit we got wind of the thing and sent out an e-mail message to all users saying "Don't open this shit it's bad news." One of the users called in saying she was having problems with e-mail, we came and looked. The "problem" was that she wasn't an admin and so, thankfully, couldn't run the damn virus.

    Or somewhat more recently we had a virus that slipped by our e-mail scanner. It did so by sending itself in encrypted zip files, and then putting the decryption key in the message. That meant you had to open the mail, save the zip, open the zip, enter the code, extract the executable, and run it. Two users did just that and got infected.

    So while it seems amateur to do a "Download this then enter your password" kind of trojan, that shit works waaaay more than you'd think.

  10. Re:Apple spin by doyoulikeworms · · Score: 5, Funny

    iTrojan - It just works.