
Two Trojans For Mac OS X 326

I Don't Believe in Imaginary Property writes "F-Secure is reporting that there are two new Mac OS X trojans. The first is just a proof-of-concept from the MacShadows people that takes advantage of the unpatched ARDAgent vulnerability to get root access when run by the user. The second relies on social engineering: it's a poker game that requests the user's password, claiming to have detected a 'corrupt preference file.' It then takes control of the computer. Now that the source of the proof-of-concept is publicly available, we can expect that future trojans won't just politely request your password."
  • users (Score:5, Funny)

    by Anonymous Coward on Wednesday June 25, 2008 @02:35AM (#23930551)

    Now that the source of the proof-of-concept is publicly available, we can expect that future trojans won't just politely request your password.
    Are you sure? After all, we are talking about *mac* users. :P

    Let the flamewars begin!

    • by stuntmanmike ( 1289094 ) on Wednesday June 25, 2008 @02:40AM (#23930583)

      One for you, one for your partner.

      • Re: (Score:2, Funny)

        by Anonymous Coward
        And ribbed for the mac user's pleasure!

        Seriously, OS X is a unix system, so anything that works on it will also work on Linux. More slashdot readers should be concerned.
        • Re: (Score:3, Informative)

          That's a stretch: the APIs are completely different, as are most of the system services and the way the kernel works. In fact, most of it is different.

    • ARDAgent on Tiger (Score:3, Insightful)

      by goombah99 ( 560566 )

      I've tried the ARDAgent on dozens of different people's computers now and it only worked on Leopard, not on Tiger.

      Has anyone seen this work on Tiger? If so what's the configuration where it actually works.

      It also does not work on most Leopard computers as things like Fast User switching, or having remote desktop turned on (yes on) cause it to fail.

      Now as for trojans. Well what can you say. All computers are vulnerable to trojans. The poker game would run on linux too.

      in the case of the poker game downl

      • Re: (Score:3, Insightful)

        by Sancho ( 17056 ) *

        Has anyone seen this work on Tiger? If so what's the configuration where it actually works.

        My wife's notebook runs Tiger, and the exploit worked there. The same set of configurations for which it works on Leopard seem to work on Tiger, too:

        User must be logged into the desktop environment (not just logged in through SSH). You must not have used Fast User Switching to log in. ARDAgent must not be running.

        All computers are vulnerable to trojans. The poker game would run on linux too.

        Yup. Of course, the main reason that Mac-using Slashdotters point to for why OS X is more secure than Windows is that you aren't running as administrator. Seriously, go look at any OS X/Appl

  • by Anonymous Coward on Wednesday June 25, 2008 @02:47AM (#23930633)

    The second relies on social engineering: it's a poker game that requests the user's password, claiming to have detected a 'corrupt preference file.' It then takes control of the computer.
    Worst. Trojan. Ever.

    Hey guys, I've got a great new idea for a worm. I'm gonna start an e-mail chain letter that tells people they'll have 7 years of bad luck if they don't forward the e-mail to 10 friends and send me their root passwords, IP address and their bank account and credit card numbers. It's sure to be a smashing success!
    • by hdparm ( 575302 )

      Are you trying to prove the concept, or something?

    • Agreed.

      I received a 'proof of concept trojan' in Mac Mail a few days ago. It was an email telling me my university account was being updated and I should reply with my username and password to confirm it was still active.

      Fortunately I received a 'patch' shortly after in the form of another confirming my suspicions that the first one was a hoax.

      Honest question; aside from advertising for some security company and 'Macs aren't teh 100%%%%% sekure!1' flamebait, what purpose does this article serve?

    • Re: (Score:3, Insightful)

      by rwiggers ( 1206310 )
      Unfortunately I think it will be a huge success. People do the dumbest things all the time. Otherwise I wouldn't see, every now and then, a non-news item in the paper about some lottery-ticket scam and the police saying it's quite common. Just in case a lottery-ticket scam isn't common in your area: someone approaches the victim saying that they have won the lottery, but for some bogus and nonsensical reason can't claim the prize, so they need to exchange the ticket with the victim for a fraction of the prize...
    • by Steauengeglase ( 512315 ) on Wednesday June 25, 2008 @07:11AM (#23932541)

      Just like a Mac fan. Complain that 3rd party Trojans aren't good enough for them.

    • Worst. Trojan. Ever.

      Oh come on. That has to be the coolest trojan ever. I almost want to give it my password!

  • by frictionless man ( 1140157 ) on Wednesday June 25, 2008 @02:48AM (#23930643)
    Hi Slashdot User!

    We have detected your Slashdot account preferences have been corrupted.

    To fix this, please post your user id and password in response to this message, and one of our customer service operatives will fix your account and recover posting privileges as soon as possible.

    Yours Sincerely, Trojan
    • Re: (Score:3, Funny)

      by i'm lost ( 1247580 )

      I need my preferences fixed. My password is 12345.

    • by Anonymous Coward on Wednesday June 25, 2008 @03:10AM (#23930801)

      User Id: Anonymous Coward
      Password is blank.

      I hope you fix my preferences soon, my karma never seems to go up, no matter how much I get modded up.

    • by JohnBailey ( 1092697 ) on Wednesday June 25, 2008 @03:27AM (#23930909)
      Wow.. thanks for the heads up.. my password is "********"
    • Well, my password is the prime factorization of my user id concatenated from small to large to one string.

  • Lame (Score:5, Funny)

    by grusin ( 1112113 ) on Wednesday June 25, 2008 @02:49AM (#23930651)
    On windows they do that without asking for password
  • Apple spin (Score:4, Funny)

    by Centurix ( 249778 ) <centurix@gmPERIODail.com minus punct> on Wednesday June 25, 2008 @02:51AM (#23930681) Homepage

    iTrojan, custom trojan, personally designed by Steve Jobs' evil twin Rodney Jobs, the UI would be beautiful, white, sterile. Mass infection through Starbucks WiFi.

  • Yawn (Score:5, Insightful)

    by rsmith-mac ( 639075 ) on Wednesday June 25, 2008 @02:56AM (#23930717)

    We go through this about twice a year with the same results every time. "Someone" releases a trojan, presumably as proof that Mac OS X has security holes. Then everyone gets whipped into a frenzy, and ultimately no one is infected by the damn thing in the first place. Mac OS X does have its holes (some of which are quite unreasonable), but trying to scare the users (into buying anti-virus software, perhaps?) gets tiring after a while. No one has yet done anything that matters with these trojans and security vulnerabilities; the real troublemakers continue to target Windows.

    Mac OS X's day will definitely come at some point, but if people keep crying wolf every time someone whips up a theoretical and entirely implausible situation, no one is going to believe the security community once some black-hat does finally decide to attack the Macs.

    • Re: (Score:3, Insightful)

      by tibman ( 623933 )

      The poker game trojan sounds pretty lame too. The program must be downloaded and run first, which pops open a quasi-phishing "error: type your password here to fix" message. Infection vectors seem key to how fast these things spread. Having a file mac users have to manually download first is slow/weak, and I doubt the downloaded file would be manually copied to another machine and run.

      • by Sycraft-fu ( 314770 ) on Wednesday June 25, 2008 @03:48AM (#23931043)

        I swear, some people go out of their way to infect their machines. The one that stands out in my mind the most was a virus for Windows a number of years ago. Came as an attachment in a message that said "Hi I send you the file in order to have your advice." So never mind the bad grammar and such, but before campus got hit we got wind of the thing and sent out an e-mail message to all users saying "Don't open this shit it's bad news." One of the users called in saying she was having problems with e-mail, we came and looked. The "problem" was that she wasn't an admin and so, thankfully, couldn't run the damn virus.

        Or somewhat more recently we had a virus that slipped by our e-mail scanner. It did so by sending itself in encrypted zip files, and then putting the decryption key in the message. That meant you had to open the mail, save the zip, open the zip, enter the code, extract the executable, and run it. Two users did just that and got infected.

        So while it seems amateur to do a "Download this, then enter your password" kind of trojan, that shit works waaaay more than you'd think.

        • Somebody I know forwarded me a message saying something like "There is a virus on your system. To remove it, search for the file COMMAND.COM and delete it."

          Shortly after that I got a panicky phone call. Apparently they didn't have a working system any more.
    • Re: (Score:3, Insightful)

      by Simon (S2) ( 600188 )

      I completely agree with you, and I too think that Mac OS X's day will definitely come at some point, and that will be the time Mac has a bit more market share. At the time being it just doesn't make sense to write a large scale virus/spambot/trojan for the mac platform.
      But anyway, just knowing that a Trojan is "possible" on the mac should make mac users aware that if someone targets their machine they are just as vulnerable as a windows user (executing untrusted code locally is just bad on any platform).

      • by flnca ( 1022891 )
        Mac viruses already make up a significant percentage of spam mail in my mailboxes (.hpx files and other fun stuff). To be blind to such threats is simply irresponsible, methinks.
    • Re: (Score:2, Insightful)

      by mentaldingo ( 967181 )

      I think the point of TFA was to show that these things aren't theoretical and "implausible". Security isn't just about viruses: even if your so-called "troublemaker" virus-writers mostly target Windows machines, if there is a bounty on your Mac, it would be easy for someone to root it (in fact, some parts of the hack would be easier than on windows!).

    • by flnca ( 1022891 )

      once some black-hat does finally decide to attack the Macs

      Unfortunately, there are already hundreds of Mac viruses. I have some super-spammed e-mail accounts, that get hundreds of infected e-mails per day, and more often than not, viruses come with ".hpx" extensions and other MacOS file extensions. Ignoring these threats could have severe consequences for a Mac user, if they would click on such file.

      Someone could say "yeah ... but MacOS X is a Unix system, so the threat would be limited to the current user", but one should remember that MacOS X has a heavily

      • by JPRelph ( 519032 )
        Any viruses with a .hqx extension are likely to be Mac OS 9 and below viruses (ie Classic) that literally won't run at all on current Macs. There were viruses for Classic Mac OS, but I'm unaware of any "real" viruses (ie not trojans or the few proof of concepts) for OS X. Certainly nothing that could be classed as a significant threat. Not saying that there aren't issues with OS X (it always amazed me that InputManagers were never really targeted), just that there hasn't really been any seriously weaponis
    • Re: (Score:2, Insightful)

      by INT_QRK ( 1043164 )
      Your allusion to anti-virus software calls to mind a serious question that's been on my mind for some time. Since computer security software (anti-virus, anti-spyware, HIDS, NIDS, etc.) is relied upon not only to protect consumers, but also industry, government, and virtually every other institution of our society, how is it not considered Critical Infrastructure, subject to government monitoring, regulation, testing, or standards of conduct and performance? I'm curious, because installing such products seems
    • Re:Yawn (Score:5, Insightful)

      by Aram Fingal ( 576822 ) on Wednesday June 25, 2008 @09:39AM (#23934687)
      I have been one of the first to point out the same thing in each of these past cases, but this is different. We have a scriptable application setuid to root. That's an obvious vulnerability on a silver platter. What was Apple thinking?
      • Re: (Score:3, Informative)

        by NtroP ( 649992 )

        I have been one of the first to point out the same thing in each of these past cases, but this is different. We have a scriptable application setuid to root. That's an obvious vulnerability on a silver platter. What was Apple thinking?

        The application in question is NOT suid on my system (Yes, I looked inside the .app too). I think it's likely that a third-party app or framework, like MacPorts or something, is responsible for making the change - "fix permissions" should take care of it - I don't think this is Apple's fault.

  • Grrr... (Score:5, Insightful)

    by mallardtheduck ( 760315 ) <stuartbrockman@ h o t m a i l .com> on Wednesday June 25, 2008 @03:12AM (#23930817)

    The ARDAgent vulnerability is pretty serious and stupid, but social engineering is not OS specific. The "poker game" could just as easily be implemented on Windows or Linux.

    There is nothing that any OS can do to prevent trojans. (At least not without seriously limiting the functionality of legitimate programs.)

    Slashdot's own summary of the ARDAgent vulnerability included a "proof-of-concept"; it is trivially easy to exploit and should be fixed ASAP.

    There is no news here.

    • by TheLink ( 130905 )

      Sandboxing could help.

      https://bugs.launchpad.net/ubuntu/+bug/156693 [launchpad.net]

      • Re: (Score:3, Interesting)

        However, once you have convinced the user to download and attempt to run the program, it is a short step to getting them to approve administrator access.

        By "seriously limiting the functionality of legitimate programs" I was referring to systems such as Bitfrost [laptop.org] which, while providing strong protection against Trojans, also makes certain classes of application almost impossible to implement (i.e. a mass Flickr uploader or an FTP client).

        • by TheLink ( 130905 )
          My proposal has programs claiming what class of access they want (e.g. I need screen saver access), the user approving it and the O/S enforcing it (and optionally remembering the user's choice).

          Screensavers don't normally need network access or access to your personal documents or access to your webcam or microphone.

          So even if a "screensaver" is lying about being a screensaver, the damage it can do is limited to what a normal screensaver can do.

          Vista has sandboxing but it fails because it prompts so much th
    • social engineering is not OS specific.

      To some extent, it actually is. Social engineering depends on the characteristics of the users being targeted, which includes their technical ability as well as how they choose to set up their environments.

      What makes an OS like Windows more vulnerable than a Linux OS (say) is both the larger and more diverse user population, which increases the likelihood of catching the right kind of (gullible) user, and also the strong standardization in Windows which guarante

    • by Tom ( 822 )

      There is nothing that any OS can do to prevent trojans. (At least not without seriously limiting the functionality of legitimate programs.)

      Nonsense. Of course there are things you can do. None of them are easy, or entirely without inconvenience, but there are.

      You could, for example, get away from the "root == god" paradigm and add a user (or group) for more day-to-day admin tasks. Reserve the highest privilege level for modifications to the core system, i.e. the OS and core tools. Installing an additional screensaver shouldn't require those top-level privileges. That way, you could alarm users very strongly when a tool requires top-level pr

      • But that won't stop a trojan from installing a spambot (since a normal user still needs permission to send emails) or stealing the user's data (since a normal user still needs access to their files and access to the internet).

        What's really needed is a change from the "any program can do anything that the user can do" paradigm. Unfortunately, this can't be done without restricting the functionality of legitimate programs.

  • by Anonymous Coward on Wednesday June 25, 2008 @03:18AM (#23930849)

    For crying out loud people, the poker game one is applicable to any system you want to code it on! What does this have to do with being a Mac OS X security hole? It would work on Linux, BSD, RandomOSMadeUpOnTheSpurOfTheMoment (Infinium labs).

  • FUDmeisters (Score:5, Insightful)

    by Werrismys ( 764601 ) on Wednesday June 25, 2008 @03:22AM (#23930873)
    It's F-Secure's business to cry wolf.
    • by Sycraft-fu ( 314770 ) on Wednesday June 25, 2008 @03:55AM (#23931083)

      More like warning that just because you live in a good neighbourhood, doesn't mean you should leave your door unlocked. Too many people who have Macs take the lax approach of "Well Macs don't get hacked so I don't have to worry." Ok well maybe they generally don't (though I've seen it happen due to immense user stupidity) but you should still assume that it can happen, and have security to prevent it.

      I'm all about proactive security, not reactive. Don't wait until something is a problem, identify weaknesses and fix that shit BEFORE someone exploits it. If nobody ever tries, ok great. However if someone does, you are glad you set up security.

      As I said it is the difference between living in a low crime neighbourhood and a high one. You live in a low crime neighbourhood and figure "Oh well there's no crime here, so I don't need to bother with a door lock or alarm." Ok, that's great right up until the criminals try, then you are screwed since you had no security. Well someone who lives in a high crime neighbourhood might have to put up with attempts more often but if they have their doors locked, windows barred, alarm on and so on it doesn't matter because their security stops it.

      Computers are the same way. Just because you run a platform that isn't targeted much, doesn't mean you should just ignore security. Hope for the best but prepare for the worst, then you are ready no matter what.

      It is like backups. Backups are a waste of time and money when your system has always been reliable... Right up until the moment when it isn't and you lose all your shit. You hope you never need the backups, and most won't, since computers are pretty reliable, but you make them anyways just in case. You prepare for the worst, even if it is unlikely, so that if it hits you aren't screwed.

      • What do you mean "Worry?" About what? Running crappy shareware?

        Trojans and phishing are pretty solidly entrenched in the minds of the Mac userbase with some sort of clue, and those without a clue are generally unaware that there's such a thing as F-Secure, and are unlikely to download dodgy shareware apps anyhow.

        I keep hearing alarm bells rung, and it always turns out to be much ado about nothing. The Mac uses a modern privilege escalation model, and Apple's taken some pains to make sure their systems come

  • A lot of websites are now suggesting changing the permissions on the ARDAgent to remove the SUID bit on it.

    This works until you repair the permissions (using disk utility which consults its database of permissions) and this puts it right back making you vulnerable again.
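The check NtroP describes doing by hand further up ("the application in question is NOT suid on my system") and the SUID-bit removal this comment says a permissions repair quietly undoes can both be scripted. The following is an added example, not code from the thread, from F-Secure or from Apple. It assumes POSIX sh and takes the path of the binary to audit as an argument, because the thread never states the ARDAgent path; `[ -u ]`, `find -user` and `find -perm -4000` behave the same on macOS and Linux.

```shell
#!/bin/sh
# Added example, not from the thread or from Apple: a small setuid audit.
# Assumption: POSIX sh; the path of the binary to check (ARDAgent or any
# other) is passed as an argument, since the thread does not state it.

# is_setuid PATH -> prints "yes" when the setuid bit is set, else "no".
# `[ -u ]` is POSIX and works the same on macOS and Linux.
is_setuid() {
    if [ -u "$1" ]; then echo yes; else echo no; fi
}

# is_root_owned PATH -> prints "yes" when the file is owned by root.
# `find -prune -user root` avoids parsing ls output or platform-specific stat.
is_root_owned() {
    if [ -n "$(find "$1" -prune -user root 2>/dev/null)" ]; then
        echo yes
    else
        echo no
    fi
}

# is_setuid_root PATH -> "yes" only for the combination the thread is about:
# setuid bit set AND owned by root, so every caller runs the file as root.
is_setuid_root() {
    if [ "$(is_setuid "$1")" = yes ] && [ "$(is_root_owned "$1")" = yes ]; then
        echo yes
    else
        echo no
    fi
}

# list_setuid_root DIR -> every regular file under DIR that is setuid root,
# one path per line. `-perm -4000` (octal with a leading minus) is accepted
# by both BSD and GNU find. Because a permissions repair can silently put
# the bit back, run this on a schedule rather than once.
list_setuid_root() {
    find "$1" -type f -user root -perm -4000 2>/dev/null
}

# Usage (paths are placeholders; substitute the binary or bundle you audit):
#   is_setuid_root /path/to/some/binary
#   list_setuid_root /path/to/some/app/bundle
```

The per-file check answers the question a single reply in this thread asked ("is it suid on my box?"); the directory listing is the recurring control, since the comment above points out that a one-time chmod does not survive a permissions repair.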

  • by ktappe ( 747125 ) on Wednesday June 25, 2008 @07:46AM (#23932945)

    we can expect that future trojans won't just politely request your password.
    Um....except that they won't have any choice. If they want to modify the filesystem, OS X won't let them unless they've obtained authority and that requires them doing so via the authentication system that asks for the user's password. The above fact IS the OS X security system doing its job. If a user chooses to subvert the system by entering their password whenever requested without asking any questions, then how is that OS X's fault? Do you hand your housekey to any random guy who walks up on the street? Then don't give your password to random software. I could tell before I even checked that this "story" was approved by kdawson.
  • These trojans are purely payload. The delivery mechanism is still social engineering... not remote execution. We know that "once you're penetrated you're ****ed", pointing out again the ways you can be ****ed is not news (for nerds or otherwise) nor stuff that matters.

    These are not the viruses you're looking for. Nothing to see here, move along.
