Mac OS X Trojan reported in the wild

On Thursday, security vendor SecureMac reported seeing new variants of AppleScript.THT Trojan horse in the wild affecting users of Mac OS X 10.4 and 10.5.

The new variations exploit a vulnerability within the Apple Remote Desktop Agent, and can avoid detection by opening ports in the firewall and turning off system logging. The new Trojans can log keystrokes, take screen shots, take pictures with the Apple iSight camera, and enable file sharing, according to SecureMac.

The Trojans are using an AppleScript called ASthtv05 and/or may be bundled as an application. You must download and execute the file for your Mac OS X system to become infected.

SecureMac makes the MacScan, antispyware security software for Mac OSX.

[thoughtbrain]

<a class="jive-link-external" href="http://www.clamxav.com/" target="_newWindow">http://www.clamxav.com/</a> ClamXav is a free virus checker for Mac OS X, updated daily..

[catbutt5]

Yeah, I once saw Bigfoot too. He was at the porn site where all of the Anti-virus makers are trying unsuccessfully to create and release some Mac malware.

[catch23]

The biggest security problem in computers is vendors and users not taking threats seriously. <br />So you just keep saying that. Someone will be along at some point to kick over your machine.

[Penguinisto]

taking threats seriously is one thing. pointing at convoluted trojans and crying "wolf! wolf!" OTOH is sheer idiocy.

[iertry]

Take pictures with isight camera! That's extremely worrying. Any suggestions on how we can avoid this? Is this a 'proper' virus or one of the silly ones that requires you to be stupid and download it and install it etc like previous mac viruses.<br /><br />Hope theres a fix for this soon.

[Dalkorian]

Terminology update for Iertry: viruses infect your machine without interaction, just like a virus in the real world makes you sick without you doing anything unusual (except for contacting a sick person of course.) A trojan horse is as it's name implies, it's a malicious program that masquerades as something else (a codec or other program). Just like the trojan horse of old, you have to install a trojan horse yourself, but you're "tricked" into doing it. This vulnerability is a trojan horse and not a virus, meaning yes you have to go infect yourself like previous mac vulnerabilities. I don't think there has been a "mac virus" for OSX (there were some for OS9) because it's really hard to do (linux has the same protection), unlike winblows. Trojan horses are relatively easy to do in any OS (winblows, OSX, Linux or whatever else), the "trick" is to fool the user into installing it ("you need this codec to view this video file", or maybe "this is the funnest thing to put on your computer!"). Once you violate the security at the chair behind the keyboard, you pwned the machine. Period.

[jag0]

You can always tell how much of an elitist ****** someone is by how many times they use terms like "Winblows" or "Windoze"

[aka_tripleB]

Thank God, I and 91% of the world are safe from Trojan horses because Dalkorian didn't mention it in his post.

[Vegaman_Dan]

This hole is currently now being exploited by multiple malware applications including poker games, online trading, ebay trackers, etc. Looks like the kids are quick in getting it included in a lot of places. It can come through any file sent to you. Currently the best advice that people have been given is to avoid opening files from the Internet. Unfortunately there are currently no means to scan files downloaded to determine if they contain this malicious code as virus scanners and such simply aren't available for the Mac in this manner. I expect the problem, which is a serious hole in OS X by exposing the root account without any effort will be addressed quickly by Apple. Right now, anything you can do in the root account is now possible by anyone else that wants to write the exploit for it. It's all about gift wrapping that trojan. Expect it to be fixed fast.

[frantaylor]

A bit of electrical tape over the camera lens works well.

[dbargen]

I wouldn't call something you have to purposefully click to download, click to verify download , and then authenticate to install before it operates virus or trojan. It would be hard to even call it malware! There is no way to accidentally initiate this program. <br /><br />Sorry folks, there still aren't any real viruses/trojans, etc. out there for OS X. Move along.

[giyad]

It comes bundled in an application, you would be installing it without knowing. But obviously if you are installing something you would probably download it from a trusted vendor so yes it still doesn't count, but I wouldn't be surprised if a virus/trojan came about pretty soon.

[jag0]

Ummm how do you think (ignorant) people get some viruses on their PCs? They download, verify and install software that they are "fooled" into thinking is actually useful.

[Dalkorian]

My goodness it's funny how winblows has confused this issue. This isn't hard people, there is a very distinct difference between a virus and a trojan horse. Trojan horses are installed by the user, who was tricked into installing it (maybe it's masqueraded a video codec, or a game, or a machine performance scanner - either way the user installed it thinking it wasn't malware). Viruses install themselves without user interaction, you just "pass them" on the internet and you're infected (like a virus in the real world, the only thing you did to catch that last cold was to come into close proximity to someone else who was sick). Winblows is good at getting infected with viruses because it has swiss cheese afterthought security - any 12 year old script kiddy can pwn a winblows box in short order. It's been done. Many times before. OSX and Linux might be capable of being infected with viruses, but it's orders of magnitude harder to do (think of a team of programmers working for a month, instead of a punk pushing keys for an hour or two). Listen carefully - so far there is no such thing as an OSX virus (note that there were viruses for OS9, which wasn't anywhere near as popular as OSX is so that idiotic "market share" argument is bunk). There have been a few trojans written for the platform (this article is about the newest one), but no one has written a virus for OSX. Yet. It might happen someday and the only "safe" assumption is that it *WILL*, but OSX and Linux users both have no need so far for the extreme paranoia that winblows users must posses to be safe on the internet. Period.

[Thomas, David]

If it tricks you into installing it, masquerading as something else, it is a trojan.

[Vegaman_Dan]

Strangely enough, if you did this on a Windows system, people would be quick to say that it's a virus. Should we expect Macintosh users to have a double standard?

[pcbear]

I saw a new Anti Virus come out for Mac OS X the other day called iAntivirus. It is free and looks pretty good. Don't know about ClamxAV

[Kev Orng]

Honestly, before I trust an anti-virus vendor trying to scare me into buying their product, I'd count on the kids and the developers and code monkeys who hang around at Macrumours and TUAW to not only detect a real threat weeks before I have to worry about it, but also to post a full tutorial on how to avoid/remove it. <br /><br />That would probably go something like "don't agree to install X" but if you do, "drag X to trash" followed by "secure empty trash"<br /><br />The point being, of course, that the only bad thing that could theoretically infect a Mac is a Trojan, and the only way it can get on there is if you choose to install it, and even if you do, it does not insinuate itself into the registry like in Windows, so you can delete it easily.<br /><br />You'd have to do some pretty fancy footwork to convince me to install something I didn't ask for.

[jag0]

"You'd have to do some pretty fancy footwork to convince me to install something I didn't ask for." &lt;-- It exists and it does happen. I cleaned out a "Spyware" program from a cousins computer that was actually full fledged spyware, malware and trojan all rolled into an impressive package. It was both scary and impressive at the same time.

[Kev Orng]

@jag0<br />You're right, of course, that it does happen. But I'm not your cousin! :-)

[Dalkorian]

"The point being, of course, that the only bad thing that could theoretically infect a Mac is a Trojan, and the only way it can get on there is if you choose to install it ..." So far, you're perfectly safe with that assumption. You should note that it IS an assumption though, as nothing in the world is perfectly anything. It might be possible to write an OSX virus, given enough resources (think of a team of programmers, attacking the OS for months looking for a way in ...). It hasn't happened yet though, in part (mostly? completely??) because it would be exceedingly difficult to do. But to go so far as to claim it's theoretically impossible is a little naive.

[DrtyDogg]

@Dalkorian. Also creating a "virus" by your definition, for the mac would be a waste of time, trying to just attack 4% of the worlds computers, protected or not would result in very little gain for malware writers, while hitting an easier target at 90+ percent results in a impressive gains. Also with the smaller market share a trojan is easier to execute as only Mac users will download the package(whatever it is hidden as) and not be wasted on Windows users.

[frantaylor]

DrtyDogg, your data is obsolete. Macs are now almost 8% of the market. That's tens of millions of machines. Plenty of justification for malware.

[amandachuck]

A trojan always requires user intervention, right? That's why it's a trojan (you have to welcome it in, thinking it is something else).<br /><br />When you download an app for a Mac, it asks if you want to run it and tells you when you downloaded it. Also, if it tries to propagate, each user who gets a copy will be told it has been downloaded and to be sure you know where it came from.<br /><br />Unless it can attach itself to other programs and hide, it is only a threat to people who purposely download it.

[Dalkorian]

Well, bingo. This is why trojan horses will always be a threat of sorts for all platforms. If you can breach the security between the chair and the keyboard, you have the keys to the kingdom and can do anything. It's surprisingly refreshing to see someone on this blog who actually understands the article. I don't know of a good way to protect yourself from a well written trojan horse on any platform (except the obvious "solutions" of not being an idiot and having AV software installed, but AV software only protects you from KNOWN malware so it's still possible to get infected with something like this before the AV guys figure it out - meaning there is still a window of vulnerability if you're willing to assume that people will be idiots at times. Example, how careful are you when you surf the web after a night of heavy drinking?).

[Igiveup2]

"....AV software only protects you from KNOWN malware so it's still possible to get infected with something like this before the AV guys figure it out...." AV software that relies entirely on a signature database is pretty seriously behind the curve these days. The only AV softwares worth having include a realtime heuristic scanner against zero day threats.

[Vegaman_Dan]

Social engineering completely blows this argument out of the water these days. What would the average Mac user do when they get a message on the screen to update iTunes? Or any other application on the system? Will they be wary enough to realize that this sort of dialogue box wouldn't normally come up by visiting a web site? <br /><br />Click.<br /><br />BOOM. You're infected. A clever person can make that dialogue box say anything that is necessary to fool a person into clicking it- up to and including swapping the YES/NO button functionality regardless of text being displayed. <br /><br />Yes, the technically saavy person will recognize it for what it is- but those same people aren't the ones that fall for phishing schemes every day. It's those ignorant people (through not fault of their own, mind you- they have been taught that Macs simply work without any effort on the end user's part) that some malicious group will target. Get the machines infected, create a botnet and sell it to others. And those same people will never know they have a problem or even know that they should check for a problem because they have been brainwashed to let others do the thinking for them. Those are the people I worry about. People posting and reading comments here won't be an issue. Mary Smith's parents who were given a Mac are the ones I am concerned about.

[AnthonyNYC]

But that is just it, it hides in other applications, so you say ok to load something else and get the hidden trojen along with it, otherwise no one would ever choose yes to instal a trogen. Trogens are always hidden in other application, hence the name trogen, like the Trogen horse, with hidden soldiers inside.

[amandachuck]

No it doesn't. It may be "bundled as an application" but that is in reference to an AppleScript being able to be a standalone application should you choose. Now, can they name it "Adobe Photoshop" and give it the photoshop icon? Sure, but if you download Photoshop from anywhere but Adobe, that's a risk you take. That's not the same thing as embedding itself in a valid application. That's a WORM, not a trojan.

[Vegaman_Dan]

This file can come from any source now. It's showing up as part of a poker application, ebay tracker, and even as spam mail. Since Mac users have been taught to trust everything online because they are invulnerable, I expect that they will indeed click blindly on any file sent to them. One of the exploits (poker) disables being detected and hides itself quite well. There's no real way to tell if you are or are not infected at this time. It's only a few hours old so I expect there will be some instructions soon from Apple to fix this. They can't afford to ignore it as the numbers of infections is climbing quickly and zero protection available.

[Penguinisto]

This would still require you to load the thing from an untrusted source. Any malware can be added to any program - no one is arguing otherwise. BUT... if you don't trust the source (e.g. trusted sources such as Versiontracker for OSX freeware, etc), then you don't simply download and install the thing. Therein lies the rub: With OSX, you're going to be evaluating what you're getting before you install the thing (at least if you have more than two working neurons in your head...) Incidentally, Vegaman_Dan is (IMHO) astroturfing (again), spreading all the FUD he can muster (yes Dan, "Fear, Uncertainty and Doubt"). As long as the web doesn't allow automatic execution of AppleScript (unlike, say, ActiveX), no problems.

[celticbrewer]

-Unless it can attach itself to other programs and hide, it is only a threat to people who purposely download it. When you download an app for a Mac, it asks if you want to run it <br /><br />Isn't that how the majority of viruses and trojans get spread? Don't ALL OSes (or more correctly, the browser) prompt you if you want to run it or not? "Hey look, if I run this, I get to chat free with some naked girl- awesome!" *click* Or files are infected that come from people you trust, but who themselves are not smart enough to avoid viruses. A threat is a threat and just because you have a mac doesn't mean you're immune.

[Kev Orng]

I am familiar, of course, with the theory that Macs have such a small market share, ergo, virus writers don't bother with them. But I don't think that's right. Fact of the matter is, me and my fellow Mac users are so damn cocky about being virus proof, that virus writers by all rights should be working overtime just to take us down a peg. C'mon, I know you coders out there are just beside yourself in frustration that you can't zap that smarmy Justin Long with some kind of crippling CPU tumour. You're just dying to yell "Virus-free this, *****!" as you send the command that will give you the power to make him cluck like a chicken while PC stands there staring with his mouth open! :-)

[Igiveup2]

The days of viruses and worms as script kiddie stunts are over. Current malware is written with an economic incentive. I can think of four things that would increase the probability of malware targeting the Mac platform: 1) increased number of Macs online = larger target, 2) wealthier user base = higher potential return per penetration, for certain types of malware, 3) changed security structure of Windows makes Windows-targeted attacks more difficult than before, although large numbers of XP machines will be in use for some years, and 4) a very complacent user base that believes its system is immune to malware, as illustrated by some of the responses to this article.

[Vegaman_Dan]

Do you honestly believe that if someone wrote a virus or trojen that targeted Mac users that the Mac Zealot would actually admit it or even acknowledge it? Or would you just try to dismiss the matter as unimportant or try hide their heads in the sand and hope it goes away before someone notices like the comments here are suggesting? It's curious to see the results.

[The_happy_switcher]

Shivver me timbers!

[Penguinisto]

Exactly - plus the marketshare argument falls flat for two additional reasons. First, 10% marketshare would predicate 10% virus/malware rates, right? Doesn't seem to hold for Macs, does it? Second, Apple's "small" marketshare comprises millions upon millions of computers... all of them running a fairly homogenous environment (OSX), with LOTS of apps common among them. In a world where forty thousand machines represent a titanic-sized botnet, the chance of getting hold of (potentially) millions of virgin machines with little-to-no competition from other malware writers? Pfft - that alone should tell you that anyone pushing the marketshare argument is damned ignorant at best, a flaming idiot at worst.

[kojacked]

If I had a choice to rob two banks and one had 10% of the world's wealth and the other had 90% of the world's wealth would I allocate a proportional amount of my crew to each bank or rob the bank with the most bounty? Peng you wouldn't make a great bank robber. I think you are better off sticking to your crayons...

[ArturoYee]

If it is in the wild - what are the statistics - any count of infected machines?

[Penguinisto]

I'm thinking "statistical zero", in spite of all the Fear, Uncertainty, and Doubt that the MSFT astroturf squad can muster. ;)

[Vegaman_Dan]

The exploits are multiple under different names with more coming currently. It's only a few hours old so I don't think there is any count yet really. I expect due to the severity of this one (root access without any restrictions simply by having an end user open any file that is masquerading as another) will be addressed very quickly by Apple. They haven't had anything this serious in a long time, so they should be quick to fix it. Give them some time to take care of it.

[The_happy_switcher]

That would have to actually begin the process of actually using facts. Why bother when FUD is easier and more fun?

[Vegaman_Dan]

I don't see this as a real issue. Announce the issue on a Friday afternoon, probably won't see anything about it until the tech news world starts up again on Monday.<br /><br />Remember, if you're on a Mac, you have nothing to worry about. Please take AppleRocks' advice and stick your head in the sand. Also, please run out into traffic - you're invulnerable, right?

[The_happy_switcher]

I saw bigfoot in the wild too.

[Rawnchie14]

andddd IT BEGINS...<br /><br />With great market share, come great viruses. Enjoy!

[The_happy_switcher]

"andddd" What's began your stuttering problem?

[Penguinisto]

If that's the best they can do, then I'm guessing "no worries". At all. ;)

[Rawnchie14]

LOL these comments are hilarity. You're like children being released into the big cruel world, "Don't talk to strangers now!"<br /><br />Mac users, LOL - having to actually think when you use your computers, OH NOES.

[The_happy_switcher]

I was a windows user for 17 years prior to switching. The problem was there was TOO much thinking about how virus/spyware was sneaking by my antivirus, antispyware no matter how good the software. I'll take peace of mind over over thinking/worrying any day.

[Vegaman_Dan]

AppleRocks1963: Congratulations on your conversion. Your peace of mind was just shattered. If you wish to continue denying reality, then that's up to you. I think there are some people in Russia and other countries counting on people like you for their next financial exploit. Looks like you're an easy mark.

[The_happy_switcher]

On the contrary, my peace of mind is constantly reaffirmed every time I read about the next Winblows exploit.

[Penguinisto]

Oh? considering that an easy majority of IT security pros use a Mac, your statement is rather ignorant... ;)

[Perry_Clease]

See the note about this trojan at <a class="jive-link-external" href="http://www.intego.com/news/ism0802.asp" target="_newWindow">http://www.intego.com/news/ism0802.asp</a><br /><br />There is a quick, and easy preventive measure using the Remote Management feature in the Sharing preferences.

[amandachuck]

There is an even quicker solution.<br /><br />Never launch a program you didn't install yourself.

[Vegaman_Dan]

I think the new story is mistaken. It's been made very clear time and time again that there has *never* been a virus for OS X *ever*. You can read through the various message boards and see endless amounts of people telling you this so it must be true. There is *no* reason to take *any* security precautions if you are using a Mac. Do *not* enable any firewall or use AV products. There is no reason or purpose for doing so. Infecting a Mac is impossible. It doesn't happen. There are no known exploits in the wild. You're simply wrong. What's that? Say again? Sorry, I had my fingers stuck so deep in my ears I couldn't hear you. You'll have to speak up. Lalalaalalalaalalalaala I can't hear you! THERE ARE NO MAC VIRUSES! LALALALALALALALALALA! (and off in reality the rest of the world sits back and laughs at the self righteous people who actually believe this)

[The_happy_switcher]

Someone skipped their meds today.

[Vegaman_Dan]

No meds- I just read through the comments already here and assembled them into one complete message. The self denial by Mac Zealots is quite funny. The problem with sticking your head in the sand is that you never see it coming until it hits you... and even now those same people will still argue there isn't any problem... or that it's actually a 'feature' instead. It reminds me greatly of the tanks rolling into Baghdad with their PR head denying it. Oh well, you reap what you sow. Do not taunt happy fun Mac.

[The_happy_switcher]

We can't see most asteroids coming towards earth, either, should we be worried about those too?

[Vegaman_Dan]

RE Asteroids: Yes, as a matter of fact there are scientists working on this very issue. They aren't following your example of ignoring the problem and hoping it will go away. Excellent example that you have provided. Thank you for the analogy.

[Penguinisto]

Heh - it's not a virus, genius... it's a trojan. Having fun spreading FUD at full amperage there, Dan?

[Vegaman_Dan]

It's a trojan, you're correct. I made that common mistake. Thank you for pointing that out.<br /><br />The issue still exists though and no matter how much you try to deny the reality, it exists there in the wild and is actively causing problems. Now is not the time for you to stick your head in the sand. You can call that FUD if you wish, but others will call it reality.

[Penguinisto]

Yep the "issue" still exists... for anyone dumb enough to hit some obscure website, download some obscure app, launch it, give it root-privilege access... Seriously - I can write a "trojan" equivalent for all versions of OSX, Linux, and UNIX right now: "sudo rm -rf / " Oh noes! They're all now JUST AS VULNERABLE AS WINDOWS!! Run to the hills! Run ! RUUUUUN! .... heh. Whatever, Dan. ;)

[kojacked]

Peng, there are plenty of dumb people out there. Just look in the mirror.

[The_happy_switcher]

I'm still waiting for the problem to be identified/proven.

[Seaspray0]

Of course the story must be mistaken. You've been told time and time again that there are no mac viruses. Download, open, and install anything you like.

[Penguinisto]

So show us one. Outside of labs and academia, there have been none for OSX.

[Vegaman_Dan]

Penguinisto- Did you read the news today? Did you actually read the story that you are commenting to? It's in the wild now- that's the entire point of the story. Go look on Slashdot, MacRumors, Appleinsider, etc. Heck, even look at Apple's own forums. I'm not sure why you are trying to deny reality, but that's up to you. The Reality Distorion field is strong within you apparently if it affects your ability to even remember the very new story you are commenting on.

[Penguinisto]

So where's the Mac __virus__, Dan? All I see is some dumb trojan.

[irfan_bugmenot]

The original forum thread in which the dastardly Trojan was developed...<br />"Remote Login Trojan"<br /><a class="jive-link-external" href="http://www.macshadows.com/forums/index.php?showtopic=8640&#38;hl=" target="_newWindow">http://www.macshadows.com/forums/index.php?showtopic=8640&#38;hl=</a>

[MrMe003]

really do you really think that some program can access your camera.<br /><br />this cannot be happened.. screenshots and keyboard logging is normal but access a webcam isnt.. that isnt dosnt work from the same application helpers or DLL(how to tell windows users) so dont panic.