June 24, 2008 9:18 AM PDT

Trojans exploit Mac OS X ARDAgent flaw

by Robert Vamosi

Building on the Trojan released last week, a group of hackers appears to be targeting the Mac OS X platform with more variations.

Last Thursday, Mac antivirus vendors Intego and SecureMac reported a serious vulnerability in the Apple Remote Desktop Agent (ARDAgent). ARDAgent is part of the remote-management component of Mac OS X 10.4 and 10.5 and is owned by root. Thus, a Trojan that invokes the ARDAgent executable gets its malicious code run as root without a password being required.

The Washington Post's Brian Krebs reported on Monday the presence of a hacker forum devoted to the development of Trojans around this vulnerability. The particular user forum at MacShadows.com has since been removed. Krebs nonetheless managed to obtain screenshots from the forum before it was erased, and also a copy of the Mac Trojan template.

Buried within the template was an e-mail from one of the Trojan's authors, "Andrew."

"Apple tells us that OS X is safe and secure and fails to actually confirm that it is so on their own. We are left to experiment and test our own security and too often we discover that we aren't actually as secure as we were led to believe," Andrew said in an e-mail to the Post.

Despite their existence, there is no evidence these Trojans are circulating widely on the Internet.

Apple's policy remains not to talk about security vulnerabilities and therefore the company has not commented on the ARDAgent issue.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
15 Comments
by Vegaman_Dan June 24, 2008 9:38 AM PDT
PENGUINISTO? We need your help to explain about these non-existent exploits.
by William Schnippert June 24, 2008 9:51 AM PDT
I'm no security expert. However, it was my understanding that default installs of OSX leave the root account disabled. So if root is disabled, how does this malware run as root?
by ballmerisanape June 24, 2008 10:06 AM PDT
Good point. Root and Admin are very different things. If this does indeed allow root access even though it has not been enabled.. this is a bigger deal than was previously reported. Admin access can only affect a user account... not the system.. root can do anything.
by penguin_hfx June 24, 2008 12:22 PM PDT
It would most likely be running with the suid bit set. So if the running daemon is owned by root, it would get root privileges. Locking the root account in the shadow file only disables login as user root. But sudo su can get you a root prompt with a regular account if you are in the sudoers list in /etc. Normally an admin group gets full privileges using that, and the first account that the Mac user created would most likely belong to the group. So if there is a flaw in a daemon with the suid bit set or running as root that allows privilege escalation, it is theoretically a big risk. (Though it depends on ways to exploit it practically.) Implementing full mandatory access controls for running daemons is a way to sandbox them so that an exploit won't be able to get privileges beyond what is explicitly allowed in the access control rule set. There have been numerous exploits like these for all platforms over the years. I have seen Solaris boxes hacked using a vulnerability with dtlogin that allows privilege escalation to root. So disabling the root account by default doesn't prevent someone in the admin group from becoming root via sudo. Also, as I mentioned before, if the daemon is running with the suid bit set and owned by root, disabling root login has no bearing on the ability to get root privileges via an exploit that allows privilege escalation.
by amandachuck June 24, 2008 9:58 AM PDT
ARDA runs as root but must be enabled by the user first. While Apple should patch the flaw, considering how the Trojan would get onto the machine (user actively downloads it or actively opens an application they are not confident of), and then the way it works (ARDA must be enabled), it's not going to invade a lot of computers. Yet.
by ballmerisanape June 24, 2008 10:03 AM PDT
I can make an AppleScript in 2 minutes that will delete your home folder when you reboot. All you have to do is download it on purpose, and enter your admin password when prompted.

It's your decision. This is basically nothing more... there are tons of bad things that you can do to the Mac OS when someone is willing to give up their admin password.

No OS maker can protect against a naive computer user. That said, there will be a fix for this in a week, if it indeed takes advantage of a system "flaw".

Virus count is still 0.
by amandachuck June 24, 2008 10:16 AM PDT
No, but it sounds as if you can run the script without a password because ARDA is root even if the user is admin or better. So, in theory, you could attach the AppleScript to a Word file and rework the icon and information to make the user think it's just a file.

But still I think OSX checks for executable code in the file and warns the user that they have downloaded an executable file before opening it. The real question is: "how many users know what that means?" They might think that Joe Schmoe sent them the Word file newsletter, so it's safe, and not even understand that OSX is warning them it's an application.
by ballmerisanape June 24, 2008 10:27 AM PDT
Yep, OSX always warns you when you download an executable file, and tells you it is an application when you first open it. Unfortunately, people will open it anyway... the same people who click on links in their email and then enter their credit cards for "age verification"... Most Mac users have used Windows before, and are all too familiar with these types of exploits, and as a result are a little more tech savvy than the average computer user.
by Perry_Clease June 24, 2008 10:29 AM PDT
"Joe Schmoe sent them the word file newsletter"

Oh God! I can visualize it now, all 24 pt Bold Arial, photos with more artifacts than the Valley of the Kings, widows and orphans, dogs and cats living together. :)
by open-mind June 24, 2008 10:43 AM PDT
I don't like the way this article seems to flip-flop between discussing vulnerabilities and exploits. Sure, last week's Trojan was an exploit, but you had to download it, run it, and type your password for it to work. Every platform has this "vulnerability".

The ARDAgent vulnerability mentioned is completely different, since it hasn't been exploited yet. And to exploit it, AFAIK, you need to activate and allow remote desktop control, but *not* turn on Remote Management. The Intego link states this: "There are cases where this exploit does not work. If a user has turned on Remote Management in the Sharing pane of System Preferences under Mac OS X 10.5, or if a user has installed Apple Remote Desktop client under Mac OS X 10.4 or earlier and has activated this setting in the Sharing preferences, the exploit will not function."

I'm not sure how likely it would be to have ARDAgent active with Remote Management off. It would be nice if the article explained this. It's hard to know who to believe. Clearly Apple wants OS X to be perceived as secure; however, the news media and Intego are motivated to exaggerate any such issues when they can.
by dbakerstl June 24, 2008 11:03 AM PDT
Well, I think many are missing the point. Even though root LOGON is disabled by default, processes on OS X can still run as a super user. The ARDAgent has a sticky bit set so it runs as the "owner" of the file. The root account still exists, you just can't log into it :)

This is a serious flaw, and it's my understanding that you don't need to enable ARD for you to be affected by this flaw; the AppleScript launches ARDAgent, and this has escalated privileges. You can remove the ARDAgent file and then you would be safe :)

But because of the nature of this attack, just like many PC Trojans, you can easily embed this AppleScript in an application setup program. I.e., you go on IRC, or download a torrent of some poker software or something, and BAM, you get poker, and your system gets hacked. Once the script is run, it can open ports in your firewall, change any config file, modify your NetInfo DB, etc. And you would have no idea. Tons of Mac users do not run antivirus, and tons more are not "power" users and would not know that something was going wrong with their system.

Anyone who does not think this is serious should get a reality check. This is how everything started with PC users: it's not the power users that are at risk, it's the kids that click on things, and older adults that have no idea what they are doing...
by ballmerisanape June 24, 2008 11:14 AM PDT
Poker games don't need your password. Most Mac users know this, as the majority of Mac applications are "portable" and don't need access to system files to run. You don't get warnings and password prompts every 10 minutes like on Windows, so when OS X asks you for your password, you know something needs a high level of access/permission. But, like you said, there will always be people that don't think.
by dbakerstl June 24, 2008 7:02 PM PDT
Well, I don't think you understand that there is no prompt for a password; that is the whole issue. You can have an unprivileged script attack a flaw in ARDAgent, thus giving it ROOT privileges.
There would be no password prompt; all you need to do is run the script, and that could be embedded in an installer script, or a fake installer for a popular application (Photoshop, etc.) that a user D/Ls from a torrent, or IRC. Or are you going to now tell me that NO Mac user downloads illegal software.... heh
by NikEst June 24, 2008 11:15 AM PDT
It's not really that serious until it becomes distributed. They'd have to start sneaking it around now for it to get anywhere. They're right, it'll be patched pretty soon. No need for these doomsday propositions.

I wonder why this Trojan made so much news? Oh, wait, that's right, it's one of a very small handful that affects OS X. That must be why we don't hear about the dozens of viruses and Trojans released for Windows every day; too many to be newsworthy anymore.
by digbychicken June 24, 2008 11:25 AM PDT
Wow, again CNET is reporting this flaw, it must be serious, but again the hot fix isn't reported.

Log in as a user with admin credentials, go to /System » Library » CoreServices » RemoteManagement.

Right click ARDAgent, select Compress "ARDAgent", then delete ARDAgent and empty Trash.

Sorted.
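The setuid mechanism penguin_hfx describes above, and the RemoteManagement directory digbychicken points at, can both be checked from the defender's side with a short audit of setuid executables. This is an added example, not code from the article or from any commenter; it assumes the /System/Library/CoreServices/RemoteManagement directory named in the comment, and builds a constructed sample tree under mktemp so it runs on any POSIX host without touching real system files.

```shell
#!/bin/sh
# Added example, not code from the article or its commenters: a defender-side
# audit of setuid executables, the property the thread attributes to ARDAgent.
# Assumptions: the RemoteManagement directory below is the one named in
# digbychicken's comment; the sample tree under mktemp is constructed here.

# List every setuid file under the directory $1, one "mode owner path" per line.
audit_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        # ls -ld is used for mode and owner because stat's flags differ
        # between BSD/macOS and GNU; fields 1 and 3 are mode and owner.
        set -- $(ls -ld "$f")
        printf '%s %s %s\n' "$1" "$3" "$f"
    done
}

# Number of setuid files under $1, with no surrounding whitespace.
count_setuid() {
    audit_setuid "$1" | wc -l | tr -d ' '
}

# Check the ARDAgent directory (or the directory given as $1) for setuid
# binaries. Exit status 1 means at least one was found and needs review;
# 0 means the directory is absent or holds no setuid files.
check_ardagent() {
    dir=${1:-/System/Library/CoreServices/RemoteManagement}
    if [ ! -d "$dir" ]; then
        echo "not present: $dir"
        return 0
    fi
    if [ "$(count_setuid "$dir")" -gt 0 ]; then
        echo "setuid binaries under $dir (review before relying on this host):"
        audit_setuid "$dir"
        return 1
    fi
    echo "no setuid binaries under $dir"
    return 0
}

# Build a constructed sample tree so the audit can be exercised on any
# POSIX host: one setuid script standing in for an agent, one ordinary helper.
# Prints the temporary root directory; the caller removes it.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/RemoteManagement"
    printf '#!/bin/sh\necho agent\n' > "$d/RemoteManagement/agent"
    printf '#!/bin/sh\necho helper\n' > "$d/RemoteManagement/helper"
    chmod 4755 "$d/RemoteManagement/agent"   # setuid bit set on purpose
    chmod 755 "$d/RemoteManagement/helper"
    printf '%s\n' "$d"
}

# Demonstration on the constructed tree; no real system files are touched.
sample=$(make_sample_tree)
check_ardagent "$sample/RemoteManagement" || :
rm -rf "$sample"
```

Run without arguments on a Mac, `check_ardagent` inspects the real RemoteManagement directory and exits non-zero when a setuid binary is present, which makes it usable as a one-line inventory check in a configuration audit; the exit status, not the printed text, is what a script should act on.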