Trojans exploit Mac OS X ARDAgent flaw

Building on the Trojan released last week, a group of hackers appear to be targeting the Mac OS X platform with more variations.

Last Thursday, Mac antivirus vendors Intego and SecureMac reported a serious vulnerability within the Apple Remote Desktop Agent (ARDAgent). It is part of the remote-management component of Mac OS X 10.4 and 10.5 and is owned by root. Thus, the ARDAgent executable runs this malicious code as root without requiring a password.

The Washington Post's Brian Krebs reported on Monday the presence of a hacker forum devoted to the development of Trojans around this vulnerability. The particular user forum at MacShadows.com has since been removed. Krebs nonetheless managed to obtain screenshots from the forum before it was erased, and also a copy of the Mac Trojan template.

Buried within the template was an e-mail from one of the Trojan's authors, "Andrew."

"Apple tells us that OS X is safe and secure and fails to actually confirm that it is so on their own. We are left to experiment and test our own security and too often we discover that we aren't actually as secure as we were led to believe," Andrew said in an e-mail to the Post.

Despite their existence, there is no evidence these Trojans are circulating widely on the Internet.

Apple's policy remains not to talk about security vulnerabilities and therefore the company has not commented on the ARDAgent issue.

[Vegaman_Dan]

PENGUINISTO? We need your help to explain about these non-existant exploits.

[William Schnippert]

I'm no security expert. Howerver it was my understanding that default installs of OSX leave the root account disabled. So if root is disabled how does this malware run as root?

[amandachuck]

ARDA runs as root but must be enabled by the user first. While Apple should patch the flaw, considering how the Trojan would get onto the machine (user actively downloads it or actively opens an application they are not confident of), and then the way it works (ARDA must be enabled), it's not going to invade a lot of computers. Yet.

[ballmerisanape]

I can make an applescript in 2 minutes that will delete your home folder when you reboot. All you have to do is download it on purpose, and enter your admin password when prompted.

It's your decision. This is basically nothing more... there are tons of bad things that you can do to the mac os when someone is willing to give up their admin password.

No OS maker can protect against a naive computer user. That said, there will be a fix for this in a week, if it indeed takes advantage of a system "flaw".

Virus count is still 0.

[amandachuck]

No, but it sounds as if you can run the script without a password because ARDA is root even if the user is admin or better. So, in theory, you could attach the applescript to a word file and rework the icon and information to make the user think it's just a file.

But still I think OSX checks for executable code in the file and warns the user that they have downloaded an executable file before opening it. The real question is: "how many users know what that means?" They might think that Joe Schmoe sent them the word file newsletter, so it's safe, and not even understand that OSX is warning them it's an application?

[Perry_Clease]

"Joe Schmoe sent them the word file newsletter"

Oh God! I can visualize it now, all 24 pt Bold Arial, photos with more artifacts than the Valley of the Kings, widows and orphans, dog and cats living together.

[open-mind]

I don't like the way this article seems to flip-flop between discussing vulnerabilities and exploits. Sure last week's trojan was an exploit, but you had to download it, run it, and type your password for it to work. Every platform has this "vulnerability".



The ARDAgent vulnerability mentioned is completely different, since it hasn't been exploited yet. And to exploit it AFAIK, you need to activate and allow remote desktop control, but *not* turn on Remote Management. The Intego link states this: "There are cases where this exploit does not work. If a user has turned on Remote Management in the Sharing pane of System Preferences under Mac OS X 10.5, or if a user has installed Apple Remote Desktop client under Mac OS X 10.4 or earlier and has activated this setting in the Sharing preferences, the exploit will not function. "



I'm not sure how likely it would be to have ARDAgent active with the Remote Management off. It would be nice if the article explained this. It's hard to know who to believe. Clearly Apple wants OS X to be perceived as secure, however the new media and Intego are motivated to exaggerate any such issues when they can.

[dbakerstl]

Well I think many are missing the point - Even though root LOGON is disabled by default, processes on OSx can still run as a super user. The ARDAgent has a sticky bit set so it runs as the "owner" of the file. The root account still exists, you just cant log into it

This is a serious flaw and its my understanding that you dont need to enable ARD for you to be effected by this flaw, the applescript launches ARDAgent, and this has escelated privledges. You can remove the ARDAgent file and then you would be safe

But because of the nature of this attack, just like many PC trojans you can easily embed this Applescript in an application setup program. - IE you go on IRC, or download a torrent of some poker software or something, and BAM, you get poker, and your system gets hacked. Once the script is ran, it can open ports in your firewall, change any config file, modify your Netinfo DB, etc. And you would have no idea. Tons of mac users do not run Antivirus, and tons more are not "power" users and would not know that something was going wrong with their system.

Anyone who does not think this is serious should get a reality check. This is how everything started with PC users - its not the power users that are at risk, its the kids that click on things, and older adults that have no idea what they are doing...

[ballmerisanape]

Poker games don't need your password. Most mac users know this, as the majority of Mac applications are "portable" and don't need access to system files to run. You don't get warnings and password prompts every 10 minutes like on windows.. so when Os X asks you for your password.. you know something needs a high level of access/permission. But, like you said.. there will always be people that don't think.

[NikEst]

It's not really that serious until it becomes distributed. They'd have to start sneaking it around now for it to get anywhere. They're right, it'll be patched pretty soon. No need for these doomsday propositions.

I wonder why this trojan made so much news? Oh, wait, that's right, it's one of a very small handful that affects OS X. That must be why we don't here about the dozens of viruses and trojans released for Windows every day, too many to be newsworthy anymore.

[digbychicken]

wow again cnet is reporting this flaw it must be serious but again the hot fix isn't reported

log in as as user with admin credentials go to /System » Library » CoreServices » RemoteManagement

right click ARDAgent select compress "ARDAgent" then delete ARDAgent empty trash

sorted