Democratic Underground

Flaw in Apple Remote Desktop exploited via trojan
This topic is archived.

jayfish, Donating Member (1000+ posts), Fri Jun-20-08 03:10 PM
Original message
Flaw in Apple Remote Desktop exploited via trojan
Source: Ars Technica

A security flaw in ARDAgent, a component of Apple Remote Desktop, was publicized yesterday by security firm Intego, and now, Mac-centric security firm SecureMac is reporting that a trojan that exploits the flaw is currently in the wild.

The flaw, mentioned as early as Tuesday of this week on Slashdot, is due to ARDAgent running as root, which allows it to run commands invoked via AppleScript as root. The trojan, available as both a compiled AppleScript and an application bundle, can allow a remote user complete control of your machine and can easily run undetected by opening firewall ports and turning off logging.

Read more: http://arstechnica.com/journals/apple.ars/2008/06/20/flaw-in-apple-remote-desktop-exploited-via-trojan



Hmmm... I thought Apple was immune to this sort of thing?

jgraz, Donating Member (1000+ posts), Fri Jun-20-08 03:17 PM
Response to Original message
1. Apple's never been "immune", just harder to hack
Also, the Microsoft monoculture made Windows viruses much more attractive since so many more machines could be affected.

Apple DOES have much better security than Windows (bias alert: I helped write some of it), but it's far from hack-proof.

jayfish, Donating Member (1000+ posts), Fri Jun-20-08 03:20 PM
Response to Reply #1
2. You Helped Write NeXTSTEP?
Pretty cool. ...and I was being a bit sarcastic there. ;-)

Jay

jgraz, Donating Member (1000+ posts), Fri Jun-20-08 03:23 PM
Response to Reply #2
3. Yep, and OS X.
They were the toughest, most satisfying years of my engineering career.

merwin, Donating Member (1000+ posts), Fri Jun-20-08 05:11 PM
Response to Reply #1
11. I wouldn't say it's harder to hack. Less attractive for hackers, maybe.
Both of the operating systems are fairly solid in terms of security. It's when you start adding in software that is not part of the core OS where you run into trouble.

jgraz, Donating Member (1000+ posts), Fri Jun-20-08 07:02 PM
Response to Reply #11
13. I disagree. Basing your OS on an open-source standard tends to make it more secure.
Many of my friends work in the IT security business, and they all have a much harder time locking down Windows installations than they do Linux or Mac.

papapi, Donating Member (1000+ posts), Fri Jun-20-08 03:27 PM
Response to Original message
4. This thing would have to be installed by a root user so....
Edited on Fri Jun-20-08 03:30 PM by papapi
if you're careful about what you allow to access 'root' on your computer you're safe.
Anything that asks you for your password to the system should be suspect.
Only download from reliable sources when installing software. Never allow javascript access to 'root'.
A script to remove Apple Remote Desktop from your computer follows.
You should only do this if you do not use and never plan to use Apple Remote Desktop:

## Every path below is root-owned, so run this from an administrator
## account with sudo (or as root); the deletions are irreversible.
## Remove old components
rm -rf "/Applications/Remote Desktop.app"
rm -rf "/System/Library/CoreServices/ARD Agent.app"
rm -rf "/System/Library/CoreServices/RemoteManagement"
rm -rf "/Library/Receipts/RemoteDesktop"*

## Remove preferences
rm -rf "/Users/{place ADMIN USER NAME here}/Library/Preferences/com.apple.RemoteDesktop.plist"
rm -rf "/Library/Preferences/com.apple.ARDAgent.plist"
rm -rf "/Library/Preferences/com.apple.RemoteDesktop.plist"
rm -rf "/Library/Preferences/com.apple.RemoteManagement.plist"

## Remove local database
rm -rf "/var/db/RemoteManagement"


edited for sp.

htuttle, Donating Member (1000+ posts), Fri Jun-20-08 03:35 PM
Response to Reply #4
5. An easier (and less destructive) solution appears to be this:
Either turn Remote Desktop 'ON' (it's called Remote Management on Leopard) which actually enables a bunch of extra security protocols (ARDAgent no longer responds to 'do script' after that)

OR

Make ARDAgent unexecutable like this in Terminal:
sudo chmod -R 000 /System/Library/CoreServices/RemoteManagement/ARDAgent.app

It mentions these in the article linked in the OP.
 
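A read-only audit of the state post #5 leaves behind, as an added example (this is not code from the thread, from Apple, or from the linked article). It reports whether the ARDAgent bundle is absent, locked to mode 000 by the chmod command above, or still reachable, and whether the agent executable carries a setuid bit, which is the usual mechanism behind a helper "running as root" as the thread describes. ARD_ROOT, perm_string, ardagent_status, ardagent_setuid and ardagent_mitigate are names chosen here; ARD_ROOT is a hypothetical prefix that lets the check run against a staged directory tree instead of the live system.

```shell
#!/bin/sh
# Added example (not code from the thread): audit whether the ARDAgent
# hardening from post #5 is in place. ARD_ROOT is a hypothetical prefix so
# the check can be pointed at a staged directory tree instead of the live
# system (leave it empty on a real Mac).
ARDAGENT_APP="/System/Library/CoreServices/RemoteManagement/ARDAgent.app"
ARDAGENT_BIN="$ARDAGENT_APP/Contents/MacOS/ARDAgent"

# Permission string of a path as ls prints it (e.g. rwxr-xr-x). Parsing ls
# keeps this portable; stat(1) takes different flags on macOS and Linux.
perm_string() {
    ls -ld "$1" 2>/dev/null | cut -c2-10
}

# One word describing the agent bundle under prefix $1:
#   missing    bundle not present, nothing to reach
#   mitigated  bundle mode is 000, the state "chmod -R 000" in post #5 leaves
#   exposed    bundle still reachable, so the AppleScript path is open
ardagent_status() {
    app="$1$ARDAGENT_APP"
    if [ ! -e "$app" ]; then
        echo missing
    elif [ "$(perm_string "$app")" = "---------" ]; then
        echo mitigated
    else
        echo exposed
    fi
}

# yes/no: does the agent executable under prefix $1 carry the setuid bit?
# An 's' in the owner-execute slot makes a program run as its owner (root
# here), which is how the thread explains ARDAgent running as root.
ardagent_setuid() {
    case "$(perm_string "$1$ARDAGENT_BIN" | cut -c3)" in
        s|S) echo yes ;;
        *)   echo no ;;
    esac
}

# Apply the mitigation from post #5 under prefix $1. Walks bottom-up so the
# bundle directory itself is locked last; needs root on a real system.
ardagent_mitigate() {
    find "$1$ARDAGENT_APP" -depth -exec chmod 000 {} +
}

report() {
    prefix="${ARD_ROOT:-}"
    echo "ARDAgent bundle: $(ardagent_status "$prefix")"
    echo "ARDAgent setuid: $(ardagent_setuid "$prefix")"
}
report
```

Run it with ARD_ROOT unset on a Mac to report on the live system; ardagent_mitigate needs sudo there. A later Apple update or a permissions repair can put the bundle's original mode back, so the check is worth repeating after updates.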
papapi, Donating Member (1000+ posts), Fri Jun-20-08 03:36 PM
Response to Original message
6. Exploit: OSX.Trojan.PokerStealer

Discovered: June 20, 2008

Risk: Low

Description: A Trojan horse has been found in the wild masquerading as a program for Mac OS X called “PokerGame”. The Trojan in question is a shell script encapsulated in an application, and is distributed in a 65 KB Zip archive; unzipped, it is 180 KB.

The Trojan horse, when run, activates ssh on the Mac on which it is running, then sends the user name and password hash, along with the IP address of the Mac, to a server. It asks for an administrator’s password after displaying a dialog saying, “A corrupt preference file has been detected and must be repaired.” Entering the administrator’s password enables the program to accomplish its tasks. After gaining ssh access to a Mac, malicious users can attempt to take control of it, delete files, damage the operating system, or much more.

Intego VirusBarrier X4 and X5 with virus definitions dated June 20, 2008 protect against this Trojan horse. Intego recommends that users never download and install software from untrusted sources or questionable web sites.


papapi, Donating Member (1000+ posts), Fri Jun-20-08 03:41 PM
Response to Original message
7. AppleScript.THT Trojan Horse
AppleScript.THT Trojan Horse - Secure Mac

SecureMac has discovered multiple variants of a new Trojan horse in the wild that affects Mac OS X 10.4 and 10.5. The Trojan horse is currently being distributed from a hacker website, where discussion has taken place on distributing the Trojan horse through iChat and Limewire.

The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing. The Trojan horse exploits a recently discovered vulnerability with the Apple Remote Desktop Agent, which allows it to run as root.

The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items.

Protection: To protect your system against this threat, run MacScan 2.5.2 (MacScan is a product of SecureMac) with the latest Spyware Definitions update (2008011), dated June 19th, 2008. SecureMac recommends that users download files only from trusted sources and sites.

Additional removal instructions and resources will be posted once available.
 
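The indicators in the AppleScript.THT write-up above (the two variant names, the move into /Library/Caches/, the login item, ssh being switched on) turned into a read-only host check, as an added example that is not code from the thread or from SecureMac. SCAN_ROOT, find_tht_artifacts, count_tht_artifacts, login_item_hit and ssh_loaded are names chosen here; SCAN_ROOT is a hypothetical prefix for running the scan against a staged tree. Two details are assumptions rather than facts from the post: that system-wide login items of that era live in /Library/Preferences/loginwindow.plist, and that Remote Login appears in "launchctl list" under the label com.openssh.sshd.

```shell
#!/bin/sh
# Added example (not from the thread or from SecureMac): the indicators in
# the AppleScript.THT write-up, turned into a read-only host check.
# SCAN_ROOT is a hypothetical prefix so the scan can run against a staged
# directory tree; leave it empty on a real Mac.

# Names the write-up gives for the two variants (compiled script, bundle).
THT_NAMES="ASthtv05 AStht_v06"
# Where the write-up says the Trojan moves itself once running.
THT_CACHE_DIR="/Library/Caches"
# Assumption: system-wide login items of that era live in this plist.
LOGIN_ITEMS_PLIST="/Library/Preferences/loginwindow.plist"

# Print matching entries directly under $1/Library/Caches, one per line.
# Prefix match, case-insensitive, so AStht_v06.app or a renamed copy with a
# suffix is still reported; no recursion, to keep the scan cheap.
find_tht_artifacts() {
    dir="$1$THT_CACHE_DIR"
    [ -d "$dir" ] || return 0
    for name in $THT_NAMES; do
        find "$dir" -maxdepth 1 -iname "${name}*" 2>/dev/null
    done
}

# Number of artefacts found; the figure a monitoring job would alert on.
count_tht_artifacts() {
    find_tht_artifacts "$1" | grep -c . || true
}

# yes/no: does the login-items plist under prefix $1 mention a THT name?
# grep -a searches a binary plist byte-wise; ASCII strings inside binary
# plists are stored verbatim, so a plain name still matches.
login_item_hit() {
    plist="$1$LOGIN_ITEMS_PLIST"
    [ -f "$plist" ] || { echo no; return 0; }
    for name in $THT_NAMES; do
        if grep -a -q "$name" "$plist"; then echo yes; return 0; fi
    done
    echo no
}

# yes/no/unknown: is an sshd job loaded in launchd? Both Trojans in this
# thread turn ssh on. Assumption: Remote Login shows up in "launchctl list"
# under the label com.openssh.sshd.
ssh_loaded() {
    command -v launchctl >/dev/null 2>&1 || { echo unknown; return 0; }
    if launchctl list 2>/dev/null | grep -q com.openssh.sshd; then
        echo yes
    else
        echo no
    fi
}

scan_report() {
    prefix="${SCAN_ROOT:-}"
    echo "THT artefacts in $prefix$THT_CACHE_DIR: $(count_tht_artifacts "$prefix")"
    find_tht_artifacts "$prefix" | sed 's/^/  /'
    echo "THT name in system login items: $(login_item_hit "$prefix")"
    echo "sshd loaded in launchd: $(ssh_loaded)"
}
scan_report
```

A hit on the cache directory or the login-items plist is a strong signal because neither location should normally contain anything by those names; sshd being loaded on its own is not, since Remote Login is a legitimate setting, so the report lists it as context rather than as a finding.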
Deja Q, Donating Member (1000+ posts), Fri Jun-20-08 03:44 PM
Response to Original message
8. No platform is secure. Anyone who thinks one is and is in the security business
ought to resign to a job of shoveling elephant manure in the zoo instead.


papapi, Donating Member (1000+ posts), Fri Jun-20-08 03:50 PM
Response to Reply #8
9. So right. Apple has been lucky so far.
This certainly is not the first one for Apple. But hell, Windooze is like a sieve. Give me OS X anytime.

elocs, Donating Member (1000+ posts), Fri Jun-20-08 05:00 PM
Response to Reply #8
10. I wouldn't mind shoveling elephant manure in a zoo.
The one job in my lifetime that I should have stayed at was working in our zoo. Had I stayed I would have eventually been in charge of the zoo in my small city. I've shoveled monkey shit, bear shit, and deer shit, so I wouldn't have minded elephant manure. Leaving that job was one of the biggest mistakes I ever made.

onehandle, Donating Member (1000+ posts), Fri Jun-20-08 06:23 PM
Response to Original message
12. As others have pointed out, you would have to jump through a fuckload of hoops to be affected.
Edited on Fri Jun-20-08 06:24 PM by onehandle
Try again at bashing the BEST OS EVER.

Posted from my iPhone.

Powered by DCForum+ Version 1.1 Copyright 1997-2002 DCScripts.com
Software has been extensively modified by the DU administrators

© 2001 - 2011 Democratic Underground, LLC