SecureMac discovers Trojan horse targeted at Mac OS X
#4
Posted 19 June 2008 - 09:48 PM
Although a bit dodgy in that it will do something unexpected, can it really be called a trojan horse?
If you have to download it and run it, presumably entering your password.
And also, do you need to have the full Apple Remote Desktop or just the already installed bits?
I am not being complacent; I expect OSX to get targeted soon, this one just seems a bit lame.
#5
Posted 19 June 2008 - 11:21 PM
I would love to see someone other than a company with a financial interest at stake (i.e. someone that doesn't sell virus blocking software) give this thing a decent test; there are a lot of unanswered questions.
Besides the whole "if you use Limewire or take iChat files from strangers you deserve it" argument I would like to know:
Do you have to have Root user enabled?
It claims to be a trojan horse, but is it really hiding behind another file, or is it just a misnamed AppleScript file? The article suggests it may not be either.
What warnings do you have to ignore before installing this thing?
It claims to log keystrokes and send passwords, so what ports does it do this on?
Do you have to have those ports open to start with, or does this open them?
If it is sending data to an IP can that IP be traced back?
Do you really need to buy virus software to turn it off (granted it would be useful for catching that it exists), can't you just disable it from the startup items and throw it away?
Has it been found in the wild by someone other than this security company?
A malicious script file has always been possible on the Mac as well as any other system. This isn't earth-shattering news. Taking basic precautions is as important as ever. There are many questions about this script, but the biggest one in my mind remains: doesn't a security company's FUD amount to a malicious attack on its own? At the very least it seems to be a form of phishing. The greatest danger I see here is being tricked into buying pretty useless software.
#6
Posted 20 June 2008 - 01:11 AM
soslack said:
Haha, so you first have to actually download it AND open it afterwards? Some trojan. This goes for ANY script people write on ANY platform... sigh
garyi said:
Although a bit dodgy in that it will do something unexpected can it really be called a trojan horse?
Yes, it's a Trojan horse.
The name is a reference to a giant wooden horse that the Greeks used to sneak warriors inside the walls of the city of Troy when it became apparent that their assault on the city was not working.
The entire point is that the Trojans thought it a gift and brought it inside their walls themselves.
Likewise, in computing terms, any program that the user is convinced (somehow) to download and execute on the basis that it is something other than what it claims to be is a Trojan horse. That's what the phrase means.
See en.wikipedia.org/wiki/Trojan_horse_(computing)
garyi said:
If you have to download it and run it, presumably entering your password.
If you can be persuaded to download and execute something from a dubious source, you can probably also be persuaded to enter your password.
#7
Posted 20 June 2008 - 02:35 AM
We all know what a Trojan Horse is, but there's no basis for calling this app a "Trojan Horse" from information contained in the above article. We're never told that the app disguises itself as something else that would entice downloading. Can you build an app to allow remote control and one that sends keystrokes and passwords? Sure. But can you sneak it by Mac users? Only if it can get by the installation process, the "Do you want to open this file downloaded from the Internet?" warning, and entering the password for root authorization. Sounds to me like a proof of concept program created to sell protection not unlike how the Mob sells its "protection". They create the threat and then extort money not to follow up on it.
#8
Posted 20 June 2008 - 02:51 AM
DonSmith said:
We all know what a Trojan Horse is, but there's no basis for calling this app a "Trojan Horse" from information contained in the above article. We're never told that the app disguises itself as something else that would entice downloading.
While you're right that the information in the article itself isn't definitive, given that it's being distributed via Limewire, one would assume that it isn't listed as "Download this to have your computer pwned by some silly script kiddie". More likely it's listed as free porn or a copy of some pirated software or something.
DonSmith said:
Can you build an app to allow remote control and one that sends keystrokes and passwords? Sure. But can you sneak it by Mac users? Only if it can get by the installation process, the "Do you want to open this file downloaded from the Internet?" warning, and entering the password for root authorization.
I haven't looked into this in any detail, but my guess is that the flaw here allows the program to circumvent the authentication mechanism by getting ARDAgent to run AppleScript code as root.
I might add that it's interesting that someone mentioned a similar potential security flaw on the cocoa-dev mailing list recently when someone else asked about running Cocoa apps with root privileges. My guess is that that's where whoever wrote this got the idea from.
#10
Posted 20 June 2008 - 03:25 AM
It's only a matter of time before Macs get hit big-time. Macolytes can continue with their heads stuck in a hole in the ground, while it's long past time that the rest of us who haven't already installed anti-virus do so now. There are quite a few free packages, too; your wallet isn't an excuse.
#11
Posted 20 June 2008 - 03:29 AM
MacTechAspen said:
I would love to see someone other than a company with financial interest at stake (i.e. someone that doesn't sell virus blocking software) to give this thing a decent test, there are a lot of unanswered questions.
I love statements like this. What, would you be happier for a report from your DMV? Or mayor? Or Superfresh?
Sure, security companies are out to make money. But they're also the ones with proper laboratories and skills to run these tests and report on them.
How about this--why don't you get ahold of the trojan, test it, and report back to us?
#14
Posted 20 June 2008 - 03:47 AM
The security exposure was found yesterday by Intego, another maker of Mac security products -- here's their announcement on the matter. The exposure is real; I've tested it, and it's indeed trivial to run any shell script as root without user permission (and no, the root account doesn't need to be enabled).
As noted in the Intego notes, there is an easy (and free) workaround -- go to your Sharing System Preferences panel, and check the Remote Management box. In the new dialog that appears, don't enable anything, just click OK. The root exploit will now fail to run. No purchase required, and you should be protected until Apple patches this one.
-rob.
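A defender's check to go with rob's point that the exploit runs a shell script as root without the root account being enabled: the reason that works is that the ARDAgent executable was installed setuid root, so whatever could make it run a script inherited root. That background is my own and is not stated anywhere in this thread; the script below is an added example, not code from the thread, from Intego or from SecureMac. ARD_AGENT is the path as I remember it (not from the thread); audit_setuid, find_setuid_root and self_check are names I made up. It generalizes beyond ARDAgent: find_setuid_root walks any directory and lists every setuid-root file, which is the standard audit for this class of problem.

```python
"""Audit whether a file is installed setuid root (added example)."""
import os
import stat
import tempfile

# Path as recalled by the editor, not taken from the thread.
ARD_AGENT = ("/System/Library/CoreServices/RemoteManagement/"
             "ARDAgent.app/Contents/MacOS/ARDAgent")


def audit_setuid(path):
    """Describe the setuid/ownership state of one file.

    Returns a dict; 'setuid_root' is the dangerous combination, because
    any local user who can make the file execute something gets root.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return {"path": path, "exists": False, "setuid": False,
                "owner_uid": None, "setuid_root": False}
    is_setuid = bool(st.st_mode & stat.S_ISUID)
    return {
        "path": path,
        "exists": True,
        "setuid": is_setuid,
        "owner_uid": st.st_uid,
        "setuid_root": is_setuid and st.st_uid == 0,
    }


def find_setuid_root(root_dir):
    """Walk root_dir and return every regular file that is setuid root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable or vanished; skip, do not abort
            if (stat.S_ISREG(st.st_mode)
                    and st.st_mode & stat.S_ISUID
                    and st.st_uid == 0):
                hits.append(full)
    return sorted(hits)


def self_check():
    """Constructed fixture: one setuid file and one plain file in a temp dir.

    The setuid file is owned by whoever runs this, so 'setuid_root' is
    only True when that happens to be root.
    """
    with tempfile.TemporaryDirectory() as d:
        suid = os.path.join(d, "suid_demo")
        plain = os.path.join(d, "plain_demo")
        for p in (suid, plain):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\necho demo\n")
        os.chmod(suid, 0o4755)   # setuid bit set
        os.chmod(plain, 0o755)   # ordinary executable
        return {
            "suid": audit_setuid(suid),
            "plain": audit_setuid(plain),
            "missing": audit_setuid(os.path.join(d, "nope")),
            "scan": [os.path.basename(p) for p in find_setuid_root(d)],
        }


if __name__ == "__main__":
    report = audit_setuid(ARD_AGENT)
    if not report["exists"]:
        print("ARDAgent not present at the assumed path")
    elif report["setuid_root"]:
        print("ARDAgent is setuid root: apply the workaround / patch")
    else:
        print("ARDAgent is not setuid root")
```

On a patched system the first branch or the last one should fire; the point of self_check is only to show the helper classifying files correctly without needing the real binary.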