SecureMac discovers Trojan horse targeted at Mac OS X
#16
Posted 20 June 2008 - 05:30 AM
griffman said:
As noted in the Intego notes, there is an easy (and free) workaround -- go to your Sharing System Preferences panel, and check the Remote Management box. In the new dialog that appears, don't enable anything, just click OK. The root exploit will now fail to run. No purchase required, and you should be protected until Apple patches this one.
-rob.
I assume you then leave the Remote Management item checked. Is this correct? (Leaving it checked is almost counterintuitive.)
#17
Posted 20 June 2008 - 05:31 AM
Note that the solution Intego proposed hasn't been proven effective in 100% of all cases (though they haven't yet seen anything work, it's theoretically possible).
A sure fix, but one to implement only if you don't need to use 10.5's screen sharing, is to disable ARDAgent. Go to System -> Library -> CoreServices -> RemoteManagement, and zip up ARDAgent. Do not delete it, as you'll want to have it there for when (if?) Apple patches this hole.
If Apple does release a patch, unzip the file first, then run the patch. In the interim, though, you'll be completely safe -- but as noted, unable to use screen sharing.
-rob.
#19
Posted 20 June 2008 - 06:34 AM
Rob, thanks for the information. I assume this Trojan then somehow enables Remote Management and institutes its own permissions? I ask because I use ARD and have Remote Management enabled on my Mac, because I need to be able to remote control it over a VPN. However, I set specific privileges for only a single user account to have access, i.e., "Allow access for:" is set to "Only these users" instead of "All users", which is the default setting, oddly enough.
I wonder if this is sufficient protection. Not that I'm inclined to download anything from Limewire or other untrusted sites these days anyway.
#21
Posted 20 June 2008 - 07:30 AM
The settings for ARDAgent don't matter at all -- the exploit doesn't care who's been authorized for what. It's literally as simple as this in Terminal:
osascript -e 'tell app "ARDAgent" to do shell script "whoami"';
Replace "whoami" with whatever shell script you want to run as root, and it runs. That is, unless you've enabled Remote Management, which seems to effectively break this trick: if ARDAgent is already running, the above command will throw an error. Someone has told me that it's still technically possible to get this to work in that situation, but I've yet to see code that works. So the safest and simplest solution remains simply not running software from untrusted sources -- you can't be a victim of any hack that takes advantage of this exploit unless you actively download and run a program of some sort.
-rob.
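The thread gives three states a 10.5 machine can be in (ARDAgent idle, ARDAgent running because Remote Management is on, ARDAgent zipped up) and one manual probe. The script below is an added example, not code from the thread and not Apple's: it checks those states from the Terminal and only runs Rob's whoami probe when asked. It assumes, which the thread does not state, that the trick works because the ARDAgent binary at the path in the script is installed setuid root; the path and that assumption are mine. The verdict logic takes plain yes/no arguments so it can be checked on any system.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apple. It audits a 10.5
# machine for the ARDAgent root issue discussed above. Assumption (mine, not
# stated in the thread): the bug is reachable because the ARDAgent binary at
# the path below is installed setuid root, so "do shell script" runs as root.
ARDAGENT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# "yes" if the file has the setuid bit, "no" if not or if it is absent.
# Parses `ls -ld` output (column 4 is s/S) so it works with BSD and GNU ls.
setuid_bit_set() {
    [ -e "$1" ] || { echo no; return 0; }
    case "$(ls -ld "$1" | cut -c1-10)" in
        ???[sS]*) echo yes ;;
        *)        echo no ;;
    esac
}

# Owner of a file ("root" on a stock install), field 3 of `ls -ld`.
file_owner() {
    ls -ld "$1" 2>/dev/null | awk '{print $3}'
}

# "yes" if an ARDAgent process is running, i.e. Remote Management is on,
# the state Rob reports as making the osascript command throw an error.
ardagent_running() {
    if pgrep -x ARDAgent >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Turn the three facts into one verdict. Arguments are yes/no strings so
# the logic can be exercised without a Mac:
#   exposure_verdict <present> <setuid_root> <running>
exposure_verdict() {
    if [ "$1" != yes ]; then
        echo "mitigated: ARDAgent absent (zipped up or removed)"
    elif [ "$2" != yes ]; then
        echo "not-setuid: ARDAgent present but not setuid root"
    elif [ "$3" = yes ]; then
        echo "workaround: ARDAgent already running, osascript trick fails"
    else
        echo "vulnerable: idle setuid-root ARDAgent will run 'do shell script' as root"
    fi
}

# Gather the three facts from the live system and print the verdict.
audit() {
    present=no
    setuid_root=no
    if [ -e "$ARDAGENT" ]; then present=yes; fi
    if [ "$(setuid_bit_set "$ARDAGENT")" = yes ] && \
       [ "$(file_owner "$ARDAGENT")" = root ]; then
        setuid_root=yes
    fi
    exposure_verdict "$present" "$setuid_root" "$(ardagent_running)"
}

# Rob's probe, run only on request. It only runs whoami: output of "root"
# means the hole is open; an osascript error means the workaround is in effect.
probe() {
    osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
}

case "${1:-}" in
    --probe) probe ;;
    *)       audit ;;
esac
```

Run it with no arguments for the audit, or with `--probe` on a Mac to reproduce the whoami check from the post. The audit deliberately does not read the "Allow access for" list from Sharing preferences, because, as Rob says, those settings do not affect whether the trick works.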
#23
Posted 20 June 2008 - 07:39 AM
Zensunni, are you sure you don't work for a security company? There are plenty of independent sources for testing the efficacy of malware, and not one of them is the DMV or my Mayor. How about Macworld? Or how about, gee, I don't know, CERT. A company that stands to make a profit off of a report is suspect. I am a professional wine critic; if I worked for a winery, would you want to read my reports?
Anyone can test this minor piece of malware - find a copy and send it to me, I will be happy to (sorry I am not dumb enough to have Limewire installed or to accept iChat invitations from strangers). If you are not connected to the internet it seems pretty simple to keep this bad boy under control.
To say that only security companies have the labs and skills to run tests on an AppleScript is at least disingenuous.
#24
Posted 20 June 2008 - 07:42 AM
griffman said:
The security exposure was found yesterday by Intego, another maker of Mac security products -- here's their announcement on the matter. The exposure is real; I've tested it, and it's indeed trivial to run any shell script as root without user permission (and no, the root account doesn't need to be enabled).
As noted in the Intego notes, there is an easy (and free) workaround -- go to your Sharing System Preferences panel, and check the Remote Management box. In the new dialog that appears, don't enable anything, just click OK. The root exploit will now fail to run. No purchase required, and you should be protected until Apple patches this one.
Thank you, that was exactly the type of information I was after.
#25
Posted 20 June 2008 - 07:45 AM
DonSmith said:
Sounds like he indeed knows what a Trojan is.. You have to download it on purpose, unlike a Virus, which can infect without your intervention. Now, you have to be TRICKED into downloading the Trojan (hence its name), but download on purpose you must. -Yoda
I think you might want to reread what he posted. He seemed to think it was a pretty sad trojan because you have to download it and run it when, by definition, that's exactly what a trojan is.
#26
Posted 20 June 2008 - 07:49 AM
zensunni said:
> soslack said:
> > Haha, so you first have to actually download it AND open it afterwards? Some trojan- this goes for ANY script people write on ANY platform...sigh
> LOL. You don't actually know what a trojan is, do you?
A Trojan horse implies malware hidden in an innocuous file. Changing the name of a file when it is clearly an AppleScript and not whatever the name is may just barely qualify under the broadest terms, but it is not the same as a file that has malware hidden among otherwise unsuspicious code. This may be picayune, but it points out that there is no need for attitude towards someone with a valid point.
You think Mac users have their heads in the sand, and I say we are careful to recognize FUD as one of the greatest dangers to any platform. Malware is a real danger, but every time a security company cries wolf it only makes the real danger that much harder to recognize. This is a minor event with a simple solution that does not require name calling or undue concern. The number one most important defense against malware is vigilance.
#27
Posted 20 June 2008 - 09:10 AM
In response to people questioning if this is a trojan:
Yes, it is. A trojan horse in the computer world is anything that does something hidden and unexpected, often malicious. While it can be argued that nobody should try to open that new video they just got when it has application information in it...many people will, and won't know the difference, despite Apple's warnings to them.
Trojans can generally be seen in real time, based on their file access. I have no doubt that many of the security companies will update their various software to scan for this trojan in the future. SubRosaSoft FileDefense protects your personal information from trojans and malware by watching all file access in this manner. The advantage to the real time scanning of SubRosaSoft FileDefense is that even unknown trojans will still be caught when they try to act, and the user will be informed, rather than having to wait for an update.
This root issue with Apple Remote Desktop was found a short while back, and has been discussed in many of the Mac IT discussions as well. This DOES affect everybody, not just those with the full Apple Remote Desktop installed. The interesting way to protect yourself? Turn ON Apple Remote Desktop in your sharing system preferences, even if you aren't going to use it, until Apple patches this. Without getting into the technical details, this prevents the app from being misused in this manner. Just make sure that your user accounts don't have access listed, and/or have secure passwords, and still nobody will be able to abuse ARD to control your system on you.
Full Disclosure: I used to be a Senior IT Consultant in Washington DC to many govt organizations for several years. I resigned from that position to take on my current job with SubRosaSoft.