Dastardly duo of Mac OS X Trojan threats on the loose in the wild

Stephen Withers
Monday, 23 June 2008 07:26

Opinion and Analysis

Mac users beware: a dastardly duo of Trojans is seeking to suck secrets from your computers, and both have been spotted in the wild. With a little help from an incautious user both Trojans are capable of getting around the Mac's defences and executing code with administrator or root privileges.

Purple prose aside, the first Trojan is called PokerGame and pretends to be a card game. However, it's real purpose is to take over the computer it is running on.

Having fooled the user into running the malware in the first place, PokerGame then attempts to trick the user for a second time, claiming that an admin password is needed to repair a corrupt preference file.

Think about it: you're running a program for the first time, which means it will create a preference file rather than reading an existing one. Secondly, application preference files are customarily stored within the user's own home folder, where admin rights are not needed.

PokerGame starts the ssh (secure shell) service and sends your IP address, username and password hash to a server.

While knowledge of the hash doesn't immediately allow an attacker to break into the computer, dictionary-based methods can find the corresponding password in a surprisingly short period of time if it is a normal word.

Once the password has been cracked, the bad guys can use ssh to log into the target Mac and do pretty much what they like, including copying or deleting files, or encrypting documents and then holding them to ransom.

So what's the other new Trojan? Find out on page 2.