Dastardly duo of Mac OS X Trojan threats on the loose in the wild

Opinion and Analysis

The other Trojan is known as Astht, short for AppleScriptTHT. The problem here is that the Apple Remote Desktop software (part of Mac OS X) can be tricked into executing code as root.

This works by telling ARDAgent to run an AppleScript that contains a shell script. Since ARDAgent runs as root, the shell script does too, so there's nothing to limit what it can do.

At least two variations of Astht have been detected in the wild. Their capabilities include keystroke logging, activating the iSight camera, taking screen shots, and turning on file sharing.

Symantec and other security vendors have issued advisories about Astht without describing its purported function.

An unofficial workaround to protect against Astht is to remove setuid from ARDAgent (e.g., sudo chmod -s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent), although this could interfere with legitimate use of Apple Remote Desktop for remote system administration.
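
One way to confirm the workaround is in effect, as an added example that is not part of the original article: the script reports whether the ARDAgent binary at the path above still carries the setuid bit and whether root owns it. The function names are illustrative, and the path is the one from the chmod command.

```shell
#!/bin/sh
# Added example: check whether the setuid workaround is in effect.
# Path taken from the article's chmod command; function names are illustrative.
ARDAGENT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# owner_uid FILE: numeric owner, read from `ls -ln` (same field on BSD and GNU ls).
owner_uid() {
    ls -lnd -- "$1" | awk '{ print $3; exit }'
}

# setuid_state FILE prints one of:
#   missing       no such file
#   setuid-root   setuid bit set and owner is uid 0 (executes as root for any caller)
#   setuid-other  setuid bit set, owner is not root
#   clean         setuid bit not set
setuid_state() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ ! -u "$1" ]; then
        echo clean
    elif [ "$(owner_uid "$1")" = "0" ]; then
        echo setuid-root
    else
        echo setuid-other
    fi
}

# check_workaround FILE: print the state; succeed only if the file cannot run setuid.
check_workaround() {
    state=$(setuid_state "$1")
    echo "$1: $state"
    case $state in
        clean|missing) return 0 ;;
        *) return 1 ;;
    esac
}

# Check the ARDAgent binary, or a path given as the first argument.
check_workaround "${1:-$ARDAGENT}" ||
    echo "setuid bit still present; the chmod -s workaround is not in effect" >&2
```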

Although these threats are Trojans and therefore rely on users running them (as opposed to nastier forms of malware that exploit software vulnerabilities to get their hooks into systems without user involvement), they show that Mac OS X is getting more attention from the malware merchants. Sensible users will take these developments as a wake-up call, and review their security practices.
