Stephen Withers
Tuesday, 24 June 2008 07:55
Opinion and Analysis
Page 2 of 3
More information has been revealed about the Asth/Hovdy Trojan, and it seems it does not rely on Apple Remote Desktop to do its dirty deeds.
According to Sophos, the Trojan carries out several undesirable actions to both mask its presence and allow external manipulation of the system it is running on.
These include disabling system logging and deleting system log files, disabling third-party security software and system updates, and opening certain firewall ports.
If it finds itself running on a system without Apple Remote Desktop software (it only became a standard part of the operating system in version 10.5), it installs a third-party VNC server to provide equivalent functionality.
The Trojan also installs PHP if necessary; starts PHPShell, ARD or VNC, and ssh; and grabs password hashes that could be cracked to gain access to other systems.
Variations of Astht/Hodvy may also install a keystroke logger, activate the iSight camera, capture the contents of the Mac's screen, and turn on file sharing.
The Trojan attempts to use a privilege escalation vulnerability in Apple Remote Desktop.
The underlying issue appears to be that Apple Remote Desktop runs as root in order to perform system update function, and it also supports AppleScript to allow remote management tasks to be automated.
Can anything be done about that? See
page 3.
