Drive-by downloads danger from new Mac Trojan: Symantec

Stephen Withers
Tuesday, 24 June 2008 07:55

Opinion and Analysis

At least three unofficial fixes have been suggested. The idea that starting the Remote Management service (via the Sharing system preference) would provide protection was short lived, as it is too easy for an exploit to disable remote management and then restart it.

Removing the setuid bit for ARDAgent does block the exploit, but stops Remote Management working. This is therefore a simple way of avoiding the problem for machines that are never remotely administered (which is probably the majority of Macs in homes and small businesses).

Kou Man Tong, a Hong Kong based software developer, has suggested disabling AppleScript support in ARDAgent by editing its plist (property list).

He claims this prevents the exploit from working whether or not Remote Management is active, but without interfering with the normal use of Apple Remote Desktop for remote administration. However, the legitimate use of AppleScripts via Remote Management would also be blocked.

But if the privilege escalation exploit fails, the Trojan poses as a software update and asks the user to provide administrative login credentials, Sophos senior technology consultant Sean Richmond told iTWire.

So while cautious and sophisticated Mac users will no doubt feel as secure as they did before the discovery of the latest Trojans, those who manage computers used by colleagues or family members who take a more cavalier attitude to browsing and downloading may think again about the need for security software that can detect such malware.