Mac OS X Trojan reported in the wild
At least two Mac-focused security firms warned late this week of a Trojan horse that takes advantage of flaws in remote management software in Mac OS X to run code on the affected computer.
As with most Mac flaws, the user must first download and open the file in order for it to take effect. Once it is opened, the Trojan — dubbed “AppleScript.THT” — adds itself to the login process and can perform a variety of functions, including keystroke logging.
It can also take pictures with the iSight camera and screenshots and turn on file sharing, security firm SecureMac said. Intego, the other firm to highlight the issue, said the Trojan could be used to run arbitrary code.
A flaw within the Apple Remote Desktop Agent is the source of the problem, which exists in both Mac OS X 10.4 and 10.5. It is potentially very dangerous because it could be run with root privileges.
SecureMac reports that it is being distributed from a site frequented by malicious users, and files containing the Trojan were being sent through both iChat and Limewire. Bundled within an AppleScript, the files containing it have the names “ASthtv05” and “ASthtv06.”
Any user running either 10.4 or 10.5 is said to be at risk, and the only interim solution currently being advertised is to download files only from trusted sources until the problem is fixed.
Users of either company’s security products, MacScan 2.5.2 (with the 2008011 definitions update) or VirusBarrier X5 (with the June 19 definitions), would be protected from the Trojan, the company said.
Either way, this latest security threat is evidence that Mac users will need to be ever more vigilant. “As Apple’s market share continues to grow, so will security research and hack attempts against OS X,” SecureMac president Nicholas Raba said.