The Macintosh platform is again under attack by malicious code writers. This time, it's a Trojan horse that could compromise machines running Mac OS X 10.4 or 10.5.
Antivirus firm SecureMac claims to have discovered multiple variants of a Trojan horse being distributed from a hacker Web site. The site hosts a discussion on distributing the Trojan horse through iChat and Limewire.
The Trojan, distributed as either a compiled AppleScript called ASthtv05 or as an application bundle called AStht_v06, exploits a recently discovered vulnerability with the Apple Remote Desktop agent. The ARD allows the Trojan to run as root.
According to SecureMac, the Trojan runs hidden on a Mac and allows a malicious user complete remote access. The Trojan can transmit system and user passwords, and avoid detection by opening ports in the firewall and turning off system logging. The AppleScript version, SecureMac reported, can also log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing.
Fortifying a Mac
While it's true that hackers and malware authors target Macs far less frequently than Microsoft Windows PCs, that doesn't mean Mac users can disregard common sense in securing their computers, according to Carole Theriault, senior security consultant at Sophos.
"In the last 12 months we have seen growing evidence that cybercriminals -- although still focusing in the main on the Microsoft platform -- have shown an increase in interest in seeing if there is an opportunity to hack into Mac computers for financial gain," Theriault noted.
Although the problem is much smaller than on Windows, she added, Mac users would be wise to run an antivirus program, keep up with security patches, and exercise care about which programs they install.
The Threat Behind the Threat
Sophos has labeled the new Trojan "OSX/Hovdy-A." According to its monitoring service, the prevalence is low but the danger is critical. In addition to opening ports in firewalls and starting the ARD, the Trojan will also attempt to install itself in the Library/Caches folder and perform several tasks, including deleting system log files, starting PHPShell and Web server, disabling system updates, and disabling third-party security software.
Like many Windows attacks, this Mac Trojan relies on the user giving it permission to install. Using social-engineering techniques, the Trojan could be given disguises as varied as a game, a video, or a handy new utility.
"Sadly, many Mac users are just as willing as their Windows-based cousins to install a program without careful thought as to safety," Theriault said. "We are not witnessing a large-scale attack by this Trojan, but it is worrying to see yet more hackers turning their malevolent gaze to the Mac platform."