Two in-the-wild trojans target Mac OS X
The first -- and more dangerous -- is a rare, in-the-wild Mac trojan that is impacting versions 10.4 and 10.5 of Apple's operating system, a security firm announced on Thursday.
The trojan is exploiting a vulnerability, also reported Thursday, that permits malicious programs to execute code as a root, or most privileged, user, Mac security vendor Intego said in an alert.
The flaw is caused by the fact that ARDAgent (Apple Remote Desktop), when running malicious AppleScripts, a Mac programming language, loads programs as root, without the need for a password.
According to SecureMac, a Mac security firm, the trojan is currently being distributed through a hacker website, but there are plans to deliver exploits through applications such as iChat or LimeWire.
"The trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging," said an advisory from SecureMac.
The trojan also is able to log keystrokes, take pictures and screenshots, and enable file sharing.
Both SecureMac and Intego advised users to not download software from untrusted sources.
Joel Esler, a handler with the SANS Internet Storm Center, told SCMagazineUS.com on Friday that there have been previous Mac trojans in the wild, but all have required a password to run.
"You don't have to say, 'OK, I allow you to run,' with this one," he said. "You just double-click on it and execute it."
Still, he said users should not worry.
"All of the Mac trojans that have come out have been pretty weak," Esler said. "Apple has a six percent market share of desktop computing. When you attack somebody that has a six percent market share, most of that six percent is going to know about the trojan when it comes out."
Intego on Friday reported another Mac trojan that disguises itself as a poker application. The trojan seeks secure shell access to the machine, after which malicious users attempt to take control of them.
An Apple spokeswoman could not be reached for comment.