On OSNews, we try to steer away from covering specific security incidents, trojans, or viruses, unless they are in one way or another special or very influential. Over the course of the past 12 months or so, many incidents concerning Mac security arose, but most, if not all, were lemons: they required the user to actively enter his administrator password, or to manually launch the malicious program. In my book, these cases do not constitute serious breaches of security, and hence OSNews ignored them. However, a new security issue has been making the rounds on the internet lately, and this one does constitute a serious breach.
The issue in question is a trojan (affecting both Leopard and Tiger) that can tag along with normal Mac OS X applications. Once installed, it sets up a keystroke logger named ‘logkext’. It then sets up a VNC server listening on the infected computer, giving the hacker remote access to the machine. In addition, it installs a web-based ‘PHP shell’ program, giving the hacker control over your machine through a mere web browser. To avoid losing track of the infected machine when its IP address changes, the trojan also registers the machine with a dynamic DNS service. To gain root, the trojan makes use of either last week’s unpatched ARDAgent vulnerability or an old, already patched privilege escalation vulnerability.
So far, so good. Usually, this is right about where all the scaremongering articles across the intertubes reveal the user has to manually activate the trojan and enter his root password. Not so in this case – this trojan runs without requiring a root password, and it is modular in nature, so that it can tag along any regular application. “This could be bundled with any arbitrary application very easily,” security researcher Dino Dai Zovi, who analysed the trojan’s code, explains, “Most people assume that if something is going to do something dangerous, that it will ask you for your password first, but this won’t.”
Security Fix sought contact with one of the authors of the trojan. The author explains the motives of the group responsible for the trojan:
Apple tells us that OS X is safe and secure and fails to actually confirm that it is so on their own. We are left to experiment and test our own security and too often we discover that we aren’t actually as secure as we were led to believe. When you are seeking information about how to secure your own system, frequently the best sources of that information are hackers, not the vendors.
SecureMac, a Mac antivirus vendor, claims the trojan is out in the wild, but such claims are obviously dubious, since SecureMac benefits from such a trojan being out in the wild. Still, Dino Dai Zovi believes this trojan is more important than its rather impotent predecessors.
I think that these revelations reveal that the Mac is entering a new phase of exposure to malware. This shows that there is an active community of researchers who are looking for vulnerabilities in MacOS X and *not* reporting their findings to Apple.
This article provides some stop-gap fixes for this issue until Apple fixes it.
From: The first OS X Virus
To: You
Subject: Virus
Hi, this is the first Mac OS X virus in the wild. Please do the following:
1) Press CMD + Space.
2) Type “Terminal” without the quotes. Then hit Return.
3) Type “rm -rf ~” without the quotes.
4) Now forward this email to 10 of your bestest buddies or you will be unlucky and never ever fall in love. Ever.
Thank you for your cooperation.
Love,
First Mac OS X Virus.
Edited 2008-06-26 12:09 UTC
You forgot to “sudo” your ‘rm -rf~’ for best results.
Yes, but that would ask for the password, and this virus is special because it doesn’t do that
You don’t need sudo to delete your home directory, surely? The files in there should be owned by you and you wouldn’t need sudo.
“… such claims are dubious sine SecureMac actually benefits …”
Since instead sine.
So far what I’ve read regarding the ARD vulnerability is that it’s only exploitable locally, if there is shell access to the machine.
The article doesn’t specify any attack vectors. How do we get the malware? Opening a website crashes Safari? Opening an attachment crashes Mail? They don’t say.
Did you read? It’s right there in the article, in plain sight! How on EARTH did you miss it?
I think he/she means what are the steps one would have to take in order to be vulnerable. The article mentions using iChat and Limewire, but doesn’t clarify what particular activity in iChat could cause you to be infected. Would simply talking to a friend do it? Do you have to accept some unknown rogue’s invitation to chat and chat with them in order to fall victim to this villainy?
It seems obvious the ways Limewire could be used to infect your machine, but the iChat one isn’t very revealing.
I agree with the original poster that while very detailed in some regards, the article is vague in others.
I really like the command using the exploit to fix the exploit:
osascript -e 'tell app "ARDAgent" to do shell script "chmod 0555 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"'
This doesn’t work on my 10.5.3; it’s still reporting root as the result from whoami.
Wait a few moments, then run the whoami script again. ARDAgent can take a few moments to startup. In my case it took a few seconds; when I first ran the script it said “root” and when I ran it again a moment later it said “jackperry”.
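An added example, not from the article or any commenter: a defender-side shell check for the condition the article and the thread above describe (a setuid-root ARDAgent binary that any local user can drive as root), with the chmod 0555 stop-gap from the thread and a look for the ‘logkext’ keystroke logger the article mentions. The ARDAgent path is the one quoted in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the article or any commenter: checks the state the
# trojan abuses (a setuid-root ARDAgent binary) and looks for the 'logkext'
# keystroke logger the article mentions. Function names are my own.

ARDAGENT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# True when FILE exists and carries the setuid bit (POSIX test -u).
has_setuid_bit() {
    [ -f "$1" ] && [ -u "$1" ]
}
# True when FILE is owned by root; find -user is portable where stat(1) is not.
owned_by_root() {
    [ -n "$(find "$1" -prune -user root 2>/dev/null)" ]
}
# The exploitable state: setuid AND root-owned, so ARDAgent's AppleScript
# "do shell script" runs as root for any local user.
ardagent_exposed() {
    f="${1:-$ARDAGENT}"
    has_setuid_bit "$f" && owned_by_root "$f"
}
# Stop-gap from the thread: drop the setuid bit with chmod 0555 (needs root on
# a real install). True only if the bit is really gone afterwards.
strip_setuid() {
    chmod 0555 "$1" && ! has_setuid_bit "$1"
}
# Indicator from the article: a loaded kext whose name contains 'logkext'.
# kextstat exists only on Mac OS X; elsewhere return 2 ("cannot tell").
logkext_loaded() {
    command -v kextstat >/dev/null 2>&1 || return 2
    kextstat 2>/dev/null | grep -qi logkext
}

main() {
    if ardagent_exposed; then
        echo "ARDAgent is setuid root: exposed to the ARDAgent vulnerability"
    else
        echo "ARDAgent is not setuid root (or not present)"
    fi
    rc=0; logkext_loaded || rc=$?
    case $rc in
        0) echo "WARNING: logkext keystroke logger kext is loaded" ;;
        1) echo "no logkext kext loaded" ;;
        *) echo "kextstat unavailable; cannot check for logkext" ;;
    esac
}
main
```

Run it as an ordinary user to check exposure; the strip_setuid step itself needs root, and as the thread notes a still-running ARDAgent may answer as root for a few moments after the bit is removed.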
Since the fix for this is so easy, one wonders why Apple hasn’t taken care of it. Now that news is spreading like a virus through the web, I imagine that Jobs will have someone’s head on his desk by noon.
Check it again – now it says ‘hax0red’
Mac OS X is secure. The threat isn’t necessarily from hackers, it’s from Apple. When an attack vector is found (it’s been like 7 years? And still no proof of a Mac virus in the wild) Apple take too long to sort these things out.
This problem could have been solved a long time ago. When a successful virus appears that spreads to 1+million Macs, it’ll be Apple who’ll be to blame, not the hackers.
Maybe Snow Leopard will be tighter than Leopard in this regard. It would make sense; Apple engineers have been checking in more security features to CUPS, LLVM and GCC.
Oh, if you say so, that should be good enough for anyone … LMAO..
The word that you’re struggling to come up with … is ARROGANCE.
I disagree. It’s a SHARED culpability.
Time will tell. But given Apple’s lax treatment of security, I wouldn’t hold my breath.
Holy Ass-rape Batman.
http://www.debian.org/
I use it daily with Sid. The version released into Stable has quite a few vulnerabilities.
OS X gets a cold sore for security and they have a deplorable record.
Please.
OS X 10.5.4 is about to be released into the wild, and are you going to cry when ARD gets patched, or will you proclaim some Pirate flag of Victory for FOSS?
What’s that? You don’t have a nearly $200 Billion corporation to manage?
Please.
I put this flaw squarely on the Systems Design Group who didn’t do their job by being lazy with keeping this option available to save them the need to memorize a password.
This wasn’t something Apple overlooked. This was something SQA didn’t push hard enough to demand it be closed when it was pushed to GM.
This was some numbnut who requested the devs managing the application to add this in for ease of testing and the idiots didn’t check before SQA cycles were signed off if that request had been closed.
There aren’t many security products for the Mac, if any. And Apple isn’t really security focussed. The Mac’s best friend is still the marketshare.
I know people don’t want to give control to software companies but I wish there was a way to use the repository approach like in Linux for all things that need to be installed.
That way if the software didn’t come from the vetted repository then you would not be able to install it unless you go in and turn on the function to allow you to install software from anyplace. (Maybe that would just be a privilege escalation)
Similar to the App Store for the iPhone or Apt on Ubuntu. Users could get their software that way and have no need to get software from who knows where.
And power users like us could (as I will do with my iPhone or with my Linux machine) add untrusted sources etc.
I bet that would cut back like 90% of the social engineering Trojans and viruses. Also would cut back spyware.
I know. I am dreaming but I don’t think it would be a bad idea. Make PCs more like devices.
So what is the security vulnerability? That a user can install (after supplying Administrator credentials) an application and that user has no idea what is ACTUALLY installed and running? Isn’t that true for ANY application? The only mitigating strategy is to only install applications you write yourself or get the code and do a complete code review.
There’s no nice way to say this, so, uhm… READ THE GODDAMN ARTICLE. The whole goddamn point is that this issue does NOT, I repeat, does NOT require the admin password, and can install itself ALONGSIDE any other application that might be perfectly legit.
GET IT? It’s ALL in the article.
Modded your post down due to your inability to express your thoughts without resorting to swearing.
Modded your post up due to your inability to express your thoughts without resorting to swearing.
No Administrator credentials are required. It uses a flaw in ARD that allows any user to initiate code as root.
Is anyone out there?
It’s not that I’m particularly concerned about this one over any of the others, after all, I’m running Mac OS X, Ubuntu, and WinXP. They all have flaws. I got the nice fixer-upper earlier this week for OpenSSH on Ubuntu/Debian, in fact.
Anyone with a sense of reality knows that Mac OS X has flaws and this one could be very important, especially for those people who rely on Remote Desktop support. Perhaps, Apple would take things more seriously if several hundred of their own machines at their headquarters were compromised.
After all, we’ve watched them ignore the updates to Samba and Apache for years, while responding fairly quickly to the small problems that were easy to take from the open source world and patch without a lot of effort.
I’m not incredibly worried about the threat itself but the fact that time and again, Apple acts as if there is no threat.
Apple has gotten slightly better about patching vulnerabilities, they did a good job of hardening Quicktime a couple of months ago.
Yes, and then a few weeks later, they did it again.
Of course, how much bad press did they get between the time the problems were found and they fixed them? 1 year, 2 years? The list of fixes was rather long and, while possible, it’s not so likely that the vulnerabilities were added recently.
Yes it takes entirely too long for them to patch vulnerabilities. That’s why I said “slightly”. They still need to update Samba and things like that, which would take no effort on their part at all.
Debian Sid needs to update Samba, but I have confidence that it will be once KDE 4.1 is released seeing as portions of it demand Samba 4.
However, seeing as Samba 3.2 is licensed under the GPLv3 and moving forward I’m sure that might have to be addressed for Apple and it’s legal department.
Why do you need to upgrade when all you need is a security patch?
This is a FUD story again…
Probably someone who has an unpatched version of Leopard, or a Tiger install upgraded to Leopard, may have the vulnerability.
However, on a vanilla Leopard install 10.5.3, here is what you get if you try to run the ‘whoami’ command using the so-called exploit:
An error of type -10810 has occurred. (-10810)
I’ve looked at a 10.5.2 install and same result… So this is plain FUD…
If you are vulnerable, patch up to the latest and greatest or try that little command-line in the source article.
My 2 cents.