You are currently browsing the Stan’s List weblog archives for the day Sunday, June 22nd, 2008.

Intego Security Memo:

Exploit: OSX.Trojan.PokerStealer

Discovered: June 20, 2008

Risk: Low

Description: A Trojan horse has been found in the wild masquerading as a program for Mac OS X called “PokerGame”. The Trojan in question is a shell script encapsulated in an application, and is distributed in a 65 KB Zip archive; unzipped, it is 180 KB.

The Trojan horse, when run, activates ssh on the Mac on which it is running, then sends the user name and password hash, along with the IP address of the Mac, to a server. It asks for an administrator’s password after displaying a dialog saying, “A corrupt preference file has been detected and must be repaired.” Entering the administrator’s password enables the program to accomplish its tasks. After gaining ssh access to a Mac, malicious users can attempt to take control of it, delete files, damage the operating system, or much more.

Security Focus reports multiple Mac Trojan horses in the wild. The attack targets Apple Remote Desktop and gains root through AppleScript: osascript -e 'tell app "ARDAgent" to do shell script "whoami"' works for any local user, unless that user's session was reached through fast user switching.

As with all Trojan Horses, the chance of success is entirely in the hands of the user. To succeed, an email must induce you to click a URL (web link) that takes you to a malicious web page, or you must reach that page on your own while browsing. There you are further induced to download the Trojan Horse and then open the file once it is downloaded. As with phishing, the success rate is small, but only a few victims are needed to make it worthwhile.

Nathan points to discussion on the subject on MacInTouch’s Security Reader Report.
http://www.macintouch.com/readerreports/security/index.html#d21jun2008

First, he wants to emphasize that, because of the amount of user participation required, there is still no need for anti-virus software.

The Trojan Horse is able to do damage by escalating its privileges to root because ARDAgent is installed SetUID root, and a vulnerability lets it be driven through AppleScript to run shell commands with that privilege.

This workaround removes SetUID:

A viable fix right now is to remove SetUID from the ARDAgent executable. Run this from an administrator account:

sudo chmod -s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

This will cause a warning with Repair Permissions but will prevent the problem until Apple releases a fix.
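As an added example (not code from Stan's List, MacInTouch, or Apple), the following shell script turns the workaround above into something an administrator can audit and verify: it checks whether a binary still carries the SetUID bit, applies the same `chmod -s` the post recommends, and confirms the bit is really gone afterwards. The ARDAgent path is the one given in the post; the temporary stand-in file is constructed so the script can be exercised on any POSIX system without touching the real binary, and the `sudo` step from the post is still required to change the real ARDAgent.

```shell
#!/bin/sh
# Added example (not from the post or the vendors it quotes): audit a binary
# for the setuid bit and apply the post's workaround (chmod -s), then verify.

# Path of the vulnerable binary as given in the post.
ARDAGENT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# Returns 0 if the setuid bit is set on the given file, 1 otherwise.
is_setuid() {
    [ -u "$1" ]
}

# Prints a one-line verdict and returns 0 when the file is safe (absent or not
# setuid) and 1 when it is still setuid and needs the workaround.
audit_setuid() {
    file="$1"
    if [ ! -e "$file" ]; then
        echo "absent: $file"
        return 0
    fi
    if is_setuid "$file"; then
        echo "SETUID: $file"
        return 1
    fi
    echo "clean: $file"
    return 0
}

# Clears the setuid (and setgid) bit exactly as the workaround's chmod -s does.
# Needs permission to change the file's mode: for the real ARDAgent that means
# running under sudo, as the post says. Re-checks the bit instead of trusting
# chmod's exit status alone.
remove_setuid() {
    chmod -s "$1" || return 1
    ! is_setuid "$1"
}

# Constructed stand-in: a temp file owned by the caller, given the setuid bit,
# so the audit/fix cycle can be shown without modifying a system binary.
make_fake_setuid_binary() {
    tmp=$(mktemp) || return 1
    chmod u+x,u+s "$tmp" || return 1
    echo "$tmp"
}

# Demonstration on the stand-in: audit, apply the fix, audit again, clean up.
demo() {
    fake=$(make_fake_setuid_binary) || return 1
    audit_setuid "$fake"
    remove_setuid "$fake"
    audit_setuid "$fake"
    rm -f "$fake"
}

demo

# On a Mac this audits the real binary without modifying it. If it reports
# SETUID, apply the workaround from the post under sudo.
audit_setuid "$ARDAGENT" || echo "ARDAgent is still setuid; apply the workaround."
```

Run it as a normal user to audit; the audit is read-only. Only `remove_setuid` changes anything, and on the real path it will fail without root, which is the expected outcome for an unprivileged run.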

Editorial: If everyone were as sharp as Nathan (compliment) then phishing would never work. Unfortunately, this is not true. I have anti-virus software as I send and receive a ton of email and visit a number of web pages in search of information for this list. I do not want to inadvertently forward a virus or a trojan horse.