SCCyberworld

Thursday, July 3, 2008

Two New Mac OSX Trojans

Kuala Lumpur, July 3, 2008 - F-Secure has reported that an Apple Remote Desktop Agent vulnerability recently surfaced. Now there's news of a trojan that can exploit the flaw.

The exploit tool, called "Applescript Trojan horse template" was crafted by forum participants of MacShadows.com. These guys appear to have been hobbyist hackers interested in testing the ARDAgent vulnerability. It doesn't appear to be in the wild at present. F-Secure Security Labs detects it as Backdoor.Mac.Hovdy.a.

Chia Wing Fei, Security Response Program Manager, F-Secure Security Labs said that, “ARDAgent runs Applescript with root privileges. So once the victim is tricked into installing Hovdy, no user passwords are required for it to do its thing, which is provide backdoor access to the attacker.”

Apart from this Trojan, the Labs discovered another Mac OSX trojan last week, called Trojan-PSW:OSX/PokerStealer.A.

PokerStealer.A heavily relies on social engineering. It comes with the filename PokerGame.app (180Kb). Once executed, it will prompt the user for a password.

Trojan-PSW:OSX/PokerStealer.A checks the provided password to see if it matches the username of the machine. If not, it will ask again. It needs the user's password to continue.

What happens behind the scenes is the following: it enables SSH on the infected machine by running; it acquires the local IP address, subnet mask, the router's private IP address (domain) and the public IP address by querying over the Internet; it gets the OSX version, recovers its hash and saves it to a file named "secret_file".

After all the necessary information has been gathered it then sends the information to a specific e-mail address with a subject of "Howdy" and the message details include username, password, and IP addresses.

With the e-mailed information, the attacker can perform routines from a remote location through SSH without the user knowing it and may even take control of the infected machine.
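The three host-side traces described above (Remote Login switched on, a file named "secret_file" written, an outbound mail with subject "Howdy") make a natural correlation rule. The following is an added example of such a rule, not F-Secure's detection logic; the event-line format and the launchd wording for sshd are assumed stand-ins for whatever a real collector would produce.

```python
"""Correlate the PokerStealer.A host indicators named in the write-up.

Added example, not F-Secure's detection code. The event-log format
(timestamp source message) is a constructed stand-in for a real collector.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Indicators from the write-up: sshd switched on, "secret_file" written,
# outbound mail with subject "Howdy". The launchd message text is assumed.
INDICATORS = {
    "ssh_enabled": ("launchd", "com.openssh.sshd loaded"),
    "secret_file": ("fs", "secret_file"),
    "howdy_mail": ("mail", "subject=Howdy"),
}
WINDOW = timedelta(minutes=5)  # all three must land within this span


def parse(line: str) -> Dict[str, object]:
    """'2008-07-03T10:00:09 mail subject=Howdy to=...' -> dict."""
    ts, src, msg = line.split(" ", 2)
    return {"ts": datetime.fromisoformat(ts), "src": src, "msg": msg}


def correlate(lines: List[str]) -> List[str]:
    """Return the indicator names when the whole chain fired within WINDOW,
    else []. A lone indicator (e.g. an admin enabling Remote Login) is not
    a hit; only the full sequence the trojan produces is."""
    first_seen: Dict[str, datetime] = {}
    for ev in map(parse, lines):
        for name, (src, needle) in INDICATORS.items():
            if ev["src"] == src and needle in ev["msg"]:
                first_seen.setdefault(name, ev["ts"])
    if len(first_seen) < len(INDICATORS):
        return []
    times = sorted(first_seen.values())
    return sorted(first_seen) if times[-1] - times[0] <= WINDOW else []


# Constructed sample: the infection sequence, plus benign noise.
SAMPLE = [
    "2008-07-03T10:00:01 fs /Users/alice/Downloads/PokerGame.app executed",
    "2008-07-03T10:00:05 launchd com.openssh.sshd loaded",
    "2008-07-03T10:00:06 fs /Users/alice/secret_file created",
    "2008-07-03T10:00:09 mail subject=Howdy to=[attacker-address]",
]
BENIGN = ["2008-07-03T09:00:00 launchd com.openssh.sshd loaded"]

if __name__ == "__main__":
    print(correlate(SAMPLE))  # ['howdy_mail', 'secret_file', 'ssh_enabled']
    print(correlate(BENIGN))  # []
```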

“The PokerStealer.A trojan appears to have been written by someone with more than just hobbyist level motivations. Its infection is limited by the password requirement,” he added.

The author of PokerStealer (motivated by profit) is going to seek out the hobbyist's "Applescript Trojan horse template" and will reduce the infection steps of PokerStealer.A to simply running an application named "PokerGame".

For more information, please visit F-Secure weblog: http://www.f-secure.com/weblog
