From: Juan I. Cahis on 25 Jun 2008 12:45

Dear friends, see:

http://www.neowin.net/news/main/08/06/23/rare-mac-trojan-exploits-apple-vulnerability

Any comment?

Thanks
Juan I. Cahis
Santiago de Chile (South America)
Note: Please forgive me for my bad English, I am trying to improve it!

From: billy on 25 Jun 2008 13:06

Juan I. Cahis <jiclbchSINBASURA(a)attglobal.net> writes:

> Dear friends, see:
>
> http://www.neowin.net/news/main/08/06/23/rare-mac-trojan-exploits-apple-vulnerability
>
> Any comment?

From yesterday's SANS newsletter -

http://www.sans.org/newsletters/newsbites/newsbites.php?vol=10&issue=50

--Mac OS X Trojans Detected
(June 20, 21 & 23, 2008)
A recently detected Mac OS X Trojan horse program exploits a flaw in Apple Remote Desktop Agent (ARDAgent) to load itself as root and take control of vulnerable machines. The malware has numerous capabilities, including keystroke logging, opening ports in the firewall to evade detection, taking pictures with the built-in camera and turning on file sharing. Users can protect their systems by removing ARDAgent from its normal location and archiving it. A second Trojan affecting Macs pretends to be a poker application and tries to gain secure shell access to vulnerable machines.
http://www.scmagazineus.com/Two-in-the-wild-trojans-target-Mac-OS-X/article/111551/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9101898&intsrc=hm_list
http://www.theregister.co.uk/2008/06/23/mac_trojan/print.html

I suggest reading the rest of this at the SANS link, above. And, if you're concerned about security, subscribing to this and their other newsletters (which are free) would be a good idea, too.

Billy Y..

From: Claude V. Lucas on 25 Jun 2008 13:36

In article <g3ttv4$b3k$1(a)reader2.panix.com>, <billy(a)MIX.COM> wrote:

>Juan I. Cahis <jiclbchSINBASURA(a)attglobal.net> writes:
>
>> Dear friends, see:
>>
>> http://www.neowin.net/news/main/08/06/23/rare-mac-trojan-exploits-apple-vulnerability
>>
>> Any comment?
>
>From yesterday's SANS newsletter -
>
>http://www.sans.org/newsletters/newsbites/newsbites.php?vol=10&issue=50
>
> --Mac OS X Trojans Detected
> (June 20, 21 & 23, 2008)
> A recently detected Mac OS X Trojan horse program exploits a flaw in
> Apple Remote Desktop Agent (ARDAgent) to load itself as root and take
> control of vulnerable machines. The malware has numerous capabilities,
> including keystroke logging, opening ports in the firewall to evade
> detection, taking pictures with the built-in camera and turning on file
> sharing. Users can protect their systems by removing ARDAgent from its
> normal location and archiving it. A second Trojan affecting Macs
> pretends to be a poker application and tries to gain secure shell access
> to vulnerable machines.
> http://www.scmagazineus.com/Two-in-the-wild-trojans-target-Mac-OS-X/article/111551/
>
>http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9101898&intsrc=hm_list
> http://www.theregister.co.uk/2008/06/23/mac_trojan/print.html
>
>I suggest reading the rest of this at the SANS link, above. And, if
>you're concerned about security, subscribing to this and their other
>newsletters (which are free) would be a good idea, too.
>

I saw this as well.

I couldn't find Apple Remote Desktop Agent on my system, so I think that it's not part of the base OS but is something extra that one has to install separately.

No?

There's a handy little hint in that SANS newsletter on how to find SUID root programs that may be on your system.

Enter

    find / -user 0 -perm -4000

into a Terminal window. I had to use sudo to allow find to search everywhere.

It found a few.

After you find them, then you need to figure out if they belong on your system or not.

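Added example (not written by any poster in this thread): a shell version of the review step described in the post above, using the same find tests and reporting only the SUID files that are missing from a baseline list you have already reviewed. The function names, the baseline file format, and the extra -xdev and -type f options are assumptions of this example.

```shell
#!/bin/sh
# Added example: SUID audit against a reviewed baseline.
# Function names and the baseline format are hypothetical.

# list_suid ROOT [UID]
# Print, sorted, every regular file under ROOT that is owned by UID
# (default 0, root) and has the setuid bit set. -xdev and -type f are
# additions to the thread's command: stay on one filesystem and skip
# directories and symlinks. Errors from unreadable directories are
# discarded, so run under sudo for full coverage.
list_suid() {
    find "$1" -xdev -type f -user "${2:-0}" -perm -4000 -print 2>/dev/null |
        LC_ALL=C sort
}

# unexpected_suid ROOT BASELINE [UID]
# Print the SUID files under ROOT that are not listed in BASELINE.
# BASELINE holds one absolute path per line; blank lines and lines
# starting with # are ignored.
unexpected_suid() {
    known=$(mktemp) || return 1
    sed -e '/^#/d' -e '/^$/d' "$2" | LC_ALL=C sort -u > "$known"
    # comm -23 keeps lines that appear only in the first input (the scan).
    list_suid "$1" "${3:-0}" | LC_ALL=C comm -23 - "$known"
    rm -f "$known"
}

# Stand-alone use: sudo sh suid_audit.sh / reviewed_suid.txt
# Each unexpected file is shown with ls -l so that owner, mode and
# modification time are visible during review.
if [ "$#" -eq 2 ]; then
    unexpected_suid "$1" "$2" | while IFS= read -r f; do
        ls -l "$f"
    done
fi
```

Saving the output of list_suid on a freshly installed system gives a starting baseline; later runs then show only what has been added since.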
From: Mike Rosenberg on 25 Jun 2008 13:52

Michelle Steiner <michelle(a)michelle.org> wrote:

> > Any comment?
>
> 1. It's rare.
> 2. It's a trojan, not a virus.

You just reminded me of how much I'm going to miss Tim Russert's insightful analysis. <gd&r>

--
I kill Google Groups posts. See http://improve-usenet.org for details.
<http://designsbymike.net/shop/mac.cgi> Mac and geek T-shirts & gifts
<http://designsbymike.net/shop/prius.cgi> Prius shirts/bumper stickers
<http://designsbymike.net/shop/greet.cgi> Holiday cards with attitude

From: billy on 25 Jun 2008 14:14

Claude V. Lucas <claudel(a)sonic.net> writes:

> I couldn't find Apple Remote Desktop Agent on my system,
> so I think that it's not part of the base OS but is
> something extra that one has to install separately.
>
> No?

I'm not sure how widely deployed it is. When it is present, it lives here -

/System/Library/CoreServices/RemoteManagement/ARDAgent.app

Billy Y..