You're Toast, Dude?
Follow the money.
The news of a security hole in Apple's remote management module is unsettling, but it's no cause for panic. There are reports this exploit is already 'in the wild', but when reading them remember to 'follow the money'.
SecureMac have already given the exploit a name. In best McAfee/Symantec/F-Secure fashion they've named it the 'AppleScript.THT Trojan Horse'.
Reading their description of this 'trojan' you'd think it was frighteningly powerful.
The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system...
... can transmit system and user passwords...
Wow. It can do that too? Both system and user passwords?
... can avoid detection by opening ports in the firewall and turning off system logging...
Oh how does it do all these things? But we're just warming up here, folks.
Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing.
It's gotta be the End of the World™. How can one piece of devious software do all that? Saving the least for last:
The Trojan horse exploits a recently discovered vulnerability with the Apple Remote Desktop Agent, which allows it to run as root.
Ah. In other words... It can do anything!
What you're looking at, no more and no less, is merely an itemisation of the potentially scariest things root could do.
For your convenience SecureMac have published a 'PDF advisory' which is identical to their HTML page on the subject.
Thanks for that.
Intego have an actual picture of a true-to-life trojan based on the same hole. Actually it's not a screenshot of the application itself but of its info sheet. Better than nothing perhaps.
And there's more detail here - yet no way of knowing if this is the same critter those good folks at SecureMac had in mind.
The Trojan horse, when run, activates ssh on the Mac on which it is running, then sends the user name and password hash, along with the IP address of the Mac, to a server. It asks for an administrator's password after displaying a dialog saying, "A corrupt preference file has been detected and must be repaired." Entering the administrator's password enables the program to accomplish its tasks. After gaining ssh access to a Mac, malicious users can attempt to take control of it, delete files, damage the operating system, or much more.
Sounds mighty nasty! But why's it asking for a password when #1) it's already got root; and #2) already passed the password data onto the mothership? Something's not right.
Intego VirusBarrier X4 and X5 with virus definitions dated June 20, 2008 protect against this Trojan horse.
Ah. About time you got around to that.
Intego recommends that users never download and install software from untrusted sources or questionable web sites.
Yeah right, Intego. Thanks for that!
Cult of Mac
A lie repeated often enough will end up as truth. It's not a conspiracy - it's just people listening to their own voices.
Lonnie Lazar writes a scary piece entitled 'Barbarians at the Gate'. That's a title destined to curdle your blood. Barbarians? Wander over to the Mac hack sites and look who's writing what about this. They're mostly clueless and admit it. Barbarians? More like school kids out for the summer.
Lazar tries from the outset to put the fear of malware into the reader.
Mac users surfed happily along the Internet's boundless realms, content in the knowledge that Apple's tiny OS market share was little incentive for hackers and malicious social engineers.
Yes, LL, having a minuscule market share is always good. Things are always more secure if nobody's trying to break in. But there's an endemic difference between a standalone system like Windows and an essentially 'Unix' system like Apple's. Glossing over this is precisely what all the clueless Windows pundits do. Don't give too much away about your lack of cred in this area.
From this point onward it looks like LL's in the tank for SecureMac, basically repeating the lie. The article even quotes another article by Jim Dalrymple who, as we all know, is an expert at creating online hype.
Things calm down after a while - but you've hopefully swallowed the sinker.
Comments on the Macworld piece point to the fact that these kinds of security threats should only affect the most unaware users who might be duped into installing unknown software on their machines, and willingly providing their administrative passwords. Not a few of them express skepticism regarding SecureMac and Intego's financial incentive for discovering and reporting on these Trojan horses 'in the wild'.
Ah. Isn't that awfully cynical?
The Road Ahead
As Apple's desktop OS market share continues to grow, however, and the tens of millions of iPhone's mobile OS targets hit the market, the lure for hackers and malicious program developers gets larger, increasing the likelihood of security turbulence for Mac users on the road ahead.
Yes. Security turbulence. Good choice of word. And things will be turbulent as long as the OS vendor continues to cut corners around Unix security and lets flawed and untested code out the door.
But news flash: the sky is not falling. Repeat: it's not falling.
Learning Curve: A Suggestion
Industry Watch: You're Root, Dude!
Industry Watch: You're Toast, Dude?
Learning Curve: The First Real Malware?
Learning Curve: Apple Redefine 'Epic FAIL'?
Industry Watch: It's Not New It Starts with 10.2
Apple Developer Connection: AppleScript Overview
Industry Watch: Huge, Crazy, Ridiculous OS X Security Hole
Apple Developer Connection: Apple Events Programming Guide