The issue in question is a trojan (affecting both Leopard and Tiger) that can tag along normal Mac OS X applications. Once installed, it sets up a keystroke logger named 'logkext'. It then moves on to set up a VNC server listing the infected computer, giving the hacker remote access to the machine. In addition, it also installs a web-based 'PHP shell' program, giving the hacker control over your machine through a mere web browser. To prevent losing track of the infected machine because of changing IP addresses, the trojan also sets up the machine so that it can be tracked using a dynamic DNS services. The trojan makes use of either last week's unpatched ARDAgent vulnerability, or an old, already patched privilege escalation vulnerability.
So far, so good. Usually, this is right about where all the scaremongering articles across the intertubes reveal the user has to manually activate the trojan and enter his root password. Not so in this case - this trojan runs without requiring a root password, and it is modular in nature, so that it can tag along any regular application. "This could be bundled with any arbitrary application very easily," security researcher Dino Dai Zovi, who analysed the trojan's code, explains, "Most people assume that if something is going to do something dangerous, that it will ask you for your password first, but this won't."
Security Fix sought contact with one of the authors of the trojan. The author explains the motives of the group responsible for the trojan:
SecureMac, an Mac antivirus manufacturer, claims the trojan is out in the wild, but obviously such claims are dubious since SecureMac actually benefits by such a trojan being out in the wild. Still, Dino Dai Zovi believes this trojan is more important than its rather impotent predecessors.
This article provides some stop-gap fixes for this issue until Apple fixes it.