On OSNews, we try to steer away from speaking of specific security incidents, trojans, or viruses, unless they are in one way or the other special, or very influential. Over the course of the past 12 months or so, many incidents concerning Mac security arose, but most, if not all, were lemons: they required the user to actively enter his administrator password, or to manually launch the malicious program. In my book, these cases do not constitute as serious breaches of security, and hence, OSNews ignored them. However, a new security breach has been making rounds around the internet lately, which does pose a serious breach in security.
The issue in question is a trojan (affecting both Leopard and Tiger) that can tag along normal Mac OS X applications. Once installed, it sets up a keystroke logger named ‘logkext’. It then moves on to set up a VNC server listing the infected computer, giving the hacker remote access to the machine. In addition, it also installs a web-based ‘PHP shell’ program, giving the hacker control over your machine through a mere web browser. To prevent losing track of the infected machine because of changing IP addresses, the trojan also sets up the machine so that it can be tracked using a dynamic DNS services. The trojan makes use of either last week’s unpatched ARDAgent vulnerability, or an old, already patched privilege escalation vulnerability.
So far, so good. Usually, this is right about where all the scaremongering articles across the intertubes reveal the user has to manually activate the trojan and enter his root password. Not so in this case – this trojan runs without requiring a root password, and it is modular in nature, so that it can tag along any regular application. “This could be bundled with any arbitrary application very easily,” security researcher Dino Dai Zovi, who analysed the trojan’s code, explains, “Most people assume that if something is going to do something dangerous, that it will ask you for your password first, but this won’t.”
Security Fix sought contact with one of the authors of the trojan. The author explains the motives of the group responsible for the trojan:
Apple tells us that OS X is safe and secure and fails to actually confirm that it is so on their own. We are left to experiment and test our own security and too often we discover that we aren’t actually as secure as we were led to believe. When you are seeking information about how to secure your own system, frequently the best sources of that information are hackers, not the vendors.
SecureMac, an Mac antivirus manufacturer, claims the trojan is out in the wild, but obviously such claims are dubious since SecureMac actually benefits by such a trojan being out in the wild. Still, Dino Dai Zovi believes this trojan is more important than its rather impotent predecessors.
I think that these revelations reveal that the Mac is entering a new phase of exposure to malware. This shows that there is an active community of researchers who are looking for vulnerabilities in MacOS X and *not* reporting their findings to Apple.
This article provides some stop-gap fixes for this issue until Apple fixes it.