Drag a Horse to Water -- but keep him off your Mac:
Major computer security service providers announced today the second major Trojan Horse to hit Apple's Mac OS X -- a computing platform often cited as invulnerable to the types of attacks that plague Microsoft's Windows operating system.
The previous Trojan raised Mac users' heart rates and drew cries of "I told you so" from Windows users, but that threat never materialized: the Trojan was never seen on computers in the wild.
Not so with Astht (aka Hovdy), said a senior manager at Symantec, the makers of Norton Antivirus for Macintosh. In a quote reported by IT News, the official stated Astht is indeed in the wild. Later, however, another Symantec senior staffer admitted that no known exploits have actually yet occurred.
Most security experts acknowledge the threat level is low. But because the source code for Astht is also in the wild (along with templates hackers use to create variants of the Trojan), it is very likely an official security patch from Apple will be forthcoming, thereby eliminating the threat.
What is Astht and what dangers does it present:
The Trojan exploits a major security hole in Apple Remote Desktop Agent -- software built in to Mac OS X (Tiger and Leopard -- 10.4 and 10.5 respectively) that enables remote management of a user's computer. Most IT firms use Apple Remote Desktop (ARD) to administer their clients' servers and workstations. The exploit also affects Leopard's Screen Sharing feature.
By targeting the flaw in ARD Agent, Astht gains root access to the user's computer, giving it complete access to all files and processes. The flaw is that ARDAgent runs with its set-user-ID bit, so any command the Trojan asks it to run inherits root privileges, without ever prompting for a password. Combined with its so-called drive-by download technique, which masks downloads of additional malicious files -- sometimes from trusted Websites -- Astht can adapt to further compromise the user's system.
The ARDAgent-based Trojan uses privilege escalation to turn various services, such as Personal File Sharing, Remote Management, SSH and even third-party antivirus programs, on and off. There are reports it may control built-in iSight cameras to surreptitiously grab shots of you, the user. More alarming, perhaps, are reports that variants of the Trojan contain keylogging code that records your every keystroke.
For a more detailed look at how the Trojan unleashes its nasty payload upon the unsuspecting, please visit TidBITS.
How to combat Astht:
While we wait for an official solution from Apple, there are ways in which we can avoid coming in contact with Astht.
- First and foremost, DO NOT download and run files from untrusted or unknown sources on the Internet. Installers normally ask you to authenticate with your Administrator password; never enter it unless you deliberately chose to install an application or program. Be aware, though, that Astht does not need your password: once its file is run, the ARDAgent flaw hands it root on its own.
- In order for Astht to be a threat, it must first find a way onto your computer, and it arrives as a downloaded file that you run. Denying it that entry is the whole defense: close the door on it.
- Next, consider the purchase of an antivirus package for your Mac. One such package we use at Techmuscle is Symantec's Norton Antivirus for Macintosh v. 11.
- Finally, consider turning off all remote management functions. (You will need Administrator access in order to perform these steps. If you are a Standard user, please ask Techmuscle or your in-house IT director for help.)
- To turn off remote management, please follow the step-by-step, illustrated guide provided by The Unofficial Apple Weblog (TUAW) at http://www.tuaw.com/ardfix/.
For advanced users:
This Terminal hackery is provided by MacFixIt.com but may prevent use of the remote management and screen sharing features:
Running the following command removes the set-user-ID and set-group-ID bits from the ARDAgent binary, so commands it is tricked into running execute as you rather than as root:
◦ sudo chmod -s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
Two caveats. First, this closes only the root escalation: a Trojan you run still runs with your own user's privileges and can still read and alter your own files. Second, a later Apple update could replace ARDAgent and restore the bit, so re-check the file's permissions (ls -l on the path above) after each system update.
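The following script is an added example, not part of the original newsletter or of MacFixIt's instructions. It wraps the check a practitioner would want around the chmod step above: it reports whether the ARDAgent binary still carries a set-user-ID or set-group-ID bit, strips the bits, and, going a little beyond the page, can list every other set-id binary under a directory so the same audit covers other privileged helpers. The ARDAgent path is the one quoted above; it only exists on Mac OS X 10.4/10.5 with Remote Management installed, and the script says so rather than failing elsewhere.

```shell
#!/bin/sh
# Added example (not from the original newsletter): audit and strip the
# set-user-ID / set-group-ID bits that let ARDAgent run commands as root.
# The path is the one quoted in the MacFixIt step; it is only present on
# Mac OS X 10.4/10.5 systems that have Remote Management installed.
ARDAGENT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# has_setid FILE: exit 0 if FILE carries a setuid or setgid bit, 1 if it
# does not, 2 if FILE does not exist.
has_setid() {
    [ -e "$1" ] || return 2
    [ -u "$1" ] || [ -g "$1" ]
}

# list_setid DIR: print every regular file under DIR that is setuid or
# setgid, one per line (POSIX find; -perm -4000 = setuid, -2000 = setgid).
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# strip_setid FILE: remove both bits. This is the same change as the
# "chmod -s" step above; on the real ARDAgent it must run under sudo.
strip_setid() {
    chmod u-s,g-s "$1"
}

# check_ardagent: report the state of ARDAgent. Exit status 1 means the
# binary is still set-id; 0 means it is clean or not installed here.
check_ardagent() {
    if [ ! -e "$ARDAGENT" ]; then
        echo "ARDAgent not present on this system; nothing to check"
        return 0
    fi
    if has_setid "$ARDAGENT"; then
        echo "WARNING: ARDAgent is set-id; commands it runs inherit root"
        echo "         fix: sudo chmod -s \"$ARDAGENT\""
        return 1
    fi
    echo "OK: ARDAgent carries no set-id bits"
    return 0
}

# Running the script directly performs the ARDAgent check.
check_ardagent
```

Run it as-is to get a one-line verdict, or source it and call `list_setid /System/Library/CoreServices` to see what else on the machine is set-id; anything in that list is a candidate for the same kind of abuse if it can be talked into running arbitrary commands.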
How to get LA MACTECH support:
Our new Web-based Trouble Ticket Support System alerts us to your support issues immediately and keeps track of your request from start to finish. You can even upload screen shots of alerts you receive, just by clicking a button.

For more information about Macintosh security please contact Techmuscle by visiting LA MACTECH.
In our next issue of iFAQ's:
- Tasty Green Morsels
- 10.5.4 Update
- Snow Leopard (aka Mac OS 10.6)


