Daily cyber threats and internet security news: network security, online safety and latest security alerts
June 22nd, 2008

Trojan In The Wild Exploits Recently Disovered Bug In Mac OS X Remote Management

Security researchers from SecureMac has discovered multiple variants of a new Trojan horse in the wild that affects Mac OS X 10.4 and 10.5. The Trojan horse is currently being distributed from a hacker website, where discussion has taken place on distributing the Trojan horse through iChat, Apple’s instant messaging and video chat software, and Limewire.

SecureMac, a Mac-specific anti-virus vendor, researchers discovered the Trojan in June 19. The Trojan, AppleScript.THT, was classified as a “critical” threat. SecureMac’s warning came one day after an anonymous reader disclosed a few details of the ARDAgent vulnerability on, and on the same day that rival security vendor Intego provided more information about the bug.

The malware exploits a recently publicized vulnerability in the Apple Remote Desktop Agent (ARDAgent), part of Tiger’s and Leopard’s Remote Management component. Composed as a compiled AppleScript, or in another variant, script bundled into an application, the Trojan leverages the ARDAgent bug to gain full control of the victimized Mac.

The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing.

The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items.

Like any Trojan horse, AppleScript.THT does not spread on its own but relies on user interaction, such as downloading and launching, to infect a machine. Trojans can also be silently introduced on a computer if it’s injected after a successful attack using another vulnerability, such as a browser bug.

Users can protect themselves by removing ARDAgent from its normal location, which is System/Library/CoreServices/RemoteManagement, and archiving the application. MacScan 2.5.2 (a software by SecureMac) can also protect your system against this threat if you got the latest Spyware Definitions update (2008011), dated June 19th. SecureMac recommends that users download files only from trusted sources and sites.

Share this item with others:

More on CyberInsecure:
  • Apple QuickTime Multiple Remote Vulnerabilities
  • Vulnerabilities Of Non Executable File Formats In The Wild
  • Mac OS X Malware Found In Pirated Apple iWork 09
  • Apple Users Targeted By Smut-punting Video Codec Malware
  • Hackers Might Exploit Apple’s iCal Memory Corruption Vulnerability

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Trojan In The Wild Exploits Recently Disovered Bug In Mac OS X Remote Management

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.