The Channel Wire

June 23, 2008

Two Mac viruses were discovered over the weekend. SecureMac and Intego Security reported that Trojans in the wild have the potential to cause serious damage to Mac desktops. One comes wrapped in a poker application and the second, and more nefarious, takes advantage of the ARDAgent.

The ARDAgent allows the virus to execute code as root when it is run on a machine. The ARDAgent virus has the setuid bit. According to Intego, "Users running such an executable [allows the virus to] gain the privileges of the user who owns that executable." In this case, ARDAgent is owned by root, allowing the virus to run code without first entering a password.

ARDAgent can be invoked to execute shell commands through AppleScript.

The second Trojan Mac users need to be aware of comes in the form of a poker game download. The exploit is masquerading as a poker game application that users can download, according to Intego. Called 'Poker Game,' the Trojan requires users to download the application and then run it before it becomes active.

According to Intego, "The Trojan in question is a shell script encapsulated in an application, and is distributed in a 65 KB Zip archive; unzipped, it is 180 KB."

Once downloaded and run, the virus activates the SSH and sends the user name and password to a server. From there, hackers can access the user's machine, deleting files, modifying the OS or worse.

According to SecureMac, the Trojan horse "affects Mac OS X 10.4 and 10.5. AppleScript.THT Trojan Horse runs hidden on the system and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging."

As an added nasty benefit, the Trojan is also able to log keystrokes, activate the Apple iSight Camera and turn on file sharing. The virus affects Mac OS x 10.4 and 10.5.