Threat Center Security News Unpatched Mac Flaw Grows into a Trojan?
Unpatched Mac Flaw Grows into a Trojan? Print E-mail
Written by Rebecca Mints   
Tuesday, 24 June 2008 10:38

Still watching one of the unpatched mac flaws a new Trojan is possibly released. A tool for exploiting an unpatched security hole in Mac OS X systems has been developed and until earlier today was being distributed through an online forum that caters to Mac hackers.


A few excerpts from Security Fix:

The new tool "Applescript Trojan horse template" created by hackers at, appears to be a collective and ongoing effort to create a package of malicious software that capitalizes on the ARDagent security hole first publicized last week. The vulnerability essentially allows any program to run on a Mac user's machine without first prompting the user to enter his or her user name and password.

The Macshadows user forum appears to have been wiped clean, both from the Web site and from Google's cache. However, Security Fix obtained screen shots of forum postings from the code's authors as shown below.

"This could be bundled with any arbitrary application very easily," Dai Zovi said of the Trojan template. "Most people assume that if something is going to do something dangerous, that it will ask you for your password first, but this won't."

Once installed, the Trojan drops a keystroke logger called "logkext" on the Mac user's system. It then sets up a virtual network computing (VNC) server listening on the victim's machine, which would provide an attacker remote access to the victim's computer.

The code also installs a Web-based "PHP shell" program that allows the attackers to remotely manipulate the infected machine using nothing more than a Web browser. That component of the Trojan also sets the victim's system so that it can be tracked using dynamic DNS services, which permit remote users to remain connected to a system even if its numeric Internet address changes over time.



WTW Threat Level