Note: This article was written for, and first published on, the International Mac Podcast blog.

It’s being reported this week that there is a Trojan Horse in the wild that’s targeted at Mac OS X (both Tiger and Leopard). This is quite a nasty beast which basically gives the attacker total control of your computer. This gives them access to all your files and allows them to snoop on everything you do, and hence collect sensitive data like banking details and credit card numbers. If you run Mac OS X this should concern you. However, there is no need to panic and lose sight of the realities of the situation. This is not a virus or a worm, it’s a Trojan. What’s the difference? Viruses and worms spread from machine to machine, often without any need for interaction on the user’s part. Trojans, on the other hand, have to be installed by the user. They work by pretending to be a legitimate program which an unsuspecting user then installs. They get their name because in many ways they are the digital equivalent of the wooden horse of Troy.


The take-home message here is simple: do not install ANYTHING that does not come from a trusted source, EVER. At the moment this particular Trojan is spreading on hacker sites. Expect to see it making its way around the seedier underbelly of the internet fairly rapidly. If Windows Trojans are any sort of a guide, expect to see this Trojan masquerading as a video codec you’ll need to view a free explicit video, or as a program to get around DRM on some pirated application or game.

Unfortunately this Trojan has some extra sting in its tail because it is exploiting a particularly nasty flaw in the Apple Remote Desktop software that makes up part of OS X. Malware doesn’t need root access to cause you serious headaches, but it can cause even more trouble when it has it. This flaw allows the Trojan, or indeed any program or person, easy administrative access to your computer without the need for a password and without any sort of prompt asking for permission. Officially this is known as a privilege escalation vulnerability, and unfortunately they are not uncommon. However, this particular one is particularly worrying because of just how fundamental the mistake Apple made was. Basically, Apple just flunked Unix security 101 on this one. If they can make elementary mistakes like this it makes you wonder just how many ticking time bombs there are in OS X.

On Unix-based operating systems like OS X, programs usually run as the user who launches them. When you launch a program it runs as you and has the same rights you do. Sometimes it is necessary to allow users to run a program as the user who owns the program rather than the user who launches it. This is done using a special flag called the SUID bit, and is usually used to allow users to start trusted programs as the administrative user, or root in Unix terminology. The user root can do ANYTHING, and much of the core OS runs as root. Any program that is SUID root needs to be meticulously secured. Every care needs to be taken, because if you make even a small mistake you will have produced a privilege escalation vulnerability.

The fewer SUID root programs there are in your OS the better, but you’ll always need some. One such program in OS X is ARDAgent, which is part of Apple’s Remote Desktop software. This program accepts AppleScript instructions, including the AppleScript instruction to execute a shell command. Since it is SUID root, that command will be run with full administrative rights! There you have it: until Apple plug this hole, all you have to do to get full administrative access on a Mac without needing a password is to issue a simple AppleScript command. You can try it for yourself in the Terminal. There is a simple terminal command, whoami, which just prints out the username that the command is running as. If you type that directly into a Terminal and hit return you’ll see it print out your username. If you issue the same command by getting AppleScript to ask ARDAgent to run it for you, you’ll see that it runs as root. Try it for yourself, just enter the following into the Terminal:

osascript -e 'tell app "ARDAgent" to do shell script "whoami"';

You’ll see it prints out root. You have just gained root access on your Mac without having to enter a password! To run any command as root just insert it into the above example in the place of the whoami command.
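The defensive side of the SUID story is knowing which programs on your system carry the bit at all. As an added example (not code from the original post), here is a small POSIX shell audit that lists every setuid executable under a directory together with its owner, counts them, and strips the bit from a file you decide should not have it; the function names are my own, and on an unpatched Mac of the time the ARDAgent binary described above would appear in this listing with root as its owner.

```shell
#!/bin/sh
# Added example: audit a directory tree for setuid executables.
# Assumes POSIX find, ls, awk and chmod; works with both BSD (macOS) and GNU tools.

# list_setuid DIR
#   Prints "owner path" for every regular file under DIR that has the setuid bit set.
#   -perm -4000 matches files whose mode includes the setuid bit (04000).
list_setuid() {
    find "$1" -type f -perm -4000 -exec ls -ld {} \; 2>/dev/null \
        | awk '{ print $3, $NF }'
}

# list_setuid_root DIR
#   Same as above, but only the entries owned by root: these are the ones that
#   hand out full administrative rights if they contain a mistake.
list_setuid_root() {
    list_setuid "$1" | awk '$1 == "root" { print $2 }'
}

# count_setuid DIR
#   Number of setuid files under DIR; a number you want to keep small and know by heart.
count_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

# strip_setuid FILE
#   Removes the setuid bit, so the program runs as whoever launches it.
#   This is the generic mitigation for a helper that should never have been SUID.
strip_setuid() {
    chmod u-s "$1"
}

# Typical use on a live system (needs read access to the tree being audited):
#   list_setuid_root /
```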

The bottom line is that OS X users can no longer afford to be complacent about their security. The bad guys are after Mac users too, and Apple make massive security gaffes just like anyone else. Remember, every program you run can do anything you can. It can delete all your files, set programs to launch each time you log in, and run in the background unseen. You don’t have to do any hacking whatsoever to steal people’s credit card details, you just have to trick them into installing your program.