OS X Trojan in the Wild – The Time For Smugness is Over
Filed Under Computers & Tech, Security on June 25, 2008 at 8:36 pm
Note: This article was written for, and first published on, the International Mac Podcast blog.
It’s being reported this week that there is a Trojan Horse in the wild that’s targeted at Mac OS X (both Tiger and Leopard). This is quite a nasty beast which basically gives the attacker total control of your computer. That gives them access to all your files and allows them to snoop on everything you do and hence collect sensitive data like banking details and credit card numbers. If you run Mac OS X this should concern you. However, there is no need to panic and lose sight of the realities of the situation. This is not a virus or a worm, it’s a Trojan. What’s the difference? Viruses and worms spread from machine to machine, often without any need for interaction on the user’s part; Trojans, on the other hand, have to be installed by the user. They work by pretending to be a legitimate program which an unsuspecting user then installs. They get their name because in many ways they are the digital equivalent of the wooden horse of Troy.
The take-home message here is simple: do not install ANYTHING that does not come from a trusted source, EVER. At the moment this particular Trojan is spreading on hacker sites. Expect to see it making its way around the seedier underbelly of the internet fairly rapidly. If Windows Trojans are any sort of a guide, expect to see this Trojan masquerading as a video codec you’ll need to view a free explicit video, or as a program to get around DRM on some pirated application or game.
Unfortunately this Trojan has some extra sting in its tail because it exploits a particularly nasty flaw in the Apple Remote Desktop software that makes up part of OS X. Malware doesn’t need root access to cause you serious headaches, but it can cause even more trouble when it has it. This flaw allows the Trojan, or indeed any program or person, easy administrative access to your computer without the need for a password and without any sort of prompt asking for permission. Officially this is known as a privilege escalation vulnerability, and unfortunately they are not uncommon. However, this particular one is particularly worrying because of just how fundamental the mistake Apple made was. Basically, Apple just flunked Unix security 101 on this one. If they can make elementary mistakes like this it makes you wonder just how many ticking time bombs there are in OS X.
On Unix-based operating systems like OS X, programs usually run as the user who launches them. When you launch a program it runs as you and has the same rights you do. Sometimes it is necessary to allow users to run a program as the user who owns the program rather than the user who launches it. This is done using a special flag called the SUID bit, and it is usually used to allow users to start trusted programs as the administrative user, or root in Unix terminology. The user root can do ANYTHING and much of the core OS runs as root. Any program that is SUID root needs to be meticulously secured. Every care needs to be taken because if you make even a small mistake you will have produced a privilege escalation vulnerability.
The fewer SUID root programs there are in your OS the better, but you’ll always need some. One such program in OS X is ARDAgent, which is part of Apple’s Remote Desktop software. This program accepts AppleScript instructions, including the AppleScript instruction to execute a shell command. Since it is SUID root, that command will be run with full administrative rights! There you have it: until Apple plug this hole, all you have to do to get full administrative access on a Mac without needing a password is to issue a simple AppleScript command. You can try it for yourself in the Terminal. There is a simple terminal command, whoami, which just prints out the username that the command is running as. If you type that directly into a Terminal and hit return you’ll see it print out your username. If you issue the same command by getting AppleScript to ask ARDAgent to run it for you, you’ll see that it runs as root. Try it for yourself, just enter the following into the Terminal:
osascript -e 'tell app "ARDAgent" to do shell script "whoami"';
You’ll see it prints out root. You have just gained root access on your Mac without having to enter a password! To run any command as root just insert it into the above example in the place of the whoami command.
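As an added example, not code from the original post: a small audit script in the spirit of the SUID explanation above. It lists the SUID-root programs on a machine, which are exactly the ones that need the meticulous care the article describes, and checks whether a given binary, such as ARDAgent, still carries the SUID bit. The ARDAgent path is an assumption about where the Remote Management bundle keeps its binary, not a path quoted in the article.

```shell
#!/bin/sh
# Added example, not code from the original post: audit SUID-root programs.
# The ARDAgent location below is an assumption (its usual place inside the
# Remote Management bundle), not a path quoted in the article.
ARDAGENT_PATH="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# is_suid PATH: succeed (exit 0) if PATH is a regular file with the SUID bit
# (octal 4000) set, i.e. it runs as its owner rather than as the launcher.
is_suid() {
    [ -n "$(find "$1" -maxdepth 0 -type f -perm -4000 -print 2>/dev/null)" ]
}

# list_suid_root DIR: print every regular file below DIR that is both SUID
# and owned by root. Each of these runs with root's rights when anyone
# launches it, so each one is a place where a small bug becomes a
# privilege escalation.
list_suid_root() {
    find "$1" -xdev -type f -user root -perm -4000 -print 2>/dev/null
}

# count_suid_root DIR: how many SUID-root files sit below DIR. The article's
# point is that fewer is better, so this is a number worth tracking over time.
count_suid_root() {
    list_suid_root "$1" | wc -l | tr -d ' '
}

# check_ardagent: report whether ARDAgent on this machine is still SUID,
# the condition that lets its "do shell script" run as root.
check_ardagent() {
    if [ ! -e "$ARDAGENT_PATH" ]; then
        echo "ARDAgent not found at $ARDAGENT_PATH"
    elif is_suid "$ARDAGENT_PATH"; then
        echo "WARNING: ARDAgent is SUID; commands it runs execute as root"
    else
        echo "OK: ARDAgent is present but not SUID"
    fi
}

# Run the audit: ARDAgent status plus the SUID-root inventory of /usr/bin.
check_ardagent
echo "SUID-root programs under /usr/bin: $(count_suid_root /usr/bin)"
list_suid_root /usr/bin
```

Run `list_suid_root /` as an administrator to see the whole inventory for the machine; every entry deserves the same scrutiny the article asks for.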
The bottom line is that OS X users can no longer afford to be complacent about their security. The bad guys are after Mac users too, and Apple make massive security gaffes just like anyone else. Remember, every program you run can do anything you can. It can delete all your files, set programs to launch each time you log in, and run in the background unseen. You don’t have to do any hacking whatsoever to steal people’s credit card details, you just have to trick them into installing your program.
Hey there. I’ve been waiting quite long for such a thing to happen, but then there is no such thing as secure software. As I’ve recently stated on my blog in another context: the only 100% security you have is to physically disconnect. So if you can’t deal with at most 80% security, you have to unplug your network cable. That’s a harsh reality for some and I had the feeling that particularly some of the Mac users gave the impression that they are not aware that their system is vulnerable. But both you and I already know that we always have to be cautious.
Apple has been making some mistakes in the past and this is obviously one of the more scary ones. It’s easy to fix though… just get ARDAgent inside a .zip and out of your way for now. Still, as you already stated, there are probably some time bombs ticking in the system. But then even in systems that are focused entirely on security, there are security vulnerabilities… a programmer is only human and a software system is so complex that you can’t always pinpoint every possible attack vector.
As for Apple, there are some ideas around that could help with that. Stack Smashing Protection, Address Space Layout Randomization (i.e. completely, not partially as in Leopard), complete sandboxing of processes, etc. … make it quite hard for attackers to exploit the hole in the grid they found. I just hope OS X is going to have them soon (at the latest in 10.6). But even then, you always have to be sure what you are installing.
Still, you always have to make sure that you know what you are doing when installing something, which isn’t always a good idea.
Hi,
I tried the terminal command:
osascript -e 'tell app "ARDAgent" to do shell script "whoami"';
It didn’t respond.
Doug Hogg
I take it you did one of the tricks to disable ARDAgent then?
Bart.
Nope, I was just trying out the osascript command.
I tried it again and it came back with this response:
[DougsG4mac:~] admin% whoami
admin
[DougsG4mac:~] admin% osascript -e 'tell app "ARDAgent" to do shell script "whoami"';
23:47: execution error: ARDAgent got an error: Connection is invalid. (-609)
[DougsG4mac:~] admin%
Doug Hogg
Hi Doug,
Do you perchance have remote administration enabled? Rather paradoxically if you have this service enabled you’re immune from this little vulnerability. Usually the answer is to turn buggy services off, here the solution is to turn it on!
Bart.