There’s a Big Worm in your Apple Mac

And you thought you were safe from malware when you switched to a Mac. You may change your mind soon, especially now that the Mac’s recent market share gains appear to be contributing to malware authors’ growing interest in the platform. Security experts are now warning about a new Trojan horse released in the wild, targeting OS X Tiger and Leopard users. The malware can steal your passwords, avoid detection, log what you type and even take your picture.

If the latest malware alert is any indication, Mac users may be forced to rethink their relaxed approach to online security. A new, dangerous Trojan is apparently already circulating in multiple variants that target OS X Tiger and Leopard users. Unlike previous malware attempts, which were often proof-of-concept releases, this beast can cause real damage, researchers from SecureMac and Intego are reporting.

AppleScript.THT comes either as a 3.1 MB application dubbed AStht_v06 or as a 60 KB compiled AppleScript script called ASthtv05. Once a user downloads and runs one of those executables, their system is infected.

When active, AppleScript.THT exploits a recently outlined Apple Remote Desktop Agent vulnerability. The malware runs as root, the system-wide account with full privileges used by the operating system. It then adds itself to the System Login Items so that the Trojan launches every time the Mac is restarted. It also moves itself into the /Library/Caches/ folder. Security researchers warn that the Trojan runs in the background and hides from detection by turning off system logging and opening ports in the operating system’s software firewall.
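The persistence described above can be checked for from the defender's side. The following is an added example, not code from the article, SecureMac or Intego: it parses a login-items property list and flags entries that launch from /Library/Caches or carry one of the two reported file names. It assumes the system login items are stored in /Library/Preferences/loginwindow.plist under an `AutoLaunchedApplicationDictionary` array of entries with a `Path` key; the sample plist is constructed.

```python
import plistlib
import posixpath
from pathlib import PurePosixPath

# Names and folder reported in the article (file extensions are not given there).
REPORTED_NAMES = {"AStht_v06", "ASthtv05"}
CACHE_DIR = PurePosixPath("/Library/Caches")

# Assumption (not from the article): system login items are listed under this
# key, each as a dict with a "Path" entry.
LOGIN_ITEMS_KEY = "AutoLaunchedApplicationDictionary"


def suspicious_login_items(plist_bytes):
    """Return [(path, [reasons])] for login items that match the article's description."""
    data = plistlib.loads(plist_bytes)
    findings = []
    for item in data.get(LOGIN_ITEMS_KEY, []):
        raw = item.get("Path", "") if isinstance(item, dict) else ""
        if not raw:
            continue
        # Collapse "..", "//" and similar so the folder check cannot be sidestepped.
        path = PurePosixPath(posixpath.normpath(raw))
        reasons = []
        if CACHE_DIR in path.parents:
            reasons.append("launches from /Library/Caches")
        # Compare without the extension, whatever it is.
        if path.stem in REPORTED_NAMES:
            reasons.append("file name reported for AppleScript.THT")
        if reasons:
            findings.append((str(path), reasons))
    return findings


# Constructed sample, not taken from a real machine.
SAMPLE_PLIST = plistlib.dumps({LOGIN_ITEMS_KEY: [
    {"Path": "/Applications/iChat.app", "Hide": False},
    {"Path": "/Library/Caches/AStht_v06.app", "Hide": True},
    {"Path": "/Library/Caches/../Caches/updater", "Hide": True},
    {"Path": "/Users/alice/Desktop/ASthtv05.scpt", "Hide": False},
]})

if __name__ == "__main__":
    for path, reasons in suspicious_login_items(SAMPLE_PLIST):
        print(path, "->", "; ".join(reasons))
```

A login item that starts from a cache folder is worth a look even when its name does not match, since the reported names may differ between variants.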

You may have guessed that AppleScript.THT can communicate with the outside world and enables a malicious user to gain complete remote access to your Mac. It has been confirmed that such a user can use the Trojan nested in your system to steal system and user passwords, as well as various other passwords stored in the keychain. It can also log keystrokes of whatever you’re typing on a keyboard and send that data remotely to a malicious user.

AppleScript.THT can also turn on file sharing features to expose your files to the outside world. Additionally, it is able to take screenshots of your desktop and even take pictures of you using the Mac’s built-in iSight camera.

SecureMac and Intego said they have updated their virus definition databases to detect and remove the Trojan.

4 Responses

  1. Hmm. Big worm? Compared to what? 110K+ Windows viruses, malware, spyware and bots spewing millions of emails directed from an Eastern European host? And you call one Mac Trojan a “big worm?”

    And how would we download it? It just appears in our inbox and we stupidly open it up, type in our password without any thought as to what it might be? Maybe we download it from a website? What website? CNN? New York Times? Fox News? Where would we download it? I mean, if this is as disastrous as you say, please tell us where this Trojan lives so we can avoid it like the plague!

    This is just another misinformed article hoping to make Mac security look like its Windows counterpart. As if we Mac users wake up one day and magically our Macs are being taken over through no fault of our own. I seriously think the Windows world expects every other computing platform to have viruses. The reality is they don’t. The bottom line is that just because someone created a Mac virus does not mean the Mac world is at risk. This is a needle in the haystack.

  2. “I’ve seen things you people wouldn’t believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhauser gate. All those moments will be lost in time”

    It’s still a worm, Blad_rnr
