AppleScript.THT Trojan Horse
New OS X Trojan Horse in the Wild
SecureMac Security Advisory
Discovery: June 19th, 2008
Updated: June 23rd, 2008
Security Risk: Critical
SecureMac has discovered multiple variants of a new Trojan horse in the wild that affects Mac OS X 10.4 and 10.5. The Trojan horse is currently being distributed from a hacker website, where discussion has taken place on distributing it through iChat and Limewire. The source code for the Trojan horse has been distributed, indicating an increased probability of future variants.
The Trojan horse runs hidden on the system and gives a malicious user complete remote access to it. It can transmit system and user passwords, opens ports in the firewall so that the remote access stays reachable, and turns off system logging to avoid detection. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing. The Trojan horse exploits a recently disclosed vulnerability in the Apple Remote Desktop Agent, which allows it to run as root without prompting for an administrator password.
The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the file in order to become infected. Once running, the Trojan horse moves itself into the /Library/Caches/ folder and adds itself to the System Login Items, so that it is started again at every login.
Once installed, the Trojan horse turns on File Sharing, Web Sharing, and Remote Login. If the filename of the Trojan horse has not been changed, it can be found in the /Library/Caches folder under the name AStht_06.app.
Until Apple issues a patch for the Apple Remote Desktop Agent vulnerability, SecureMac classifies the security risk presented by this Trojan horse as high.
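The indicators given above (the two file names, the /Library/Caches drop location, the login item, the three sharing services and the root-privilege path through the Apple Remote Desktop Agent) can be checked from a shell on a suspect machine. The script below is an added example written for this page; it is not SecureMac or MacScan code. It makes assumptions the advisory does not state: that the launchd job labels for File Sharing, Web Sharing and Remote Login on 10.5 are com.apple.AppleFileServer, org.apache.httpd and com.openssh.sshd; that system-wide login items are recorded in /Library/Preferences/loginwindow.plist; and that the agent binary lives at the ARDAGENT path below and the root-privilege vector is its setuid bit. All three locations can be overridden through the environment.

```shell
#!/bin/sh
# Indicator checks for the AppleScript.THT Trojan horse.
# Added example, not SecureMac or MacScan code. Runs with /bin/sh.
#
# Assumptions (not stated in the advisory):
#   - launchd job labels: com.apple.AppleFileServer (File Sharing),
#     org.apache.httpd (Web Sharing), com.openssh.sshd (Remote Login)
#   - system-wide login items live in /Library/Preferences/loginwindow.plist
#   - the ARD agent binary is at the ARDAGENT path below and its
#     setuid bit is the root-privilege vector the Trojan relies on

# File names given in the advisory for the known variants.
THT_NAMES="ASthtv05 AStht_v06 AStht_06.app"

CACHE_DIR="${CACHE_DIR:-/Library/Caches}"
LOGINWINDOW_PLIST="${LOGINWINDOW_PLIST:-/Library/Preferences/loginwindow.plist}"
ARDAGENT="${ARDAGENT:-/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent}"

# scan_dir DIR: print every known Trojan file name present in DIR.
# Returns 0 if at least one was found, 1 otherwise.
scan_dir() {
    _dir=$1; _hit=1
    for _n in $THT_NAMES; do
        if [ -e "$_dir/$_n" ]; then
            printf 'FOUND %s\n' "$_dir/$_n"
            _hit=0
        fi
    done
    return $_hit
}

# login_item_hit PLIST: return 0 if a known Trojan name appears in the
# login items plist (the Trojan adds itself to the System Login Items).
login_item_hit() {
    [ -r "$1" ] || return 1
    for _n in $THT_NAMES; do
        grep -q -- "$_n" "$1" && return 0
    done
    return 1
}

# sharing_services: read `launchctl list` output on stdin and print one
# line per sharing service the Trojan is known to switch on.
sharing_services() {
    while IFS= read -r _line; do
        case $_line in
            *com.apple.AppleFileServer*) echo "File Sharing (AFP) is on" ;;
            *org.apache.httpd*)          echo "Web Sharing is on" ;;
            *com.openssh.sshd*)          echo "Remote Login (SSH) is on" ;;
        esac
    done
}

# ardagent_setuid BINARY: return 0 if the agent binary still carries the
# setuid bit, i.e. the privilege path used by the Trojan is still open.
ardagent_setuid() {
    [ -u "$1" ]
}

run_scan() {
    scan_dir "$CACHE_DIR" || echo "no known Trojan files in $CACHE_DIR"
    if login_item_hit "$LOGINWINDOW_PLIST"; then
        echo "WARNING: Trojan name present in $LOGINWINDOW_PLIST"
    fi
    # launchctl must run as root to list system daemons rather than user agents
    launchctl list 2>/dev/null | sharing_services
    if ardagent_setuid "$ARDAGENT"; then
        echo "WARNING: $ARDAGENT is still setuid; ARD agent vulnerability not closed"
    fi
}

if [ "${1:-}" = "--scan" ]; then
    run_scan
fi
```

Run it as root (for example `sudo sh tht-check.sh --scan`, the file name being arbitrary) so that launchctl reports system daemons. A clean result only means these particular indicators are absent: a variant with a renamed file, or one rebuilt from the released source, will not match the names, and the sharing services being on is normal on a machine where the owner enabled them.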
Protection: To protect your system against this threat, run MacScan 2.5.2 (MacScan is a product of SecureMac) with the latest Spyware Definitions update (2008011), dated June 19th, 2008. SecureMac recommends that users download files only from trusted sources and sites. Additional removal instructions and resources will be posted once available.
Resources:
Washington Post analysis on AppleScript.THT Trojan Horse
About MacScan:
MacScan quickly detects, isolates and removes spyware from Macintosh computers using both real-time spyware definition updating and unique detection methods. The software also manages internet-related clutter on your computer. It is designed for Mac OS X version 10.2.4 and later, and is compatible with OS X 10.5 (Leopard).
For more information, or to download a demo version of MacScan, visit http://macscan.securemac.com.
About SecureMac:
Since 1999, SecureMac.com has been at the forefront of Macintosh system security. The site not only features complete Macintosh Anti-Spyware and Antivirus solutions, but also operates as a clearinghouse for news, reviews and discussion of Apple computer security issues. Users from novice to the most advanced will find useful information at SecureMac that is designed to make their computer experience trouble free.