Re: Neowin News: "Rare mac trojan exploits apple vulnerability"



In article <g3ttv4$b3k$1@xxxxxxxxxxxxxxxxx>, <billy@xxxxxxx> wrote:
Juan I. Cahis <jiclbchSINBASURA@xxxxxxxxxxxxx> writes:

Dear friends, see:

http://www.neowin.net/news/main/08/06/23/rare-mac-trojan-exploits-apple-vulnerability

Any comment?

From yesterday's SANS newsletter -

http://www.sans.org/newsletters/newsbites/newsbites.php?vol=10&issue=50

--Mac OS X Trojans Detected
(June 20, 21 & 23, 2008)
A recently detected Mac OS X Trojan horse program exploits a flaw in
Apple Remote Desktop Agent (ARDAgent) to load itself as root and take
control of vulnerable machines. The malware has numerous capabilities,
including keystroke logging, opening ports in the firewall to evade
detection, taking pictures with the built-in camera and turning on file
sharing. Users can protect their systems by removing ARDAgent from its
normal location and archiving it. A second Trojan affecting Macs
pretends to be a poker application and tries to gain secure shell access
to vulnerable machines.
http://www.scmagazineus.com/Two-in-the-wild-trojans-target-Mac-OS-X/article/111551/

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9101898&intsrc=hm_list
http://www.theregister.co.uk/2008/06/23/mac_trojan/print.html

I suggest reading the rest of this at the SANS link, above. And, if
you're concerned about security, subscribing to this and their other
newsletters (which are free) would be a good idea, too.


I saw this as well.

I couldn't find Apple Remote Desktop Agent on my system,
so I think that it's not part of the base OS but is
something extra that one has to install separately.

No?

There's a handy little hint in that SANS newsletter
on how to find SUID root programs that may be on your
system.

Enter

find / -user 0 -perm -4000

into a Terminal window. I had to use sudo to allow
find to search everywhere. It found a few. After
you find them, then you need to figure out if they
belong on your system or not.
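The SUID-root audit described in the post above, as an added example that is not part of the original thread: a small POSIX sh script that wraps the same `find / -user 0 -perm -4000` invocation in a function, and adds the step the poster says comes next, deciding whether each hit belongs. It does that by recording a sorted baseline on the first run and printing only files that have appeared since, so an unexpected setuid-root binary stands out instead of being lost among the legitimate ones. The baseline path and the `suid_audit.sh` filename are assumptions for illustration; the functions take the owner uid and the root directory as parameters so they can be exercised on a scratch tree without root.

```shell
#!/bin/sh
# Added example (not from the thread): list setuid binaries owned by a given
# uid under a directory tree, and diff that list against a saved baseline so
# that newly appeared setuid files stand out. Run the real scan with sudo, as
# the poster notes, or find cannot enter directories that are not
# world-readable; those permission errors are discarded below.

# list_setuid UID DIR
# Prints, sorted, every regular file under DIR owned by UID with the setuid
# bit (04000) set. The original command used uid 0 and "/"; -type f only
# drops directories, which carry no meaning for setuid, and the sort makes
# the output usable as a baseline for comm(1).
list_setuid() {
    uid="$1"
    dir="$2"
    find "$dir" -type f -user "$uid" -perm -4000 2>/dev/null | sort
}

# new_setuid BASELINE_FILE UID DIR
# Prints setuid files present now that are absent from BASELINE_FILE
# (which must be a sorted listing written by list_setuid).
# comm -13 suppresses lines only in the baseline and lines common to both,
# leaving the newcomers.
new_setuid() {
    baseline="$1"
    uid="$2"
    dir="$3"
    list_setuid "$uid" "$dir" | comm -13 "$baseline" -
}

# Command-line use (hypothetical baseline path, root scan, needs sudo):
#   sudo sh suid_audit.sh /var/root/suid-baseline.txt
# The first run records the baseline; every later run prints only setuid-root
# files that were not there before, which is the list worth investigating.
if [ $# -gt 0 ]; then
    baseline="$1"
    if [ ! -f "$baseline" ]; then
        list_setuid 0 / > "$baseline"
        echo "baseline written to $baseline ($(wc -l < "$baseline" | tr -d ' ') setuid-root files)"
    else
        new_setuid "$baseline" 0 /
    fi
fi
```

A baseline taken right after a clean install (or from a known-good machine of the same OS version) is the reference; anything that shows up later needs an explanation, such as a package you installed that legitimately needs root, before you decide it belongs. Keep the baseline file somewhere an unprivileged process cannot rewrite it, or the comparison proves nothing.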