First Trojan Based on ARDAgent Root Exploit

Secure Mac are reporting that they have found a trojan designed to take advantage of the ARDAgent root exploit that I posted about previously.

The Trojan dubbed “AppleScript.THT” allows the remote attacker full access to the system, steals usernames and passwords, hides by turning off system logging, opening firewall ports and can also be used to install key logging software, take pictures using the inbuilt iSight and to enable file sharing.

The Trojan come as either a compiled AppleScript titled ASthtv05 or as a disc image called ASthtv_06. In both cases, the files have to be downloaded and executed by the user. At the moment, the Trojan does not take advantage of any other Mac vulnerabilities to automatically infect new machines – but that’s probably only a matter of time.

Secure Mac are advising Mac users to use MacScan to protect themselves against the threat. Or you could just stop the ARDAgent service from running scripts as root.