The Trojan, dubbed “AppleScript.THT”, gives a remote attacker full access to the system. It steals usernames and passwords, hides by turning off system logging, opens firewall ports, and can also be used to install key logging software, take pictures using the inbuilt iSight and enable file sharing.
The Trojan comes as either a compiled AppleScript titled ASthtv05 or as a disc image called ASthtv_06. In both cases, the files have to be downloaded and executed by the user. At the moment, the Trojan does not take advantage of any other Mac vulnerabilities to automatically infect new machines – but that’s probably only a matter of time.
A serious security hole has been found in Mac OS X – both Leopard and Tiger are affected. The exploit allows someone with physical access to a Mac to run programs as the Root user.
The exploit uses the Apple Remote Desktop application (ARDAgent) to execute a shell script, and that script runs as Root. To test this, type the following command in Terminal:
osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
This command works even if Remote Desktop Sharing is disabled and the Root user is disabled in the Directory Utility. However, it will only work if the user is logged into the computer. It will not work if Fast User Switching has been used.
As this is a brand new exploit, there is no fix as yet.
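Until a fix exists, one defensive check is to watch process listings for the command pattern shown above. The following is an added example, not part of the original article: it scans "user pid command" lines (constructed sample data) for osascript invocations that tell ARDAgent to run a shell script, and reports the shell command requested. The input format and the names find_ardagent_calls, script_text and SAMPLE_PS are assumptions of this example.

```python
import re
import shlex

# AppleScript that tells ARDAgent to run a shell command; "app" and
# "application" are interchangeable, and "to" is absent in block form.
ARD_TELL = re.compile(
    r'tell\s+app(?:lication)?\s+"ARDAgent"(?:\s+to)?\s+'
    r'do\s+shell\s+script\s+"((?:[^"\\]|\\.)*)"',
    re.IGNORECASE,
)

def script_text(command):
    """Return the AppleScript passed to osascript with -e, or None."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes: fall back to the raw text
        return command if "osascript" in command else None
    if not argv or not argv[0].endswith("osascript"):
        return None
    # Several -e arguments are joined as successive lines of one script.
    return "\n".join(argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-e")

def find_ardagent_calls(ps_lines):
    """Return user, pid and requested shell command for each match."""
    hits = []
    for line in ps_lines:
        fields = line.split(None, 2)
        if len(fields) < 3 or not fields[1].isdigit():
            continue  # header or malformed line
        user, pid, command = fields
        text = script_text(command)
        match = ARD_TELL.search(text) if text else None
        if match:
            hits.append({"user": user, "pid": int(pid), "shell": match.group(1)})
    return hits

# Constructed sample in "user pid command" form, not captured from a real host.
SAMPLE_PS = [
    "USER   PID COMMAND",
    "alice  412 /usr/bin/osascript -e 'tell app \"ARDAgent\" to do shell script \"whoami\"'",
    "alice  413 osascript -e 'tell application \"ARDAgent\"' -e 'do shell script \"id\"' -e 'end tell'",
    "alice  414 osascript -e 'tell app \"Finder\" to activate'",
    "bob    415 grep ARDAgent /var/log/system.log",
]

if __name__ == "__main__":
    for hit in find_ardagent_calls(SAMPLE_PS):
        print(hit)
```

The osascript process is short-lived, so in practice the same matching would be applied to a process-execution audit log rather than to a point-in-time listing.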