Note: This site will look much better in a browser that supports web standards, but it is accessible to any browser or Internet device.

It's a weblog! ... sort of.

Wednesday, December 12 2018

OS X Trojan development moves forward


As seen on Slashdot: Apple. It appears that the first IRC-bot style trojan has now been spotted in the wild. From the first comment posted on the MacInTouch page, it's clear that the bot is still early in its development cycle: currently it does a good job of taking over the system, adding backdoors, remote control software, a keystroke monitor, and steals passwords and serial #s, putting them in a hidden public share.

However, it currently requires Admin/root level access to install itself (it runs as a startup script) and doesn't appear to include any means of spreading/hacking into other systems on its own, nor does it include IRC support, although that's clearly "planned." Some posts note that this was probably targeted at the OS X disk URI vulnerabilities, (reported here and here) which would have allowed for the installation of this script. Still, it's clear that this isn't much of a threat today, but it is interesting to see the first known OS X IRC-bot Trojan in development. Bottom line: nothing to worry about now, but it is a signal that OS X is now a target.

Fortunately, the design of OS X makes it pretty hard to attack, as the secunia page for OS X shows; 37 advisories for 2003-2004, only 3 of which would allow remote compromise (and 2 of the 3 were closely related). In addition, unlike Windows 2000 or XP, you can take the default configuration of any version of OS X, unpatched, and directly connect to the internet without having to worry about your system getting hacked. Currently (this month), the average lifetime of a Windows system is about 15-20 minutes, making documents like SANS Windows XP: Surviving the First Day necessary.

PS I'd also like to point out that running john (john the ripper) as the script does is not such a great idea, as it will max out your cpu use, making the trojan easier to spot.

posted by Loki on Sat, 23 Oct 2004 14:03:04 -0500