X

Trojans exploit Mac OS X ARDAgent flaw

A group of hackers are working to create a collection of exploits a vulnerability within Mac OS X 10.4 and 10.5.

Robert Vamosi Former Editor
As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.
See full bio
Robert Vamosi

Building on the Trojan released last week, a group of hackers appear to be targeting the Mac OS X platform with more variations.

Last Thursday, Mac antivirus vendors Intego and SecureMac reported a serious vulnerability within the Apple Remote Desktop Agent (ARDAgent). It is part of the remote-management component of Mac OS X 10.4 and 10.5 and is owned by root. Thus, the ARDAgent executable runs this malicious code as root without requiring a password.

The Washington Post's Brian Krebs reported on Monday the presence of a hacker forum devoted to the development of Trojans around this vulnerability. The particular user forum at MacShadows.com has since been removed. Krebs nonetheless managed to obtain screenshots from the forum before it was erased, and also a copy of the Mac Trojan template.

Buried within the template was an e-mail from one of the Trojan's authors, "Andrew."

"Apple tells us that OS X is safe and secure and fails to actually confirm that it is so on their own. We are left to experiment and test our own security and too often we discover that we aren't actually as secure as we were led to believe," Andrew said in an e-mail to the Post.

Despite their existence, there is no evidence these Trojans are circulating widely on the Internet.

Apple's policy remains not to talk about security vulnerabilities and therefore the company has not commented on the ARDAgent issue.