Lewis Butler
Jun 27, 2008 4:44 am (#11 of 30)
Re: How to Protect Yourself From The New Mac OS X Trojans
On 26-Jun-2008, at 09:46, Kevin van Haaren wrote:
> --On June 25, 2008 2:04:14 PM -0700 "Lewis  Gmail" <gkreme  gmail.com>
> wrote:
>
>> $ osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
>> 23:47: execution error: ARDAgent got an error: "whoami"
>> doesn't understand the do shell script message. (-1708)
>
>
> Run it twice in a row. I got this error the 1st time, and got the
> "root"
> response the 2nd time (and every time I ran it after that)
I ran it ten times. Same error every time.
Wonder what I'm doing wrong...

Lewis Butler
Jun 27, 2008 4:44 am (#12 of 30)
On 26-Jun-2008, at 09:46, Curtis Wilcox wrote:
> Somewhere I read that having Remote Management enabled could,
> ironically, prevent it from working.
Ah.. well, that could be. I do have Remote Management enabled, for
one specific user, and I have certain options enabled. Basically
everything is checked but "Show when being Observed".

tekelenb
Jun 27, 2008 4:48 am (#13 of 30)
At 14:04 -0700 UTC, on 2008-06-25, Lewis  Gmail wrote:
> On 25-Jun-2008, at 04:28, Richard Connamacher wrote:
>> My-Mac:~ rich$ osascript -e 'tell app "ARDAgent" to do
>> shell script "whoami"'
>>
>> root
>
> I don't get it:
>
> $ osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
> 23:47: execution error: ARDAgent got an error: "whoami" doesn't
> understand the do shell script message. (-1708)
I get the same result under 10.4.11, in a freshly created account, no matter
whether that has Admin rights or not. ARD is disabled on this system. (It
may have been enabled at some time in the past though.)
--
Sander Tekelenburg, < http://www.euronet.nl/~tekelenb/>
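The probe quoted in the last three posts, osascript -e 'tell app "ARDAgent" to do shell script "whoami"', comes back three ways in this thread: "root", the -1708 error ("doesn't understand the do shell script message", which is errAEEventNotHandled) and, in a later post, -1713 ("No user interaction allowed", errAENoUserInteraction). What the probe needs before it can ever return root is a setuid-root executable inside ARDAgent.app and AppleScript support (NSAppleScriptEnabled in its Info.plist, the key a later post edits with defaults write). The script below is an added example written for this page, not code from the TidBITS article or from any poster: it checks both properties statically, classifies the probe's output, and optionally runs the probe. The bundle path, the function names, the "exposed" rule and the constructed sample bundle it builds for testing are all assumptions.

```python
"""Static and live checks for the ARDAgent probe discussed in this thread.
Example code added for this page, not from the TidBITS article or any poster.
The bundle path, the "exposed" rule and the sample bundle are assumptions."""
import os
import plistlib
import re
import stat
import subprocess
import tempfile

# Location quoted later in the thread for 10.4/10.5 (assumed unchanged here).
ARDAGENT_APP = "/System/Library/CoreServices/RemoteManagement/ARDAgent.app"
# The probe several posters ran: ask the setuid-root agent to run whoami.
PROBE = ["osascript", "-e", 'tell app "ARDAgent" to do shell script "whoami"']
CURRENT_UID = os.getuid()   # owner of the constructed sample bundle (not root)


def read_info_plist(app_path):
    """Parse Contents/Info.plist; plistlib reads both XML and binary plists."""
    with open(os.path.join(app_path, "Contents", "Info.plist"), "rb") as fh:
        return plistlib.load(fh)


def applescript_enabled(info):
    """Apple ships NSAppleScriptEnabled as a boolean, but `defaults write KEY YES`
    without -bool stores the string "YES"; accept either spelling."""
    value = info.get("NSAppleScriptEnabled", False)
    if isinstance(value, bool):
        return value
    return str(value).strip().upper() in ("YES", "TRUE", "1")


def setuid_status(path, root_uid=0):
    """(setuid bit set, owned by root_uid, octal mode). Both flags must be
    true for `do shell script` inside the agent to run as root."""
    st = os.stat(path)
    return (bool(st.st_mode & stat.S_ISUID), st.st_uid == root_uid,
            oct(stat.S_IMODE(st.st_mode)))


def classify_probe_output(stdout, stderr):
    """Map osascript's output to the outcomes seen in this thread.
    -1708 is errAEEventNotHandled, -1713 is errAENoUserInteraction."""
    out, err = stdout.strip(), stderr.strip()
    if out == "root":
        return "shell_as_root"
    match = re.search(r"\((-\d+)\)\s*$", err)
    code = int(match.group(1)) if match else None
    if code == -1708:
        return "event_not_handled"
    if code == -1713:
        return "no_user_interaction"
    if out:
        return "shell_as_" + out      # ran, but not as root (setuid bit gone)
    return "other"


def audit(app_path=ARDAGENT_APP, root_uid=0, run_probe=False):
    """Static checks on the bundle, plus the live probe if run_probe is set."""
    result = {"present": os.path.isdir(app_path)}
    if not result["present"]:
        return result               # deleted or zipped away, as the article advises
    try:
        info = read_info_plist(app_path)
    except OSError:
        info = {}
    exe = os.path.join(app_path, "Contents", "MacOS",
                       info.get("CFBundleExecutable", "ARDAgent"))
    result["applescript_enabled"] = applescript_enabled(info)
    if os.path.isfile(exe):
        suid, root_owned, mode = setuid_status(exe, root_uid)
        result.update(executable=exe, setuid=suid, root_owned=root_owned, mode=mode)
    else:
        result.update(executable=None, setuid=False, root_owned=False)
    # Assumed rule: exposed only while every ingredient of the probe is in place.
    result["exposed"] = (result["applescript_enabled"] and result["setuid"]
                         and result["root_owned"])
    if run_probe:
        proc = subprocess.run(PROBE, capture_output=True, text=True)
        result["probe"] = classify_probe_output(proc.stdout, proc.stderr)
    return result


def make_sample_bundle(enabled="YES", setuid=True):
    """Constructed ARDAgent-like bundle in a temp dir, owned by CURRENT_UID."""
    app = os.path.join(tempfile.mkdtemp(), "ARDAgent.app")
    os.makedirs(os.path.join(app, "Contents", "MacOS"))
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": "ARDAgent",
                       "NSAppleScriptEnabled": enabled}, fh)
    exe = os.path.join(app, "Contents", "MacOS", "ARDAgent")
    with open(exe, "w") as fh:
        fh.write("#!/bin/sh\nid -un\n")
    os.chmod(exe, 0o4755 if setuid else 0o755)
    return app


if __name__ == "__main__":
    print(audit(run_probe=os.path.isdir(ARDAGENT_APP)))
```

On a real machine run it as an ordinary user with the defaults (root_uid=0); pass run_probe=True only if you want the live osascript call, which is the same thing the posters typed. The sample bundle exists so the static checks can be exercised on any system, including one where ARDAgent has already been removed.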

Terry Curtis
Jul 1, 2008 4:04 am (#14 of 30)
I took the option of compressing the ARDAgent file and then deleting it as recommended. But I note that there are still many occurrences of the file sitting in all the Time Machine back ups. Is it possible for these to be compromised - should they (can they) be deleted? Sorry if it's a naive question but I'm relatively new to Macs.
Thanks

Hank Roberts
Jul 1, 2008 4:04 am (#15 of 30)
G3 Pismo, OSX 10.3.9
There's a file "ARDAgent" directly under CoreServices.
Is 10.3.9 vulnerable to the problem?
Is simply compressing and removing the file appropriate?
(It's read-only)

King Tut
Jul 1, 2008 4:13 am (#16 of 30)
It looks unfortunately like this is NOT a problem only with ARDAgent, but with AppleScript itself and many other applications. Check the links below:
http://rixstep.com/1/20080626,00.shtml
http://rixstep.com/2/20080627,00.shtml
It is geeky, but not too difficult to understand. Avoid using "Repair Permissions" unless you are prepared to redo the remedy after you use it.
(I recommend the ACP package. It is one of the best bargains you can find. And no, I am not connected to Rixstep in any way, other than being a customer.)

Apta
Jul 3, 2008 3:10 am (#17 of 30)
If the real problem is with Applescript, why not temporarily remove Applescript (by zipping and putting it aside)? When I want to run a script I could then put Applescript back in.

Rich Mogull
Jul 3, 2008 3:14 am (#18 of 30)
I've been getting some interesting reports since publishing the
article that people on Tiger (10.4.11) are unable to simply delete
ARDAgent.
One reader managed to delete the binary from within the package, but
this seems to be a consistent problem.
Have any of you on 10.4.11 been able to delete ARDAgent?

John C. Welch
Jul 3, 2008 2:06 pm (#19 of 30)
On 7/3/08 7:10 AM, "Apta" <apta  mac.com> wrote:
> If the real problem is with Applescript, why not temporarily remove
> Applescript (by zipping and putting it aside)? When I want to run a script I
> could then put Applescript back in.
Um...because it doesn't work that way, and AppleScript is just a language to
script interapplication communication. You take *that* out, and huge chunks
of things stop working.
--
John C. Welch Writer/Analyst
Bynkii.com Mac and other opinions
jwelch  bynkii.com

cdevers
Jul 3, 2008 2:06 pm (#20 of 30)
On Thu, 3 Jul 2008, Apta wrote:
> If the real problem is with Applescript, why not temporarily remove
> Applescript (by zipping and putting it aside)? When I want to run a
> script I could then put Applescript back in.
I'm not sure if that would be sufficient.
Applescript is, as I understand it, pretty deeply embedded in the OS.
The AppleScript Utility application is just an interface to this much
broader framework. If you got rid of it, [a] you might still be able to
run the Utility from, say, a .dmg, a USB/Firewire drive, over the
network, etc; [b] you'd still have /usr/bin/osascript on the command
line, and [c] the system itself might still be able to act on scripts.
It's not a bad idea, but I think the problem is broader than that.
--
Chris Devers

lists1
Jul 5, 2008 5:01 am (#21 of 30)
No problem here - PBG4 1.5, 10.4.11. I followed your article's
instructions, copied the app., then deleted the original, it went
away. Unless it comes back on restart (which may not happen for months).
Also worked the same way on an Intel Mini with 10.5...
Roger Henriques
lists  rhen.com

jimcarr
Jul 7, 2008 3:10 am (#22 of 30)
At 11:41 AM -0700 6/26/08, Rich Mogull wrote:
>That's a strange response- you might have something else going on with
>your system.
>
>Still- as recommended in the article you should remove ARDAgent just
>to be safe. Repairing permissions will undo the chmod/permissions
>change, making you vulnerable again. I've gone ahead and updated the
>article to reflect the new advice.
Rich:
And a friendly reminder to all that if you have removed ARDAgent in
Leopard, running the 10.5.4 update will restore it.
Once I found it, it was quite easy to compress and delete in
Finder--as long as I entered admin password to do that.
--Jim

johnbaxterlists
Jul 7, 2008 3:10 am (#23 of 30)
On Jul 5, 2008, at 6:01 AM, Roger Henriques wrote:
> No problem here - PBG4 1.5, 10.4.11. I followed your article's
> instructions, copied the app., then deleted the original, it went
> away. Unless it comes back on restart (which may not happen for
> months).
If "restart ... may not happen for months" you're carefully protecting
against this one thing and not doing Apple's security updates. That
seems unreasonable.
--John

leongkt
Jul 7, 2008 3:10 am (#24 of 30)
Not being a power user, I would much rather not mess with Terminal.
I tried to follow the instructions in the Tidbits article and copied the app to a folder named "Download", after logging in as admin. But I had an error message saying that one or more components of the app requires special permissions and could not be copied.
I made a compressed disk image out of the app without any problem and put it in "Download", but when I tried to copy the app back to the folder from the mounted disk image, same error message.
What exactly will happen if I ignore this error message?
I had no problem putting the app in the trash and restoring it from there back to the proper folder, so I have just left it in the trash. I seldom log in as admin and certainly do not intend to do any real work there anyway.
Ka Tai

Paul Schinder
Jul 9, 2008 1:00 am (#25 of 30)
On Jul 7, 2008, at 7:10 AM, John W Baxter wrote:
>
> On Jul 5, 2008, at 6:01 AM, Roger Henriques wrote:
>
>> No problem here - PBG4 1.5, 10.4.11. I followed your article's
>> instructions, copied the app., then deleted the original, it went
>> away. Unless it comes back on restart (which may not happen for
>> months).
>
> If "restart ... may not happen for months" you're carefully protecting
> against this one thing and not doing Apple's security updates. That
> seems unreasonable.
It's also not clear to me that all the attention paid to ARDAgent in
this thread is warranted:
g5% sudo find /System/ \( -perm +u+s -a -user root -a -perm +a+x \) | wc
19 21 1596
There are 19 suid root and publicly executable programs in /System.
I'm not sure any of them can be exploited (besides ARDAgent), but the
number, and the fact that there's little if any documentation about
them, makes me uncomfortable. Of course, on any Linux box you'll find
similar programs, but at least on Linux there's documentation and you
can decide whether or not you 1) actually need it, and 2) whether or
not it actually needs to be suid root to perform its function.
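Paul's find one-liner counts setuid-root executables once; what a practitioner wants is to keep that list and compare it after each software update, since, as Jim notes earlier in the thread, the 10.5.4 update put ARDAgent back, and Repair Permissions reverses a chmod u-s. The script below is an added example, not from the thread or the TidBITS article: the same test as the find command (setuid bit set, owned by root, executable by someone) written in Python, plus a saved baseline and a diff. The JSON baseline format, the strip_setuid helper and the constructed sample tree are assumptions.

```python
"""Inventory of setuid-root executables under a tree, with a baseline diff.
Example code added for this discussion, not from the thread or the article.
Baseline format, strip_setuid and the sample tree are assumptions."""
import json
import os
import stat
import tempfile

CURRENT_UID = os.getuid()   # the constructed sample tree is owned by this uid, not root


def setuid_root_executables(root, root_uid=0):
    """Python equivalent of `find ROOT -perm +u+s -user root -perm +a+x`:
    regular files with the setuid bit, owned by root_uid, executable by anyone.
    Returns {path relative to root: octal mode}. Symlinks are not followed."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue          # vanished or unreadable: skip rather than abort
            mode = st.st_mode
            any_exec = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
            if (stat.S_ISREG(mode) and mode & stat.S_ISUID and any_exec
                    and st.st_uid == root_uid):
                found[os.path.relpath(path, root)] = oct(stat.S_IMODE(mode))
    return found


def diff_inventory(baseline, current):
    """(added, removed, changed) of a fresh inventory against a saved one.
    A file an update restored shows up under added."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return added, removed, changed


def save_baseline(inventory, path):
    with open(path, "w") as fh:
        json.dump(inventory, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def strip_setuid(path):
    """The article's first remedy (chmod u-s); Repair Permissions reverses it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~stat.S_ISUID)


def make_sample_tree():
    """Constructed tree: two setuid executables, one setuid non-executable
    file and one ordinary binary. Returns the tree root."""
    root = tempfile.mkdtemp()
    files = {
        "bin/su": 0o4755,
        "bin/ls": 0o755,
        "bin/notes.txt": 0o4644,      # setuid bit but no execute bit: not counted
        "RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent": 0o4755,
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    inv = setuid_root_executables("/System", root_uid=0)
    print(len(inv), "setuid-root executables under /System")
    for rel, mode in sorted(inv.items()):
        print(mode, os.path.join("/System", rel))
```

Run it once after a clean install or update and save the result with save_baseline; after the next update, diff the new inventory against it and you see exactly which setuid-root binaries came back or were added, without having to remember what the count was last time.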

lists1
Jul 9, 2008 1:00 am (#26 of 30)
On Jul 7, 2008, at 7:10 AM, John W Baxter wrote:
> On Jul 5, 2008, at 6:01 AM, Roger Henriques wrote:
>
>> No problem here - PBG4 1.5, 10.4.11. I followed your article's
>> instructions, copied the app., then deleted the original, it went
>> away. Unless it comes back on restart (which may not happen for
>> months).
>
> If "restart ... may not happen for months" you're carefully protecting
> against this one thing and not doing Apple's security updates. That
> seems unreasonable.
The G4 is rarely exposed to the outside world, and I like to wait
until this list (and others) have tested any updates before installing
on what is my primary work machine. Other than updates, it is rarely
restarted, and not to protect it from anything in particular.
Roger Henriques
lists  rhen.com

sydz
Jul 9, 2008 1:21 am (#27 of 30)
There seems to be a simpler way of deactivating ARD, keeping an eye on it
and activating it if and when needed.
In the Sharing panel of System Preferences highlight Apple Remote Desktop.
A hidden option becomes visible on the side "Show status in menu bar",
with a dimmed button underneath (Access Privileges). The list of access
privileges options can be seen after unlocking the Sharing panel and
clicking upon this button.
Check "Show status in menu bar".
A dimmed icon (telescope) appears in the menu bar.
When the telescope is left-clicked a drop down window opens with three
options.
Not active (dimmed)
Message to Administrator (dimmed)
Open Remote Desktop Preferences (Not dimmed)
In order to make changes highlight the last option.
The sharing panel window will open. Click open the lock
and relock the panel after making the desired changes.
Any unauthorised attempt to tamper with ARD makes the telescope icon
quiver.
The users with stand alone machines whether desktops or laptops
can leave all the Services in the Sharing panel unchecked. Lock the
panel and forget about it. And if they want to keep an eye on
ARD they can have the dimmed telescope in the menu bar.
Are there any concrete instances of this exploit and has the malicious code
been sent to, say, clamav database?

Mega Hertz
Sep 5, 2008 7:36 am (#28 of 30)
Can someone help me with this?
I first found info on this trojan and tried running a few terminal commands to fix it.
I would get the 18:19:Syntax Error:No User interaction allowed. (-1713)
when I would run the osascript -e 'tell app "ARDAgent" to do shell script "Whoami"'
and I ran the other suggestions on the coreservices/remotemanagement folder
$ sudo defaults write /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info NSAppleScriptEnabled YES
$ sudo plutil -convert xml1 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info.plist
$ sudo chmod 644 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Info.plist
so now I used just the standard Finder to go to the coreservices folder,
and I see a red negative symbol on the remotemanagement folder. And I do not have privileges to view this folder's contents.
I am logged in as root. I am using OSX 10.3.9.
Can anyone tell me how to regain access to that remote management folder?
I fear I am being exploited by this botnet setup, as I run a simple webserver using my old mac. And when I capture my TCP/IP tcpdump packets, I see a message always stating in one of the packets, repeatedly, saying my registry is corrupt and I should visit windowsregistryfix dot com to download a registry patch. So I am assuming my mac is sending out botneted popups to other computers.
I have otherwise locked down my mac in every other possible way.
I am fairly mac savvy but really only a long term newbie. MacOS 7 to now, using.
Any help with this would be greatly appreciated.

johnbaxterlists
Sep 6, 2008 5:37 am (#29 of 30)
On Fri, Sep 5, 2008 at 8:36 AM, Mega Hertz <mysoundeditor  sympatico.ca> wrote:
> So i am assuming my mac is sending out botneted popups to other computers.
Step 1 in this situation is to pull the Ethernet connection or turn
off the wireless (or both). Isolate the machine. Then fix it (which
may mean erasing the hard drive and starting over).

Hank Roberts
Sep 7, 2008 10:17 am (#30 of 30)
For those of us still using 10.3.9, would someone sum up the current best advice on avoiding, testing for, and if possible fixing this?
Is there any simple way to know the status of the machine by now?