For years, one of the more compelling arguments in the debate between PC and Mac users held that Macs are more secure. With hackers worldwide dreaming up viruses and Trojan horse programs designed to crash hard drives and compromise personal data, Microsoft and security software manufacturers struggled to keep PC users safe by constantly releasing software updates and security patches for Windows operating systems.
Mac users surfed happily along the Internet’s boundless realms, content in the knowledge that Apple’s tiny OS market share was little incentive for hackers and malicious social engineers. As the universe of Mac users continues to grow, however, that sense of security may begin to prove false.
Jim Dalrymple reports at Macworld.com that SecureMac claims to have discovered a Trojan horse “in the wild” targeting OS X 10.4 and 10.5 users. Granted, you must willingly download the program, install it on your Mac, and provide your keychain password for it to take effect, but the folks at SecureMac perceive a change in the security landscape nonetheless.
In a Security Alert labeled “critical,” the company describes multiple variants of a compiled AppleScript called ASthtv05 (60 KB) and an application bundle called AStht_v06 (3.1 MB) that theoretically allow a malicious user complete remote access to the system, with the ability to transmit system and user passwords and to avoid detection by opening ports in the firewall and turning off system logging. Additionally, the company said this Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing.
Another security software developer, Intego, confirms the critical nature of the stealth root-access Trojan, and posted a separate, low-risk notice of a Trojan horse masquerading as a Mac OS X program called “PokerGame.” The Trojan in question is a shell script encapsulated in an application, and is distributed in a 65 KB Zip archive; unzipped, it is 180 KB.
Running PokerGame.app activates ssh, then sends the user name and password hash, along with the IP address of the Mac on which it is running, to a server. It asks for an administrator’s password after displaying a dialog saying, “A corrupt preference file has been detected and must be repaired.” After gaining ssh access to a Mac, malicious users can attempt to take control of it, delete files, damage the operating system, and more.
Comments on the Macworld piece point out that these kinds of security threats should only affect the most unaware users, who might be duped into installing unknown software on their machines and willingly providing their administrative passwords. Not a few of them express skepticism about SecureMac’s and Intego’s financial incentive for discovering and reporting on these Trojan horses “in the wild.”
As Apple’s desktop OS market share continues to grow, however, and tens of millions of iPhones running Apple’s mobile OS hit the market, the lure for hackers and malicious program developers gets larger, increasing the likelihood of security turbulence for Mac users on the road ahead.