If the latest malware alert is any indication, Mac users may be forced to re-think their relaxed approach to online security. There is a new, dangerous form of a Trojan out there which already apparently is circulating in multiple variants that target OS X Tiger and Leopard users. Unlike previous malware attempts that often were proof-of-concept releases, this beast can cause real damage, researchers from SecureMac and Intego are reporting.
AppleScript.THT comes either as a 3.1 MB application dubbed AStht_v06 or as a 60 KB compiled AppleScript script called ASthtv05. Once a user downloads and runs one of those executables, their system is infected.
When active, AppleScript.THT exploits a recently outlined Apple Remote Desktop Agent vulnerability. The malware runs with a root user and system-wide account with full privileges used by the operating system. It then adds itself to the System Login Items to launch the Trojan every time a Mac is restarted. It also moves itself into the /Library/Caches/ folder. Security researchers warn that the Trojan runs in the background and hides itself from a possible detection by turning off system logging and opening ports in the operating system’s software firewall mechanism.
You may have guessed that AppleScript.THT can communicate with the outside world and enables a malicious user to gain complete remote access to your Mac. It has been confirmed that such a user can use the Trojan nested in your system to steal system and user passwords, as well as various other passwords stored in the keychain. It can also log keystrokes of whatever you’re typing on a keyboard and send that data remotely to a malicious user.
AppleScript.THT can also turn on file sharing features to expose your files to the outside world. Additionally, it is able to take screenshots of your desktop and even take your pictures using Mac’s built-in iSight camera.
SecureMac and Intego said they have updated their virus definitions databases to detect and remove the Trojan.