FYI: two OSX trojan horse programs encountered

...from: http://www.intego.com/news/ism0803.asp
INTEGO SECURITY MEMO - June 20, 2008
OSX.Trojan.PokerStealer Trojan Horse Attempts to Take Control of Macs
Exploit: OSX.Trojan.PokerStealer
Discovered: June 20, 2008
Risk: Low
Description: A Trojan horse has been found in the wild masquerading as a program for Mac OS X called “PokerGame”. The Trojan in question is a shell script encapsulated in an application, and is distributed in a 65 KB Zip archive; unzipped, it is 180 KB.
The Trojan horse, when run, activates ssh on the Mac on which it is running, then sends the user name and password hash, along with the IP address of the Mac, to a server. It asks for an administrator’s password after displaying a dialog saying, “A corrupt preference file has been detected and must be repaired.” Entering the administrator’s password enables the program to accomplish its tasks. After gaining ssh access to a Mac, malicious users can attempt to take control of it, delete files, damage the operating system, or much more.
Intego VirusBarrier X4 and X5 with virus definitions dated June 20, 2008 protect against this Trojan horse. Intego recommends that users never download and install software from untrusted sources or questionable web sites.
= - = - = - = - = - = - =
INTEGO SECURITY ALERT - June 19, 2008
Apple Remote Desktop Vulnerability Allows Malicious Programs to Execute Code as Root
Exploit: ARDAgent root privilege escalation
Discovered: June 19, 2008
Risk: Critical
Description: A vulnerability has been discovered that allows malicious programs to execute code as root when run locally, or via a remote connection, on computers running Mac OS X 10.4 and 10.5. This vulnerability takes advantage of the fact that ARDAgent, a part of the Remote Management component of Mac OS X 10.4 and 10.5, has a setuid bit set. Any user running such an executable gains the privileges of the user who owns that executable. In this case, ARDAgent is owned by root, so running code via the ARDAgent executable runs this code as root, without requiring a password. The exploit in question depends on ARDAgent’s ability to run AppleScripts, which may, in turn, include shell script commands.
When an application enables a root privilege escalation of this type, any malicious code that is run may have devastating effects. These may range from deleting all the files on the Mac (regardless of who owns them) to more pernicious attacks such as changing system settings, and even setting up periodic tasks to perform them repeatedly. Any application could use this vulnerability to obtain root privileges without users ever needing to enter passwords. Users could run malicious programs that they download from the Internet or receive from friends or colleagues, and, if the program exploits this vulnerability, simply launching it once would be sufficient for damage to be done.
There are cases where this exploit does not work. If a user has turned on Remote Management in the Sharing pane of System Preferences under Mac OS X 10.5, or if a user has installed Apple Remote Desktop client under Mac OS X 10.4 or earlier and has activated this setting in the Sharing preferences, the exploit will not function. Most users, however, will not have this service turned on; generally only those users who want to observe or control other computers on their network will turn this on to do so. Note that Mac OS X 10.5’s Screen Sharing function has no effect on this vulnerability.
This exploit can be triggered by any type of user account: standard user, administrator, or even a guest account. Therefore, a guest logged in using Mac OS X 10.5’s Guest Account feature has the ability to download an application and unwittingly run malicious code with no security warning.
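The root cause described in the ARDAgent alert is a setuid-root executable, so the practical check for an administrator is to enumerate which files on the system carry the setuid bit and whether ARDAgent is among them. The following POSIX shell helper is an added example for this post; it is not Intego's code and not part of the original memo. The ARDAgent path is the one I assume for Mac OS X 10.4/10.5 and is not stated on the page; `list_setuid` and `count_setuid` work on any directory tree, so they can be run against a constructed test directory on a non-Mac system as well.

```shell
#!/bin/sh
# Added defender-side audit helper (not from the Intego memo): find setuid
# executables under a directory tree and flag the ARDAgent binary.

# Assumed location of the Remote Management agent on Mac OS X 10.4/10.5;
# not given in the memo, adjust if your system differs.
ARDAGENT_PATH="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# Print every regular file under $1 whose setuid bit (04000) is set,
# one path per line. Errors (e.g. unreadable directories) are suppressed.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Print the number of setuid files under $1 as a bare integer.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# Exit 0 if $1 is an existing regular file with the setuid bit set, else 1.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Report each setuid file with its owner; a setuid file owned by root is
# exactly the condition the ARDAgent alert describes.
report_setuid() {
    list_setuid "$1" | while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')
        printf 'setuid %s (owner: %s)\n' "$f" "$owner"
    done
    printf '%s setuid file(s) under %s\n' "$(count_setuid "$1")" "$1"
}

# Check specifically for the ARDAgent condition; exit 0 if it is setuid.
ardagent_is_setuid() {
    is_setuid "${1:-$ARDAGENT_PATH}"
}

# Stand-alone usage: audit /System (or a directory given as $1) and then
# state whether ARDAgent carries the setuid bit.
if [ "${0##*/}" = "setuid_audit.sh" ]; then
    report_setuid "${1:-/System}"
    if ardagent_is_setuid; then
        echo "ARDAgent is setuid: exposed to the root escalation described"
    else
        echo "ARDAgent is not setuid (or not present)"
    fi
fi
```

Run it as `sh setuid_audit.sh /System` on the Mac in question; on a system where the agent is absent the ARDAgent check simply reports it as not present rather than failing.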