Trojan horse takes pictures of Mac users

Posted by Christian Zibreg

Chicago (IL) – And you thought you were safe from malware when you switched to a Mac. You may change your mind soon, especially now that the Mac's recent market share gains appear to be drawing growing interest from malware authors. Security experts are now warning about a new Trojan horse released in the wild that targets OS X Tiger and Leopard users. The malware can steal your passwords, avoid detection, log what you type and even take your picture.

If the latest malware alert is any indication, Mac users may be forced to re-think their relaxed approach to online security. There is a new, dangerous Trojan out there which apparently is already circulating in multiple variants that target OS X Tiger and Leopard users. Unlike previous malware attempts, which often were proof-of-concept releases, this beast can cause real damage, researchers from SecureMac and Intego are reporting.

AppleScript.THT comes either as a 3.1 MB application dubbed AStht_v06 or as a 60 KB compiled AppleScript script called ASthtv05. Once a user downloads and runs one of those executables, their system is infected.

When active, AppleScript.THT exploits a recently outlined Apple Remote Desktop Agent vulnerability. The malware runs as root, the system-wide account with full privileges that is used by the operating system. It then adds itself to the System Login Items so that the Trojan launches every time the Mac is restarted. It also moves itself into the /Library/Caches/ folder. Security researchers warn that the Trojan runs in the background and hides itself from detection by turning off system logging and opening ports in the operating system's software firewall.
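Two of the indicators described above, a login item that runs out of /Library/Caches/ and system logging having been switched off, lend themselves to a simple host audit. The following script is an added example written for this page, not code from the article or from SecureMac or Intego. It works over constructed sample data; the `osascript` query and the `ps -axo comm` invocation named in the comments are the assumed ways to collect the real inputs on a Tiger or Leopard system, and the file names it matches (AStht_v06, ASthtv05) are the ones the article reports.

```python
"""Login-item and syslog audit for the AppleScript.THT indicators.

Added example, not the article's or the vendors' code. Flags:
  * a System Login Item whose executable lives under /Library/Caches/
    (the article says the Trojan moves itself there and registers a login item)
  * a login item whose name matches the reported dropper names
  * syslogd not present in the process list (system logging turned off)

The sample inputs below are constructed. On a real Mac the login-item paths
could be collected with (assumed command usage):
    osascript -e 'tell application "System Events" to get the path of every login item'
and the process list with:
    ps -axo comm
"""
import os
import re

# Article: the Trojan moves itself into this folder.
SUSPICIOUS_PREFIXES = ("/Library/Caches/",)
# Article: the two reported variants; matched case-insensitively on the file name.
KNOWN_NAMES = re.compile(r"^AS(tht_v06|thtv05)", re.IGNORECASE)


def parse_login_items(osascript_output: str) -> list:
    """osascript prints the login-item paths as one comma-separated line."""
    return [p.strip() for p in osascript_output.split(",") if p.strip()]


def suspicious_login_items(paths) -> list:
    """Return (path, reason) pairs for login items worth a closer look."""
    hits = []
    for p in paths:
        if p.startswith(SUSPICIOUS_PREFIXES):
            hits.append((p, "runs from a cache directory"))
        elif KNOWN_NAMES.match(os.path.basename(p)):
            hits.append((p, "file name matches a reported AppleScript.THT variant"))
    return hits


def syslogd_running(ps_output: str) -> bool:
    """True if any command in `ps -axo comm` output is syslogd (with or without path)."""
    return any(line.strip().endswith("syslogd") for line in ps_output.splitlines())


def audit(login_items_output: str, ps_output: str) -> list:
    """Combine the checks into a list of human-readable findings."""
    findings = []
    for path, reason in suspicious_login_items(parse_login_items(login_items_output)):
        findings.append(f"login item {path}: {reason}")
    if not syslogd_running(ps_output):
        findings.append("syslogd not running: system logging may have been disabled")
    return findings


# Constructed sample data: one benign login item, one planted in /Library/Caches/,
# one with a reported variant name, and a process list with no syslogd.
SAMPLE_LOGIN_ITEMS = (
    "/Applications/iTunes.app, "
    "/Library/Caches/AStht_v06.app, "
    "/Users/alice/Downloads/ASthtv05"
)
SAMPLE_PS = """COMM
/sbin/launchd
/usr/sbin/securityd
/usr/sbin/ocspd
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOGIN_ITEMS, SAMPLE_PS):
        print(finding)
```

The checks are deliberately conservative: a login item under /Library/Caches/ is unusual for legitimate software, and the absence of syslogd on a system that should be logging is worth investigating regardless of which malware family is involved.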

You may have guessed that AppleScript.THT can communicate with the outside world and lets a malicious user gain complete remote access to your Mac. It has been confirmed that such a user can use the Trojan nested in your system to steal system and user passwords, as well as various other passwords stored in the keychain. It can also log whatever you type on the keyboard and send that data to a remote malicious user.

AppleScript.THT can also turn on file sharing features to expose your files to the outside world. Additionally, it is able to take screenshots of your desktop and even take pictures of you using the Mac's built-in iSight camera.

SecureMac and Intego said they have updated their virus definitions databases to detect and remove the Trojan.