AppleScript.THT Trojan Horse

From SecureMac
SecureMac has discovered multiple variants of a new Trojan horse in the wild that affects Mac OS X 10.4 and 10.5. The Trojan horse is currently being distributed from a hacker website, where discussion has taken place on distributing the Trojan horse through iChat and Limewire.

The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing. The Trojan horse exploits a recently discovered vulnerability with the Apple Remote Desktop Agent, which allows it to run as root.

The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items.


ID10T Error

Notice the key phrase:

"The user must download and open the Trojan horse in order to become infected."

So you must download and run an AppleScript from a hacker website...

ID10T error - Replace user.

Two questions linger, however:

1) Since this Trojan exploits a vulnerability in the Remote Desktop Agent, does that mean you would have to have the Apple Remote Desktop client installed on your Mac?

2) Isn't it just the least bit fishy that the only defense they list happens to be running their software? How about: don't download AppleScripts from hacker sites!?
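On the first question: the agent side of Apple Remote Desktop (ARDAgent) ships with the base Mac OS X install, whether or not the Remote Desktop admin application is present, so it is the setuid-root agent binary, not the admin client, that matters here. As an added example, not code from SecureMac or from the original post, here is a small sh triage script that looks for the indicators the advisory actually names: a copy of the Trojan (ASthtv05 or AStht_v06) parked in /Library/Caches/, a login item pointing at it, and an ARDAgent binary that is still setuid root, which is what lets the Trojan run as root. The ARDAgent path and the login-item plist locations are assumptions about the 10.4/10.5 filesystem layout, not facts from the advisory.

```shell
#!/bin/sh
# Added triage check for the AppleScript.THT indicators (not SecureMac's code).
# Looks for: a dropped copy in /Library/Caches/, a login item launching it,
# and a setuid-root ARDAgent. Paths are assumptions about the Mac OS X
# 10.4/10.5 layout; the advisory only names the file names and /Library/Caches/.

# Assumed location of the Remote Desktop agent binary. It ships with the OS,
# whether or not the Remote Desktop admin application is installed.
ARDAGENT_REL='System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent'

# check_tht [ROOT]
# Scans the filesystem rooted at ROOT (default /) and prints one "HIT ..."
# line per indicator. The exit status is the number of hits, so a clean
# machine returns 0 and the function can sit in a cron job or a login hook.
# It only reports; it changes nothing on the machine.
check_tht() {
    root="${1:-/}"
    root="${root%/}"        # "/" becomes "", so "$root/Library" stays absolute
    hits=0

    # 1. Dropped copy of the Trojan in /Library/Caches/ (names from the advisory;
    #    AStht_v06 is an application bundle, so it may carry a .app suffix).
    for name in ASthtv05 AStht_v06 AStht_v06.app; do
        if [ -e "$root/Library/Caches/$name" ]; then
            echo "HIT dropped file: $root/Library/Caches/$name"
            hits=$((hits + 1))
        fi
    done

    # 2. A login item that launches something out of /Library/Caches/.
    #    Assumed plist locations: the system-wide loginwindow.plist and the
    #    per-user loginwindow.plist (10.4) / com.apple.loginitems.plist (10.5).
    #    grep -a also reads binary plists, since path strings are stored as ASCII.
    for plist in "$root/Library/Preferences/loginwindow.plist" \
                 "$root"/Users/*/Library/Preferences/loginwindow.plist \
                 "$root"/Users/*/Library/Preferences/com.apple.loginitems.plist; do
        [ -f "$plist" ] || continue
        if grep -a -q 'Library/Caches/ASth' "$plist"; then
            echo "HIT login item referencing Library/Caches/ASth*: $plist"
            hits=$((hits + 1))
        fi
    done

    # 3. ARDAgent still setuid root: the condition the Trojan relies on for root.
    if [ -u "$root/$ARDAGENT_REL" ]; then
        echo "HIT setuid ARDAgent: $root/$ARDAGENT_REL"
        hits=$((hits + 1))
    fi

    echo "$hits indicator(s) found under ${root:-/}"
    return "$hits"
}

# Live machine (run as root so every user's plist is readable):
#   check_tht
# Mounted image of a suspect disk:
#   check_tht /Volumes/SuspectDisk
```

A non-zero exit status means look harder, not that the machine is cleaned; a zero means only that these three indicators are absent, which says nothing about a renamed variant.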
