Mac Trojan in the Wild: Tempest in a Teapot
OSX.Leap.A: This is the first Mac OSX trojan that I've heard of in the wild, though Symantec rates it as low-risk. This is a step beyond proof-of-concept, though it can't really do anything without direct user involvement.
SecureMac and Intego are separately reporting the existence of a new security threat for Mac, claiming the existence of multiple variants of a new Trojan horse in the wild that affects Mac OS X 10.4 and 10.5.
The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items.
On the evening of the 13th, an unknown user posted an external link to a file on MacRumors Forums claiming to be the latest Leopard Mac OS X 10.5 screenshots. The file was named "latestpics.tgz".
The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but is actually a compiled Unix executable in disguise. An initial disassembly (from original discussion thread) reveals evidence that the application is virus-like or was designed to give that impression. Routines listed include:
_infect:
_infectApps:
_installHooks:
_copySelf:
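The disguise described above (an executable carrying a JPEG icon) is only convincing to a user looking at Finder; the file's own leading bytes give it away. The following is an added example, not code from the original post or from Andrew Welch's analysis, of the kind of check a defender can run on a downloaded archive before anything in it is double-clicked: it walks a .tgz in memory and flags any member whose magic number says Mach-O while its name says picture, whose executable content has no extension at all (the icon-only disguise), or whose genuine image bytes arrive with the execute bit set. The Mach-O and JPEG magic values are the real ones; the archive it scans is a constructed sample whose member names are invented, not the contents of the actual latestpics.tgz.

```python
from __future__ import annotations

import io
import posixpath
import tarfile

# Leading bytes ("magic numbers") of the formats this check cares about.
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "mach-o 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "mach-o 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "mach-o 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "mach-o 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "mach-o fat/universal",  # also the Java class magic; either way, not a picture
    b"\xbe\xba\xfe\xca": "mach-o fat/universal (little-endian)",
}
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")


def sniff(data: bytes) -> str:
    """Classify a file from its first bytes alone; name and icon are ignored."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PNG_MAGIC):
        return "png"
    kind = MACHO_MAGICS.get(data[:4])
    if kind:
        return kind
    if data.startswith(b"#!"):
        return "script"
    return "unknown"


def classify_member(name: str, mode: int, head: bytes) -> str | None:
    """Return a reason string if an archive member is suspicious, else None."""
    base = posixpath.basename(name)
    kind = sniff(head)
    is_macho = kind.startswith("mach-o")
    looks_like_image = base.lower().endswith(IMAGE_EXTENSIONS)
    executable_bit = bool(mode & 0o111)
    if is_macho and looks_like_image:
        return "executable disguised as image"
    if is_macho and "." not in base:
        return "executable with no extension (icon-only disguise)"
    if kind in ("jpeg", "png") and executable_bit:
        return "image file with execute bit set"
    return None


def scan_tgz(blob: bytes) -> list[dict]:
    """Inspect every regular file inside an in-memory .tgz without writing it to disk."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            head = tf.extractfile(member).read(16)  # 16 bytes is enough for every magic above
            reason = classify_member(member.name, member.mode, head)
            if reason:
                findings.append({"name": member.name, "kind": sniff(head), "reason": reason})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (not the real latestpics.tgz): genuine images mixed
    with executables dressed up as pictures. Names and contents are invented."""
    members = [
        ("latestpics/real.jpg", 0o644, JPEG_MAGIC + b"\xe0" + b"\x00" * 12),
        ("latestpics/thumb.jpg", 0o755, JPEG_MAGIC + b"\xe0" + b"\x00" * 12),
        ("latestpics/cover.jpg", 0o755, b"\xca\xfe\xba\xbe" + b"\x00" * 12),
        ("latestpics/latestpics", 0o755, b"\xfe\xed\xfa\xce" + b"\x00" * 12),
        ("latestpics/README.txt", 0o644, b"just pictures\n"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, mode, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_tgz(build_sample_archive()):
        print(f"{f['name']}: {f['reason']} [{f['kind']}]")
```

Reading only the first 16 bytes of each member keeps the scan cheap even for a large archive, and doing it from the compressed stream means nothing is ever extracted, so a custom icon or resource fork never gets a chance to do its work. A real deployment would also want to look at the tar header's type flags and at any nested archives, which this sample leaves out.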
The exact consequences of the application are unclear, but users who originally executed the application have noted that it appeared to self-propagate:
"If anyone remembers last night, when lasthope spread that picture that opened in terminal. I just turned on my other computer and it said it had an incoming file, from my computer, which was the latest pics file. Any help. I have already secure deleted it off of my hard drive, but how do I know that it will not come back."
Andrew Welch, who had done some of the initial disassembly, is posting updates to this thread.
You cannot be infected by this unless you do all of the following:
1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file
2) Double-click on the file to decompress it
3) Double-click on the resulting file to "open" it
...and then for non-Admin users, it fails to infect most applications.
You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you unarchive the file, and then open it.
A few important points
-- This should probably be classified as a Trojan, not a virus, because it doesn't self-propagate externally (though it could arguably be called a very non-virulent virus)
-- It does not exploit any security holes; rather it uses "social engineering" to get the user to launch it on their system
-- If you're not running as an admin user, it will silently fail to infect most applications
-- It doesn't actually do anything other than attempt to propagate itself via iChat, and then only via Bonjour! (aka "Rendezvous") -- it does not send itself over the Internet, rather just to your local Bonjour user list
-- It has a bug in the code that prevents it from working as intended, which has the side-effect of preventing infected applications from launching
-- It's not particularly sophisticated
-- I'd really be tempted to call this thing a non-event; it's poorly written, can't spread beyond your local network, is unlikely to infect anything on most machines, and needs user interaction to do anything at all
June 20, 2008 at 01:45 pm by jordan, 280 views, 6 comments
Comments (6)
zichiat 14:24 on June 20th, 2008
jordan, I like this story. It's good stuff.
I read about this too! A storm in a teacup. I have been using my current iMac for about 15 months. Out of interest I ran MacScan, the first time in the last 15 months. The only thing it discovered was 18 so-called tracking cookies, which are harmless enough, but for my effort I deleted them; they are probably back before I even move a couple of web pages. No virus or even spyware. I am careful to only install good software from good sites.
at 17:36 on June 20th, 2008
Don't know if this is the same one, but it was dated the next day, today on Intego; see the photo.
Both pages tell you how to avoid, or deal with, either trojan.
Did a search, guess I'm safe, I got Mac OSX 10.3.9 Panther.
at 17:37 on June 20th, 2008
jordan, Many thanks for the heads-up!
at 17:43 on June 20th, 2008
jordan, I like this story. It's good stuff.
at 17:47 on June 20th, 2008
The "PokerGame" (Trojan) application is 159,843 bytes, and includes the text "Copyright 2008 Andrew" in the version information (visible in Get Info).
Wonder how that relates to the Andrew Welch mentioned above?
at 22:21 on June 20th, 2008
jordan, I like this story. It's good stuff.