Scary Experience
Subject: Scary young programmer...
Date: Sun, 30 Aug 1998 03:05:14 -0800
From: [MacInTouch reader]
To: MacInTouch
Hey there,
I just spent the last 2 hours demoing an app with some kid that approached me on a hotline server.
The kid was in Alaska and he was 15 years old. He had written an application that was two parts. He wrote it in RealBasic. He called it Chatthing.
The two parts of the app are the client and the server. When the client application is opened and the server admin obtains the IP address of the client, a chat window appears on both participants' computers. The window is as fully functional as any chat window like those seen in AOL Instant Messenger or ICQ, or Hotline, etc...
The Admin/Server runner has the ability to post Admin messages on the client computer(s). So, sounds pretty normal. BUT then the admin types into chat... watch this!
The next thing I know, Simpletext has been launched and I am staring at a new blank simpletext document! Then another application is launched - Final Draft!
I warned the kid that I had gotten his traceroute info and address, and phone number while I downloaded his "client" application. It turned out that he had full control over my computer as far as launching, quitting, deleting, and making files invisible, etc. He was a nice kid, so he didn't do anything bad. He informed me that there are no file transfer capabilities included in his little app as of yet, but that he would probably have them by tomorrow.
We fantasized about the possible uses of this new application. He said he was planning on converting it into an invisible extension that would be installed onto unsuspecting people's Macs and launched in the background. He wanted to make it so that it would transmit a "victim's" IP address to him upon connection to the internet, then he would have control over their computer. I asked him to perform certain tasks and he created a folder, opened many documents, made my entire disk invisible, then made it reappear, deleted a demo file, and switched me between applications. It reminded me of Timbuktu or VNC, but it seems more powerful due to its seamless/invisible integration into your GUI, etc. He could theoretically, with file transfer capabilities, collect people's internet prefs (containing passwords and usernames and ISPs), steal Quicken documents containing banking information, etc. He looked through my entire computer's contents as you could do in a Unix or any text-based directory system (DOS, Unix). It was not super impressive, and he behaved himself, but the potential for this type of application need not be explained. I don't know if this situation is similar to what occurred with ICQ and its security issues in the past, but whatever the case, this app (very clean) could end up being quite significant to the Mac community, either in a positive or negative manner.
I was confident enough in my experience and familiarity with using and repairing Macs (and my full backup) to let the kid loose to do whatever he wanted, with a fair and stern warning that I knew his ISP, phone number and address if he tried anything vicious. I'm no hotshot, but I thought that this thing was worth mentioning to you at MacInTouch, my favorite website in the world!
[...] I hope nobody panics and chases him down as some sort of criminal. He thought his app could be used by software companies to possibly monitor piracy - I told him that would be illegal. As a commercial/shareware/good natured application, it seems that it could be quite effective.
I feel I am getting redundant. I'm tired.
Thanks for everything at MacInTouch over the past four years! Keep up the good work!
Let's pray this kid doesn't turn this thing into a virus.
[...]
Date: Tue, 01 Sep 1998 11:13:19 +0100
From: Abrey Myers
To: notes@macintouch.com, abrey@aol.com
Subject: "Scary Young Programmer" Trojan Horse program
Dear Ric Ford:
There are positive and negative benefits to the young programmer's software. One benefit that occurred to me after reading your postings is if the young man slightly reworks the program, he could market it to be a shareware alternative to Timbuktu. If the chat screen is used as a primary interface to communicate between host and client, and the rest of the program allows the same access capabilities as the commercial software does, then I think the young man is on to something.
Abrey Myers
abrey@aol.com
Back Orifice
Date: Tue, 01 Sep 1998 09:43:56 -0500
To: news@macintouch.com
From: jj jjobe@dist80.ridgenet.org
Subject: Back Orifice
I read an article on today's MacInTouch about a kid who had made an app that could take over a user's computer. A similar app is freely downloadable from the Cult of the Dead Cow's website and www.rootshell.com. It is called Back Orifice. It is a trojan app that can be easily sneaked onto an unsuspecting user's computer. After it is installed it gives the remote user total control over the computer running the server app. It is a major threat to Windows 95/98. There is not a version for the Mac at this time. Since the installed component does not show up in the list of running apps, can be named anything and doesn't have to end with .exe, and can transmit/receive on any assignable port, it is very hard to trace. I am the net admin for a K-8 district and have fears that students will be installing Back Orifice onto machines and remotely messing with them from other parts of the building. Some of the cute capabilities it provides are the abilities to freeze or restart a computer while someone else is using it.
John J.
Date: Tue, 01 Sep 1998 10:24:35 -0400
From: Matthew Patton matthew.patton@ra.pae.osd.mil
To: notes@macintouch.com
Subject: Trojan Horse via Hotline
Let me guess. It's a reworked version of BackOrifice originally authored by the Cult of the Dead Cow guys and intended for windoze weenies. Looks like we have a Macintosh version. Very cool! Needless to say, you probably want to turn off those nifty features in your email/web clients like Javascript, ActiveX, automatic attachment launch etc. BO is available in many forms now and getting lusers to trojan their machine is disgustingly simple.
From: "Jeff A. Harrell"
Date: Tue, 1 Sep 1998 11:22:39 -0500
To: notes@macintouch.com
Subject: Trojan Horse
I read with interest your feature about the trojan-horse-style client/server program, but was disappointed to hear it described by a couple of readers as a Macintosh version of BackOrifice.
BackOrifice is designed to exploit some very specific features of Windows 95/98, the most infamous of which is the Registry. The chinks exploited by that program don't exist in MacOS.
While the trojan-horse-style application for the Macintosh and BackOrifice may appear to do similar things, they aren't the same program, and certainly work in entirely different ways.
<obligatory Unix comment>
I do, however, find it interesting that developments like this program, and BackOrifice, finally bring functionality to Macintosh and Windows systems that Unix users have enjoyed for years: seamless remote access, administration, and use. The difference is that, literally decades ago, the Unix community dealt as best they could with the security issues involved.
</obligatory Unix comment>
Apple Network Assistant
To: notes@macintouch.com
From: Ben_Compton@prewitt.com (Ben Compton)
Date: Mon, 31 Aug 1998 23:48:45 -0800
Subject: Trojan Horse
What is described as the "Trojan Horse" sounds very much like Apple Network Assistant. With just an init functioning on the client machine full control is given to the network administrator. It would seem that making the init invisible with a demo copy of Apple Network Assistant would be pretty easy.
This message originated from Prewitt Consulting, your Oregon Computer VAR. See us at www.prewitt.com Call us at (503) 223-3976
AppleScript
Date: Wed, 2 Sep 1998 06:17:59 +0800
To: notes@macintouch.com
From: Tee Yen Ng
Subject: Trojan Horse via Hotline
A similar program to this is "ScriptDaemon" (freeware by Peter N. Lewis). It allows AppleScript commands to be sent to port 23, and executed. So copying files, making them invisible, and retrieving text from files (and more!) would be easily doable.
yen
---
tyen@earthling.net
http://tyen.home.ml.org/
Subject: "Scary Young Programmer" -- related info
Date: Tue, 1 Sep 98 11:46:15 -0600
From: Peter Meilstrup
To: notes@macintouch.com
This is very similar to a security flaw I discovered that has existed since the scriptable Finder in Mac OS 7.5. If you are on an AppleTalk network and have granted Program Linking access to anyone in your network, that person can very easily gain access to any file on your computer, change your network access privileges, and basically do anything to your system that AppleScript is capable of. The scriptable Finder has one of the best AppleScript implementations of any program, and since it is not an application per se, you can't go to its Get Info window and turn off program linking access.
[...] this flaw has persisted in every version of system software from 7.5 through 8.1.
Peter Meilstrup
saruman@blackrockmac.com
Date: Tue, 8 Sep 1998 09:25:27 -0400 (EDT)
From: Richard Sarkis rsarkis@mlsonline.com
To: notes@macintouch.com
Subject: Re: "Scary Young Programmer" -- related info
This "flaw" is not really a flaw as you may think, it's a feature. With many features comes the need for responsible use and setup. I use program linking to manage programs, including the finder in our office. To prevent program linking you just need to:
1. Shut off "Program Linking" in the "Sharing" (7.X) or "File Sharing" (8.0) control panels.
OR
2. Set the appropriate permissions for users in the Users and Groups control panel to prevent or allow users to use program linking, or better yet, just shut off program linking for guests. The finder will try to authenticate users attempting to program link if you have program linking for guests disabled, providing some sort of security if you need program linking on.
Rich
rsarkis@mlsonline.com
Administrator, MLS Online
Mac OS 8.5 Tips and Tricks Trojan
Date: Tue, 08 Sep 1998 13:14:39 -0500
To: news@macintouch.com
From: Trevor Stenson stensotr@email.uc.edu
Subject: macos8.5 tips and tricks
Dear MacInTouch,
I would like to confirm the presence of a file called macos 8.5 tips and tricks. Being the curious sort, I downloaded the file from a Hotline server to find out about the latest and greatest OS. I scanned the file and it was virus free, but it turned out to be a trojan horse disguised as a self-contained text app (from DocMaker, I believe). When launched it seemed to throw some stuff in the trash and delete it. It was in actuality an AppleScript file. I haven't looked extensively to figure out what, if anything, it actually deleted, but it sure scared the wits out of me. Surfing Hotline can be a lot of fun, but I think I'll try and get my news from reliable sources only now.
Cheers,
Trevor H. Stenson
X-Originating-IP: [207.36.8.217]
From: "A Nonymous" <formeraol@hotmail.com>
To: ricfordz@macintouch.com, notes@macintouch.com, news@macintouch.com
Subject: Re: Trojan Horse (READ, VERY IMPORTANT!)
Date: Tue, 08 Sep 1998 13:44:40 PDT
Regarding the Hotline Trojan Horse news on MacInTouch, I am the one who wrote it. I never meant it to be spread around this much. It may your Finder and System File, no matter what version they are. You can avoid being infected by it by simply turning off AppleScript. I disguised it as an Application, text, and a DocMaker file. They were originally called Mac OS 8.1 Tricks and Tips and Hotline Server Speedup. It was written to get even with a Hotline Admin (who I won't mention) who really screwed me over. Like I said, I am sorry if I have caused anyone any problem with this instead of my intended target.
Truthfully,
A former AOL member
Hotline Servers
Date: Tue, 08 Sep 1998 14:27:00 -0400
From: "Jacques R. Blier" jrblier@arborescence.com
Organization: Arborescence.com
To: notes@macintouch.com
Subject: Hotline Server (USE AT YOUR OWN RISKS)
Hi:
Any user of Hotline should use it at HIS OWN RISK.
The way files propagate from one Hotline server to the next is so fast and in so chaotic a way that any user should not expect any security with the files downloaded. Hotline servers are known to propagate warez files as well as all the latest viruses (virii), xxx and all kinds of other junk. Some hot files may take only a few hours to be disseminated to a lot of Hotline servers.
One must be very cautious when browsing Hotline servers.
Since a lot of files on Hotline are not verified before being made available for download, these files should all be treated with extreme precaution.
On a regular web server like the Info-Mac archives, all the files are examined before being released for distribution. This is not the case on Hotline.
I've already met many virii, trojans, and other kinds of stuff on Hotline. All those files would not spread on regular web pages.
Furthermore, we can consider the Hotline servers as a virtual battleground; many of the trojan files are targeted at those who 'leech' (steal) legit files. While some use Hotline to capture warez, there are those against warez who program these little trojans.
Since Hotline servers are more and more popular, we must expect a lot more of those Hotline trojan files.
EXTREME CAUTION IS ADVISED ON HOTLINE. Those who are stung by a Hotline critter should not cry.
Thanks,
- Jacques