Intego Security Memo: OSX.Trojan.PokerStealer Trojan Horse
June 2008 by Intego Security Alert
Attempts to Take Control of Macs
Exploit: OSX.Trojan.PokerStealer
Discovered: June 20, 2008
Risk: Low
Description: A Trojan horse has been found in the wild masquerading as program for
Mac OS X called “PokerGame”. The Trojan in question is a shell script encapsulated in
an application, and is distributed in a 65 KB Zip archive; unzipped, it is 180 KB.
The Trojan horse, when run, activates ssh on the Mac on which it is running, then sends
the user name and password hash, along with the IP address of the Mac, to a server. It
asks for an administrator’s password after displaying a dialog saying, “A corrupt
preference file has been detected and must be repaired.” Entering the administrator’s
password enables the program to accomplish its tasks. After gaining ssh access to a
Mac, malicious users can attempt to take control of them, delete files, damage the
operating system, or much more.
Intego VirusBarrier X4 and X5 with virus definitions dated June 20, 2008 protect
against this Trojan horse. Intego recommends that users never download and install
software from untrusted sources or questionable web sites.