There seems to be a trojan out for the Mac. See New MacOS X trojan/virus alert, developing…. There’s some interesting tidbits:
6a) If your uid = 0 (you’re root), it creates /Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder
6b) If your uid != 0 (you’re not root), it creates ~/Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder
7) When any application is launched, MacOS X loads the newly installed “apphook” Input Manager automatically into its address space
First thought: It’s not attacking that nice, secure, BSD Unix base, but the Apple-designed parallel bits that help make the Mac so beautiful, usable, and extensible.
[Update: Second thought: there’s a lot of Mac-specific code here. Its not simply a port of a UNIX trojan.]
[2nd Update: The wording above implies a contrast between secure and usable; I meant only to acknowledge Apple’s longstanding focus on making a polished product.]