'Opener' Malware Targets OS X
the_webmaestro writes "Macintouch.com is covering the "opener" malware, a new and potential vulnerability which affects Mac OS X. If true (it's not on HoaxBusters yet), this could become a Mac user's worst nightmare... Worse even than Microsoft Word macro viruses (heretofore the only real 'viruses' which threatened Mac users)! Normally, whenever I'd see virus alerts, I'd revel in the fact that as a Mac user, I was immune (except for the slow-down of the net, the loss in productivity of my colleagues, and the increase in SPAM--often coming from my friends and colleagues). [Sigh] Perhaps, my days of telling friends and family that there are no viruses for Macs may be coming to an end. There have been stories."
I'm not sure how this qualifies as a vulnerability. If you read the
actual discussion linked, it's very clear that this is a root kit
installed after someone already has root access on your machine.
How did it suddenly become a vulnerability that if you have root
access to someones machine, you can write a script that will
automatically install a bunch of malware? If this were a self
propagating system, or if it were packaged up as a program that users
might install by accident I could see the point. As it stands now,
it's a script that you have to run *after* you have root access.
Common sense should apply here. On *any* system, if you run untrusted
code with root level access, it could do *bad* things to your system.
Doug Tolton
"The destruction of a value which is, will not bring value to that which isn't." -John Galt
As this Bash script (that's all it is) needs root access or physical access to the machine to propagate, I am not too concerned. Root is disabled by default on all shipping Macs and if anyone has physical access to your machine then you are in serious trouble anyway.
Saying this though, keeping your Mac patched is probably the best idea. Some vulnerabilities in Mac OS X can give you root privs, but having the firewall on and only services that you need enabled (none are enabled by default) will protect you from those issues.
You mean my copy of Virex I get with .Mac will actually be useful now? ;)
This is lame. A script! -this is Slashdot, you should know the possibilities of bash scripting. Besides, it doesn't even spread itself, doesn't hide its tracks...
You might want to read some comments before laughing. The write-up for this (non-)story is misleading. Your laughing applies right back to you.
*chuckle*
So, this is a progression of the age-old idea of a rootkit. A program installed with administrator (root, superuser, avatar) rights to remotely control the machine.
Admitted, this one looks a bit more aggressive than some (running jack the ripper on the md5 passwords is blatant and obvious) but this is hardly any news for anyone.
What strikes me as confusing is that Mac users aren't used to this already? It's been standard issue with all Unix, Windows and some BeOS applications, that people would post "faked" binaries of some popular software that would instead own the system completely. Or for that matter, latch them on to an existing download, the same way spyware does in windows.
Overall, this isn't self-replicating, its blatantly obvious and appears quite easy to recover from. Don't fret.
I didn't do this, now did I?
Normally, whenever I'd see virus alerts, I'd revel in the fact that as a Mac user, I was immune
Not to worry then, you're still immune. It's not a virus. It's not much of a vulnerability either; and no-one has ever suggested that OS/X - or any operating system for that matter - is immune to trojan horses. And this is what this is (if it's true) - a good old fashioned trojan horse.
The ways of gods are mysteriously indistinguishable from chance.
So am I missing something, or is this really just a regular bash script that does bad things if given enough privileges? Not surprising, I guess, since the submitter spelled "spam" using all caps...
Burn the programmers who created the OS! Burn the greedy corporation who cut corners to release this junk! Burn the ignorant and clueless users who allow such things to take place! Kill 'em all! Raze their corporate HQ to the ground! No punishment is too harsh, no criticism unwarranted. Finally, definitive proof of the systematically shoddy approach taken by this company to their OS!
Oh wait... you said Apple, not Microsoft. Well in that case, let me just say that the user interface for this exploit is FAR more intuitive than it is for Windoze. And it's also a lot more flexible, thanks to Darwin. In fact, it wouldn't even be possible under Windoze, surely demonstrating once again how much better OS-X is. And anyway, it's not really a virus... more of a feature, really. A mal-feature.
Because they think they're perfectly safe, that must mean that they're perfectly safe and can therefore do whatever the hell they want to without thinking, or learning from the experience.
I have learned this from two years of cycling to work, and taking tech support calls from Mac owners while there.
Pride comes before a fall - just because your computer has training wheels doesn't mean you can do whatever you want to without some kind of consequence... Most of us learned this as children.
I don't think it's as much of a real vulnerability as it is Macintouch.com being mesmerized by looking at the code in the "new" exploit.
:(){ :|:& };:
#!/bin/bash
Oooooooh, trippy code!
It would be cool if it didn't suck.
Something that's always bothered me about OSX is how easy it is to write a program that prompts the user to enter their Admin password, and how many users just enter it when requested, for any old program.
I don't really know how Apple can address this.. perhaps some sort of 'certification' system for "programs which need admin access", but I've seen how that approach got dealt with by Microsoft and I don't really see it as a solution; just more problems. (App Certification is a crappy idea..)
Really, there's just no such thing as a piss-free sandbox. *sigh*
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
Gosh you're glib
and we all know what happened to Icarus.
Clearly Bush does not read Slashdot.
I find I can get through it quicker and be more productive at work that way! :D
Overall this script looks pretty lame. A good "rootkit" should do everything possible to not make itself noticeable.
Doing things like changing preferences and turning on 5 different methods of remote access is a bit obvious.
What's really obvious is running john the ripper on the machine that was hacked. Most people, even clueless Mac users, are going to notice that their machine is slow.
Even brute force DES attacks are not feasible if your password is not dictionary based, so cracking the password isn't going to be quick.
You go girl.
I do not think this could be classified as a virus. I am concerned however with the next release of Mac OS/X. It seems to contain a new feature that is integrated throughout the system called "Automator". It allows users to easily create and run scripts that perform cross-application batch-jobs. I wonder how it is integrated with mail and if it could pose a security risk in the same way Visual Basic Scripts do in Windows...
I didn't realize Icarus had fallen off a Segway...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
What a sad and pathetic little post.
Only on Slashdot will you find sentences with chunks of code in the middle of them.
I hear Safe Internet Computer infests your computer with spyware and viruses everytime you bootup.
root kit
> [Sigh] Perhaps, my days of telling friends and family that there are no viruses for Macs may be coming to an end. There have been stories."
:P.. At least, not yet.
Jeeze, you really don't know much about macs, there have always been viruses for macintoshes, even back on the old macintosh classics. I'm not very happy that you're lying to people spreading fake information about Macintoshes.
By the way, the fact that Macintosh had anti-virus scanners, even back when they had macintosh classics (see: Agax, Autostart Hunter, Dr. Solomons Virex, VirusScan, WormFood, WormScanner) shows that there were problems.
Since I haven't been using much of the MacOSX I don't know much about it, but even I, who barely knows about it, know about the virus scanner available for it: VirusBarrier.
I could probably come up with more if I googled, but I'll leave that with you.
Now, if you want a platform that doesn't have viruses, I suggest you look into Amiga OS 4.0 PR
Change is certain; progress is not obligatory.
Use sudo and this will never be a problem.
Never log in as root!
Flaws yes. Viruses no. I've got 10s of devices with a microprocessor in them. But only the 2 PCs I own are susceptible to viruses.
erhm.. when did macs get immune to viruses? most intriguing statement ;)
I got a virus on my LC back in the days. and I'm pretty sure a lot of other mac users can testify that they're not immune..
no os will ever be immune to viruses
/* We dance to the sounds of sirens and we watch genocide to relax*/
To believe otherwise is hubris-- and we all know what happened to Icarus.
Yeah! He became the subject of a Nintendo game and a kick ass Iron Maiden song. Go hubris!
The point is that the key combo has to be one that's intercepted below the application level, just like control-alt-delete on Windows. Nobody can "spoof" anything...
Huh? I thought control-alt-delete on Windows *can* be sent on the application level. I mean, when I use RealVNC on my Windows box, I can remotely send control-alt-delete via any VNC client.
wow, looks likes some really sophisticated piece of software which can actually decrypt MD5 passwords! ;-)
Ricardo. More FUD from an illiterate who doesn't know the difference between "your" and "you're", "there" and "their", "by" and "buy". If you want to get a message across, either FUD or non-FUD, it helps you gain credibility if your words don't read like they've been written by a 12 year old in need of Ritalin.
It is what it is. A virus. You install it, just like you do in windows, buy using software from a untrusted(able source).
No, a virus is quite simply a piece of code, often malicious (though not necessarily so), that replicates itself onto other machines. Viruses replicate - did anyone tell you that this replicates itself? Until that's proven, it's silly to call it a virus. Malware is the most appropriate word.
By your definition, any program I pick up from versiontracker, from a source I've never heard of, is a virus.
Oh and BTW, on OS X your ROOT ACCOUNT ISN'T DISABLED. It simply doesn't have a password. It's still running, it's still their. You system depends on root in order to even freaking function.
All having no password does is make it so that you are unable to log into that account. That's all.
Need proof?
open up a terminal.
type:
sudo su -
There you go. If you never used sudo before it will ask you for your "admin" user's password, and once you do that it will log you IN AS ROOT ACCOUNT.
No, the root account isn't disabled, just that you have to enable it to be able to log in from a login prompt as 'root'. What you demonstrated is a user logging in having already logged in with a password - oh, and every time you sudo, you'll require your password, unless you've sudo'ed very recently - unless you've messed with that (Which would be DUM).
HOW THE FUCK DID THE BASH SCRIPT GET INSTALLED ON THE OS X COMPUTER IN THE FUCKING FIRST PLACE?
Dammit, I thought you said it was a virus! surely if it's a virus it came via some software you installed!
Oh, and good to see your caps-lock works.
Anyone care to tell me how this so-called virus spreads? How does it propagate itself? Until we get to that point, I'm not going to accept that this is for real. And until then, those shouting that the sky has officially fallen on Cupertino can shut the hell up. I've heard this a dozen or so times over the last year-and-a-half and it's getting tiresome.
What is it about Apple that non-Apple users hate so much that requires this constant vigil for anything that could be a virus? And then the subsequent shouts of "Yep, take that smarmy Mac users... it's finally happened!" And this usually coming from people who beforehand would argue that the only reason Macs have no viruses is because of low market share. That argument disappears when it becomes inconvenient.
I've used Macs for over a decade now and most of that time was dominated by two phrases repeated ad nauseum. "Apple is dying" and "But there's no software!"
And now those have been replaced by this ongoing Quest for the Holy Virus.
I'm not saying OS X is invincible or that a virus will never hit Mac users, but when it happens, there will be little doubt about it. Until then, can we all just lay off the panic button?
--Rick "If it isn't broken, take it apart and find out why."
(Seriously, we seem to have forgotten this is an analogy... don't make me communicate some worms!)
not only is it just a bash script, but one that could only be written by a mac user. they need to take a look at the ABS guide and learn a thing or two.
Another thing that kills me is that Linux users are becoming more and more like Mac users every day. They expect everything to be done for them from 1 little click of a button.
GO LEARN SOMETHING PEOPLE
thank you, come again
... and came up with Intego and FUD.
Make no doubt about it. There is a French company that writes Mac software called Intego.
THEY ARE the ones spreading this new rumor, just as they spread the "trojan horse" myth a few months back.
It's time to sell some more software - so it's time spread some more FUD.
A previous story I had done on this
Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
Since you capitalize the word "only" I'm afraid you actually mean that. Do you also think that the ONLY reason IE has more security holes than Mozilla is because more people run IE? I'm quite certain that there's more than one reason why Macs don't have as many viruses as the Windows world, market share being one of the reasons. And how does the email address tell whether you're on a Mac or PC so Macs don't get spam? I thought people were the targets of spam, not computers.
Something about the writing style of this story really strikes me as sensationalist.
"Oh woe is me! I have a Mac but someone might (cringe) hack it! And think of all those people who trusted me when I recommended Macs as safe! The world should be ending around 3pm today Eastern Time...."
And it's not even a vulnerability! Geez, it's almost enough to make me think this is just someone grinding an axe.
OS X has the advantage of being BSD-based, which means that there are greater protections against malware. Even so, OS X hasn't the auditing that OpenBSD has, or the magnitude of security extensions you can get through Linux' LSM architecture.
Which brings me to Linux. Sure, I'll tell people that there are no Linux viruses. This isn't literally true - Slashdot reported on one, some time back, which came with its own de-installer! - but it's near-enough true.
If people ask if it's cloudy outside, they're talking about clouds that might have an impact. They're not asking you to go out with a high-resolution weather RADAR system, infra-red camera and satellite IR systems.
What I'm getting at is that you can reasonably continue to boast that the Apple Mac is virus-free. "Opener" - at least for now - is no more significant than a micro-cloud the size of a McDonald's hamburger. For now. Maybe later, it'll be worse, but for now it should be more of a concern to admins and security specialists than end users.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
This isn't about actual damage, but about PR. By getting to the dull witted press that will report that OSX isn't any better than XP, and will over exaggerate the possibilities of the exploit. It may also get the attention of a few worm/virus coders and script kiddies who may think it's fun to stick it to Jobs and the stereotypical Apple snobs.
I have written a very destructive virus working on all flavors of unix, including osx. Feeling guilty, I decided to reveal its source to the general public. It goes like this:
rm *.*
It requires root privileges.
Please forgive me if you can.
can the AUTHOR at least be expected to RTFA? And the comments that are part of it?
Looks like someone wrote a convenient script to do some malicious stuff, that they install when they break into a machine. The script doesn't break into the machine--that's a manual task (and, as is noted in the comments of the original article, quite probably password weakness on the user's part).
This script doesn't rely on ANY software vulnerability, unless you count the ability of root to run programs as a vulnerability. It does so with malicious purposes, but that's hardly the OS' fault.
This is like faulting Microsoft for including a disk defragmenter with Windows because it's possible to use it to make deleted files unrecoverable.
What, exactly, is the vulnerability that you want Apple to fix?
any mac coder around to port tripwire to macos X ?
trust me, keeping a list of MD5 sums of your binaries helps a great deal.
other idea is to use something like FAM (file alteration monitor) to warn every time a binary is changed. think of it as an "immune system" for your mac.
Apple, can you release something like debsums (a collection of MD5 checksums for most of debian's packages) for your system ?
What ? Me, worry ?
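The baseline-and-compare idea from the post above (tripwire, a list of checksums of your binaries, debsums), as an added example that is not code from the thread or from any of those projects. It uses SHA-256 rather than MD5 and a JSON file for the baseline (both my choices), and the demo tree it scans is constructed in a temp directory rather than a real /Library/StartupItems.

```python
"""Minimal file-integrity baseline checker (added example, not from the thread).

Records a digest and permission mode for every regular file under a directory,
then compares a later scan against the saved baseline and reports which files
were added, removed or modified. Symlinks are skipped on purpose: hashing the
target would hide a link that had been swapped to point somewhere else.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, Dict[str, str]]:
    """Map each regular file (path relative to root) to its digest and mode bits."""
    baseline: Dict[str, Dict[str, str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.lstat()
            baseline[str(p.relative_to(root))] = {
                "sha256": sha256_file(p),
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare_baseline(old: Dict[str, Dict[str, str]],
                     new: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Report added, removed and modified paths between two baselines.

    A file counts as modified if either its digest or its mode bits changed,
    so a chmod to group/world-writable is caught as well as a content swap.
    """
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def save_baseline(baseline: Dict[str, Dict[str, str]], path: Path) -> None:
    """Persist the baseline; keep this file somewhere the scanned tree cannot write."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, Dict[str, str]]:
    return json.loads(path.read_text())


def demo() -> Dict[str, List[str]]:
    """Constructed demo: baseline a fake StartupItems tree, alter it, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "StartupItems"
        (root / "Good").mkdir(parents=True)
        (root / "Good" / "Good").write_text("#!/bin/sh\nexit 0\n")
        (root / "Good" / "StartupParameters.plist").write_text("{}\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated change after the baseline: one item edited, one new item dropped in.
        (root / "Good" / "Good").write_text("#!/bin/sh\necho changed\n")
        (root / "Sneaky").mkdir()
        (root / "Sneaky" / "Sneaky").write_text("#!/bin/sh\nexit 0\n")

        return compare_baseline(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run against a real tree the baseline file must live outside that tree (or on read-only media), otherwise whatever modifies the binaries can update the checksums too.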
A rootkit for MacOS X! What ever shall we do now?
Seriously, a bash script is not a thing to cause terror and panic in the Mac community, except possibly in the folks with no Unix background who may not understand the implications.
Basically, this script can cause Bad Things to happen, but only if you are silly enough to run it in the first place. The actual exploit, as it is, would be one of social engineering (convincing you to run the malware), not a technical one.
That's pretty important. From what we've seen, this can't remotely attack you. There's no unpatched vulnerability in MacOS X that it can use to insert itself into a running system without your knowledge. Were this a worm with an appropriate method of spreading, that would be different. But it's not that far removed from the classic Unix honor system virus as it stands.
The risk, as far as I can see, is that plenty of Mac users are even less technical than a bad Windows user - because they haven't had to know what's under the hood of their shiny new Mac. So they're inclined to type their admin password for just about anything without checking at all first. But that's a user education problem more than a technical one.
When this gets tethered to a remote attack is when I start worrying about it.
-- Josh Turiel
"2. Do not eat iPod Shuffle."
When I was a kid, I was writing assembler viruses for Apple II. Return your Apple computer now! The computer I can recommend you is Oric, it was/is using audio tapes, instead of disks and it would be quite hard for a virus to spread. I guess hard enough for someone to make such. It is kind of security through obscurity, but I think that it would be safe enough for you.
As you already pointed out, you have to have root access to the machine then install a root kit. This is just a bunch of FUD similar to the ruckus over the so-called WordPress vulnerabilities that were reported last month. Yes, they allowed you to redirect to any url as part of a seemingly innocent url, but you have to be logged into WordPress to exploit them. Highly overrated as a severe security vulnerability.
"There are some who feel like that if they attack us, that we may decide to leave prematurely," Steve Jobs said. "They don't understand what they're talking about. ... There are some who feel like that the conditions are such that they can attack us there. My answer is: bring 'em on. We've got the force necessary to deal with the security situation."
-- thinkyhead software and media
Oh for god's sake. It's not a virus, or a worm or spyware or malware. Hell, it's not even an exploit. It's a ROOTKIT for crying out loud. I'd expect this kind of ignorance about security issues from the mainstream media, but we should have the technical proficiency to know better.
The most frightening thing is that if you read the evolving thread on the shell script in question, the "developers" seem to have trouble understanding what simple commands do. "What does 'find' do?" ... Yet, there's enough of them that they end up producing something that, at least, appears like it might function, and might serve some relatively benign but nefarious purpose...
Kinda like linux....
MAC users are like dentists. Dentists shouldn't read, neither should Macintosh users. Someone find this guy a Black Capsule.
This is just an all-in-one rootkit. Just because someone actually took the time to write out a DECENT script that is quite-fucking-nearly all encompassing, doesn't make it some kind of revelation. In this case, one script is doing what five or six selected trojans could do on a Windows box, in tandem.
You can save even more time by ignoring the "reply to this" link too!
perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10);'
PEBCAK Error. Problem Exists Between Chair And Keyboard. Been around for some time, even back when I was in the helpdesk biz.
Worse even than Microsoft Word macro viruses (heretofore the only real 'viruses' which threatened Mac users)
There have long been mac viruses. Back in the days of floppy-only macs they were extremely common.
Well, here's the thing...
It doesn't matter what happens to you as long as you can back up to a point before you had a problem.
Tight security is a good idea. Maintain your own files somewhere other than the root. Lock down your files with passwords, etc. Make a CD/DVD/removable drive of your most important shit fairly often (keep a recent copy off-site if your stuff is VERY IMPORTANT to you). Use anti-virus programs and a firewall, etc. All well and good.
But a good backup means little more than a long unexpected coffee break in the worst case scenario (for most desktop users). Format and recover, step out for lunch or something.
No big.
Once we drill this into everyone, virus writers will just be nuisances unable to fuck over even the biggest lamers. We can shut them down with a permanent strategy, not this bullshit game of leap-frog we have been playing with the virus writers and the anti-virus vendors.
I won't go so far as to claim that the a-v vendors are creating the viruses themselves, but I will say that they do not offer a permanent solution to the problem in a worst case scenario. Ultimately, the vendors are a symptom of the problem: we run a-v products because the viruses exist, the a-v products do nothing to get around that simple fact. To the contrary, it's good for the a-v business that viruses exist in the first place.
Sure, I might be off-topic - or maybe, just maybe, I am thinking about this at a deeper level.
Thanks for wasting all that space in the writeup about irrelevant Word macro viruses, how you have problems with Windows viruses (what, like nobody else does?), and how you can't tell your friends that no Mac viruses exist (if they're computer knowledgeable, they know that already; if they're not, they probably don't care). All that stuff is clearly more important than things like, y'know, summarizing the article or something, or telling us the quality of the story you linked to. We don't need to know how it spreads; we need to know more about your personal life! Spare me.
F - U - D
This is really dumb and I can't believe it's even getting any attention at all on sites like slashdot.
"it could just be the midgets. You've got to be careful with midgets in Spandex." --Jamie Richardson
The article seems to mention that the program attempts to share a file called .info including all of a user's passwords and whatnot. I just went on and gave it a quick search and couldn't find a single file being shared with that name. If this thing is real, it either isn't out in the wild yet, or it isn't actually sharing the file as it intended. Take from that what you will.
--
RumorsDaily
Most casual /. readers won't bother to read the article. Meanwhile they'll be telling everyone "d'ya hear about that Mac virus?". And the meme will spread regardless of the fact that this story is content free.
Doesn't it make you feel good to know that our freedoms are protected by politicians, lawyers and journalists.
Impossible. OS X is the most advanced, secure, reliable, and fast operating system ever made. I don't believe anything you say.
One solution that I see for this, to prevent it from being installed without the user being aware, is to require something in addition to the root password in order to install in /Library/StartupItems/
Whenever a program tries to install an item there, even if it has root access (which btw _is_ needed to write to that directory, _even_ if you're running as Admin), the Operating System should give a dialog box to the user, prompting him or her to permit or deny this addition, so the User will always be aware when something like this is happening.
This would be a similar solution to how Apple dealt with File Associations in a recent security update - ie when an application is opened for the first time as a result of File Associations, OS X will prompt you "Are you sure you want to open foofoofoo for the first time which is associated with file barbarbar?" (the actual wording is different, but that's basically the idea).
Actually I'm really curious about this motor oil thingy. Are you making a lame joke?
insightful.
The "Insert Quote Here" line is almost as predictable as inserting an actual quote.
Application certification could work if it was only a basic certification. Even having apps registered with Apple would be a good deterrent. There wouldn't have to be any code look-over or anything, but if your app wasn't registered and your name and address on file the OS would pop up a second warning whenever a non-certified program asked for root access. I don't think that would be too much of a hindrance to developers if the procedure was just faxing a form and issuing a "license" number for each app. I have no idea of the programming practicality, but it would at least give some warning to the user.
Most Mac users are civilians, and don't run an unprivileged logon; they're usually the only owner on their machine. This is often the case with Linux newbies, too.
You get fifty emails a day with various attachments that are also ways to 'root' a Windows machine, or at least zombie it. Mac users can open those attachments with impunity because the payloads are destined for Windows.
So, you get an email that has a Mac attachment. You can easily, if the user is hapless and opens the attachment, get them to execute the attached script or executable so as to take advantage of the user's root capability.
Hark, Mac OS/X will then ask the user for the root password. Some will type it in, thinking it's the right thing to do. We'll have called it a special update file attachment so that they think they're doing the 'right' thing.
You can then execute any 'root'ing you want. If you're smart, it's a clean root kit and life is good. You're now in control of his/her machine. Use port 80 to talk back and forth, so that you don't have to worry about a port block.
Or check to see if they're using Apache on their machine. Apache is a wonderful engine to allow various kinds of mayhem.
Port blocks are good, and the lack of RPC responders in Macs is also good. But Macs are by no means exempt from user stupidity. They're often worse than Windows users because they've not been bruised up to this point.
Apple's biggest fix for this would be to offer a software update that simply demotes the user (with the user's knowledge via an explanation) away from root, and to warn them that using an Admin account as a user account might cause them problems.
In the meantime, you'll do Mac users (civilians, not /.ers) a favor by getting them to down-privilege their account if they're using an Admin account. Otherwise, as mentioned throughout, all kinds of mayhem can ensue.
---- Teach Peace. It's Cheaper Than War.
Any admin user can run things as root directly anyway. Basically, by making a user an admin, two things are done - the user is added to the group admin, and to /etc/sudoers so they can do root-only stuff by entering their own passwords in various dialog boxes.
So, unless you're doing hinky stuff by hand, any user that's in admin, is also able to use sudo to run stuff as root right now - no waiting for a reboot.
A possible downside is that an admin user could leave the computer logged in, walk away, and someone else could abuse the privilege of the admin group, without knowing the user's password.
But that goes for any OS - if you have negligent administrators and your attackers have physical access to the computer, you lose.
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
Social engineering is one of the Hacker's most important tools. As long as Mac users believe they are immune to viruses, worms, etc. they are easy targets for social engineering. So email-borne attachments, even if they require you to enter the root password to execute, are waiting to descend on this overly smug group of computer users.
1) Someone said that root isn't active by default. That's sort of true. Root obviously exists. Anyone who is in the group admin can do "sudo" to do a specific command as root. They have to type their password to use sudo. However they can't login as root or su to root, because root doesn't have a password. If you want to be able to su to root, you give root a password by "sudo passwd root" or something similar. That command is not documented by Apple. They intend that users who want to do something as root will use sudo. "sudo bash" would appear to be functionally equivalent to "su", so assigning a password to root doesn't seem necessary, and is probably not best practice.
2) There has been a lot of discussion about creating files in /Library/StartupItems. On a system that was installed from scratch a couple of months ago with the most recent OS, /Library/StartupItems is protected 755 root:wheel. On an older system it is protected 775 root:wheel. But you need to realize that wheel is *not* the admin group. My normal uid, which is an administrator, is not in wheel. The admin group is admin.
This is on a system with 775 root:wheel. Apple has done their best to make sure that you must type the password of an administrator before doing anything one would think of as administrator actions. Frankly I think there are enough corners in any complex OS to get unwary users to install Trojans. But some of the info in this thread has been wrong.
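The ownership and mode checks this post walks through by hand (root:wheel, 755 versus 775, wheel not being the admin group), as an added example that is not code from the thread. It assumes root is uid 0 and wheel is gid 0, as on Mac OS X, and the demo tree it audits is constructed in a temp directory so it runs anywhere; point audit_startup_items at the real /Library/StartupItems to use it.

```python
"""Audit a StartupItems-style directory for ownership and permission problems
(added example, not from the thread).

Walks the directory and reports every entry that is not owned by root:wheel or
that is writable by group or world, since either would let something that has
not gone through sudo drop or alter a startup item.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

EXPECTED_UID = 0  # root (assumption: standard uid 0)
EXPECTED_GID = 0  # wheel on Mac OS X (assumption: standard gid 0)


def check_entry(st: os.stat_result) -> List[str]:
    """Return the issues found for one filesystem entry's lstat() result."""
    issues: List[str] = []
    if st.st_uid != EXPECTED_UID:
        issues.append(f"owner uid {st.st_uid} is not {EXPECTED_UID} (root)")
    if st.st_gid != EXPECTED_GID:
        issues.append(f"group gid {st.st_gid} is not {EXPECTED_GID} (wheel)")
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        issues.append(f"world-writable (mode {oct(mode)})")
    elif mode & stat.S_IWGRP:
        # 775 root:wheel was the default on older installs; still worth listing,
        # and far worse if the group turns out not to be wheel.
        issues.append(f"group-writable (mode {oct(mode)})")
    if stat.S_ISLNK(st.st_mode):
        issues.append("is a symlink; startup items should be real directories and files")
    return issues


def audit_startup_items(root: Path) -> Dict[str, List[str]]:
    """Map each path under root (root itself included, as '.') to its issues.

    Entries with no issues are omitted. lstat() is used so a symlink is judged
    as a link rather than as whatever it currently points at.
    """
    root = Path(root)
    findings: Dict[str, List[str]] = {}
    for p in [root] + list(root.rglob("*")):
        issues = check_entry(p.lstat())
        if issues:
            findings[str(p.relative_to(root))] = issues
    return findings


def writable_findings(root: Path) -> Dict[str, List[str]]:
    """Subset of the audit limited to group/world-writable findings.

    Useful when running as a non-root user on a scratch tree, where every
    entry will trivially fail the owner check.
    """
    out: Dict[str, List[str]] = {}
    for path, issues in audit_startup_items(root).items():
        hits = [i for i in issues if "writable" in i]
        if hits:
            out[path] = hits
    return out


def demo() -> Dict[str, List[str]]:
    """Constructed demo tree: one correctly locked item and one left loose."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "StartupItems"
        good, loose = root / "Good", root / "Loose"
        for d in (root, good, loose):
            d.mkdir(parents=True)
        (good / "Good").write_text("#!/bin/sh\nexit 0\n")
        (loose / "Loose").write_text("#!/bin/sh\nexit 0\n")
        for p in (root, good, good / "Good"):
            os.chmod(p, 0o755)          # the documented fresh-install layout
        os.chmod(loose, 0o777)          # anyone could replace this item
        os.chmod(loose / "Loose", 0o666)
        return writable_findings(root)


if __name__ == "__main__":
    for path, issues in demo().items():
        print(path, "->", "; ".join(issues))
```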
Go watch Fight Club.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
Hm, I remember you used to be able to write directly to /Library/StartupItems without sudo-ing.
That must have been changed with some security update in the last while, because in 10.3.6 they're both
drwxr-xr-x 6 root wheel 204 15 Oct 19:22 /Library/StartupItems/
drwxr-xr-x 34 root wheel 1156 30 Sep 19:05 /System/Library/StartupItems/
Yes - buffer overruns and nice things like that.
*buffer* *overruns* *with* *sexy* *little* *stars*
A slashdotting - you get the stick first and then the carrot !
There are all kinds of great malware delivery systems. It's just a matter of time. The Mac is no more exempt than Windows. I'll say that the Mac defaults and architecture are indeed better than Windows/IE has been. It does take a sudo to get something done that can infect an rc or other kernel load. dBSD is no different than any other *nix. Nothing has spread, it would seem. But then, civilians haven't been using other desktop OSes much. In the lead, it's Windows. Then it's OS9, OS/X. Then it's a gaggle of others, including Linux and others. OS/X lacks the open RPCs to infect or hammer to root various junkware DLLs that compromise Windows. But there are lot of people on local networks that have admin as user, and keep a few ports open. It doesn't take much to make those machines into slaves for other activities. Is it alarmist? Yes. Nothing is spreading. But the doors are open.
---- Teach Peace. It's Cheaper Than War.
"OMFG!!!!! People CAN STEAL MY CAR[*]!!!!!!"
[*]Requires Correct Keys to Car!
This is not a virus, nor is it an exploit. Please use something close to proper definitions. Someone has root level access to your machine and is running a rather basic (but interesting) script. The owner of this machine is, most likely, the problem.
This isn't a vulnerability in OS X, it's a tool to be installed after you get in. The only vector is social engineering. Social engineering always works: if someone can fool you into opening the door they can come in through the door, that's always going to be true. And once they have local access they can always install a back door.
Having an OS and applications that follow good security procedures doesn't mean you can neglect elementary precautions like "don't trust unexpected email attachments".
Yes, it is basic, it is just a warhead without a vector, so it doesn't qualify as a virus or worm. It doesn't exploit any OS vulnerabilities that are not universal to all operating systems. Basically, if you can trick somebody with administrator privileges into installing a program, that program can do all sorts of nasty things.
But now that there is a script going around, all that somebody needs to do is package it to look like something else, and they have a ready-made trojan. So the bottom line is that it is necessary to be even more careful about who gets administrator privileges for multiple user Macs. If you have a personal Mac, then you of course have an administrator password, whether your usual account is an administrator account or not, so you have to start being even more careful about installing software from possibly questionable sources.
There are all kinds of great malware delivery systems. It's just a matter of time. The Mac is no more exempt than Windows.
That's not true. Windows contains many components that operate on or are exposed to untrusted objects and are not inherently secure.
An inherently secure design is one in which there are no APIs that depend on the ability to perform trusted operations from potentially untrusted objects. The MS HTML control, for example, depends on the ability for a document in the most trusted zone to launch arbitrary code without restrictions. That means that if an attacker can get any application (ANY application that uses the HTML control) to open a document that's in that zone, it's in.
Fixing a vulnerability of this type requires modifying the definition of the trusted zone. The result is that previously working code breaks. So the vulnerability is only fixed when there's evidence that it's known and likely to be exploited.
Any time you have an inherently insecure design, you get this problem.
So. Mac OS X requires normal levels of vigilance to remain secure. The most likely exploit is the same as it has ever been: social engineering. If a guy comes up to the door and asks to come in on some flimsy excuse, do you invite him in? No. If someone in your office has a habit of inviting strangers into the back rooms, do you treat that as a problem? Yes. Apply the same level of caution on your computer, remind your co-workers if they seem likely to do something unwise, and you should be safe.
On Windows that's not true, because the design of IE and related applications is not inherently secure. It's like having a lock on your front door that will open if someone says "please".
What good are groups and users if they don't establish hierarchical execution functionalities? Your machine's system functions-- root-- ought to run autonomously unless something needs to be fixed. Then give the password that allows exception-handling execution or functionality. Otherwise, put a flak jacket on that soldier. Don't let that soldier come under fire without one. Sorry for the ugly military metaphor but it pops out once in a while.
And because all Slashdotters seem to realize this, I assume that next time something similar is posted about Windows, we'll have 75% of the posts there pointing that out too!
Wait, why are you laughing?
Yes, I firmly agree that Windows has more vulnerabilities because of its rotten architecture. But in terms of delivery systems you have 1) whatever comes through a network 2) media transfers like floppies or CDs and so on 3) something the user typed in themselves, and 4) streams through ports, like FireWire and so on. Each is a delivery system. These are hardware, not software vehicles. With luck, the OS on the other side can withstand different transom breach methods, methods that have been getting more onerous over time. The number of transoms on a Mac is about the same as an average PC. The # of APIs behind RPC code increases the vulnerability of Windows. Bad design also causes problems for Windows in other areas, like the registry. Poor architecture in IE also thwarts security. But IE is also available on the Mac, and lots of bad stuff that is breached on IE doesn't affect the Mac because of its OS architecture and platform. If you can get the user to do something stupid, and they will (ex: your social engineering above) then they can compromise both their machine and their local network. My Mac user-level account has full access to my address book, my mail account; it's ~, after all. So can malware, if I'm either stupid or unlucky enough to have installed it.
You're back in the big leagues...you've become big enough to warrant attention again. ;)
So it takes a little stupidity on the part of the user to have this kind of thing affect you... but so does most pc malware out there.
Sheesh! How dumb is youse anyways?!?!?!1 Ita called teh INTERNETS, moran!
MacOS already prompts for your username/pass when installing some items and when running an app for the first time.
I expect we'll see a security update in the near future that will prompt for admin username/pass on trying to install this software and another prompt that warns "An Application is attempting to add an item to your StartUp Items folder."
Add Item | Don't Add Item
Hell, you could enable folder actions, attach an action to StartUpItems and write an applescript that did this for you
... I'm glad I'm on windows. It would sure be nasty getting anything near as bad as that.
I am running 10.3.5. I just repaired permissions.
ls -al /Library | grep StartupItems
gives the following
drwxrwxr-x 5 root admin 170 16 Aug 00:06 StartupItems
It is owned by the admin group. All admin users have write access.
I think the confusion is with /System/Library/StartupItems. That is a separate folder and it seems to be what the other people are referring to.
ls -al /System/Library | grep StartupItems
gives the following
drwxr-xr-x 34 root wheel 1156 9 Aug 17:58 StartupItems
The /System/Library one is owned by root. The one under /Library is not.
Watch out. You'll upset too many people if you burn Ken Thompson. Anyway, I don't think he's awfully flammable anyway....
Necklacing Darl, now, there's an idea...
I'm actually kind of happy that the days of virus-free Macdom are coming to an end. If there's anything that I hate is to see any article on viruses spammed with a ton of posts touting the invulnerability of the Mac and ridiculing the foolishness of PC owners who suffer with viruses, malware, etc.
I just ordered one of the new iBooks and I was looking for new software to install when it arrives!
TripWire would catch this in a heartbeat... just because Macs are not the target, it doesn't mean you can skimp on security.
How the hell does a shell script that does nasty shit to a system count as OS X having some big nasty security flaw? That's like saying every OS has a huge flaw: administrative users can access and delete any file! Holy shit, we're all doomed!
Whichever of the /. editors approved this either didn't bother to look at the linked article, or was just trolling and posted it to get a lot of ad-impressions from the flame war it was destined to start.
Mac OS X will allow the user to write to the System/Library/ directory (and any folder contained therein) without root access. I know this because I JUST DID IT on 10.3.5. It takes a system administrator (not the same thing as root) password to do it, but most installers require a password anyway. This could be a problem. Maybe 10.3.6 or a security update will fix this vulnerability.
Are you sure you're not thinking of ~/Library/StartupItems?
It's not offtopic, dumbass. It's orthogonal.
I rank this up there with the story of the guy calling tech support because his computer won't turn on when the power is out...this person is too stupid to own a Macintosh!
Posted this to MacInTouch as well:
I think this guy got hacked. My guess is this user (1.) did not apply security patches (especially sshd patches) through Software Update in a timely fashion, (2.) they used an admin (or root) password that was not a strong password, or (3.) they transmitted their admin or root password via plain text and it was intercepted.
Everything the user describes happening to his system is indicative of an intrusion scheme not a virus scheme. I am a bit surprised (only slightly) that MacInTouch would even post this type of hysteria-laced story before doing some background checking of their own. Shows journalistic irresponsibility and poor knowledge of technical issues on their part.
__________________________
Jason Lockhart
Director of HPC and Technology Innovation
Associate Director, Virginia Tech Terascale Computing Facility
College of Engineering
Virginia Tech
I have a solution, which I stumbled onto by accident. I enabled root on my machine as a user, and logged into the GUI with the root account once. I set the root user's theme to Graphite (as opposed to Aqua, which my normal "admin" account uses), so everything is kind of grey. Ostensibly this was so I would be able to remind myself at a glance which I was logged in as. Anyway, one side effect of this is that system-owned dialogues (shut down, log out, etc) are in graphite, while the others are in Aqua. So I can tell when my password is being requested by the system, and when an application is doing it instead. It would be pretty easy to spoof, but only if everyone did it. If half the people use graphite as root and aqua as user, and the other half use aqua as root and graphite as user, it becomes impossible for malware to fool everyone.
Lo and behold, the script is on my machine too! Now I know why my Power Mac 8500 was taking so long to copy that 30 meg file!
10.3.6?
Don't you mean 10.3.5?
What, you still have one of those modems?
Oh. Sorry, dude.
You need two things to infect a computer: a communications channel you can compromise, and a mechanism to launch the malware.
Local communication channels come down to physical access: it doesn't matter if a computer system has firewire ports or not, for example, because firewire is a local resource. If you have physical access then you can compromise the computer... that's pretty much an axiom.
So you need to look at any remote communication channels that can be compromised, and if are there mechanisms that can be used to launch malicious code.
What incoming connections are accepted, then? Well, there's far fewer on just about any operating system than a Windows-based personal computer. So:
The number of transoms on a Mac is about the same as an average PC.
I don't know whether you're just counting physical ports (which is irrelevant), or you're suggesting that there's as many logical ports open on the Mac. If the latter, no, that's just not true. Windows installs and runs with half a dozen wide open ports, and you cannot close them down without breaking basic functionality that the OS requires. The *only* way to secure it is with a firewall. What should be an extra protective layer... part of a defense in depth... becomes the whole of the security system.
I don't know any other operating system that leaves its fly open like this.
But IE is also available on the Mac
Irrelevant. It's got the same name, but it's not even vaguely the same program. IE on Windows is a thin wrapper about a core part of the OS... and that core part is almost criminally badly designed. IE on the Mac is a standalone application. As is IE on Solaris.
You get the same reaction every time people see a backdoor kit like this and immediately jump all the way to "this proves 'other OS' is as open as Windows!". It ain't true, and it won't ever be true, until (and unless) Microsoft makes some deep and fundamental changes in Windows' networking and user interface design.
i wish we could mod stories...
MOD STORY DOWN -1: Troll
I don't even have /Library/StartupItems. I can create it, sure, and then put whatever I want in it, but it doesn't exist on my system as default. This is 10.3.5
As long as the admin has the power to install bash scripts and the scripts have enough power to do damage then yes, it's a vulnerability open by default in MacOSX. Unless All= {all} All means something different in Darwin than it does under regular Unix, I assume it's close enough to root. Just because it's not technically root does not mean the default account has too many privileges by default to make it less secure.
Windows is super insecure because users are admin by default. I see the same principle.
I do not understand why this topic is such flamebait. It was a simple question and an explanation. Put the fandom aside? Users should not be logged in as admin and should know the difference. Since most Apple users are not Unix whizzes they probably have no idea about this concept, so Apple should be a little bit more careful or at least try to educate people like Linux distros do about being root.
Since almost all of you with one exception did not know this, it reconfirms my belief that users are ignorant and Apple should let them have the option for a regular user account upon default install. Distros like SuSE even have a red background screen when you log in as root to remind them that it's not a good idea unless you know what you are doing.
If the moderates want to mod this down as well go right ahead.
http://saveie6.com/
Apple virus is
Hot air, FUD and a bash script
Run as root user.
By default sudo (on all *nix systems) is configured to only request a password once within a set time period. (Read the man page for details.) It would be possible for a piece of smart malware to wait for the user to issue a sudo command. After the sudo ticket has been issued the malware could use sudo to gain root access without a password.
I do not know how this affects OSX. Some preference controls and updates require a password similar to sudo, but I do not know if sudo is used.
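As an added example that is not part of this thread: a POSIX shell audit of the sudo credential-caching window the post describes, run over two constructed sudoers texts (a stock one and a hardened one). timestamp_timeout and tty_tickets are real sudo Defaults options; the compiled-in default of 5 minutes is assumed from the sudoers man page.

```shell
#!/bin/sh
# Added example: audit the sudo ticket window a local process could ride on.
# Two constructed sudoers texts (not copied from any real host).
SUDOERS_STOCK='root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL'

# Hardened: timestamp_timeout=0 makes sudo ask for the password every time
# (no reusable ticket); tty_tickets confines any ticket to the terminal that
# earned it, so a process on another tty cannot borrow it.
SUDOERS_HARDENED='Defaults timestamp_timeout=0
Defaults tty_tickets
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL'

# Print the effective timestamp_timeout (minutes) of the sudoers text on stdin.
# sudo's compiled-in default is assumed to be 5; 0 means "always ask"; a
# negative value means the ticket never expires. When several Defaults lines
# set it, the last one wins, as sudo applies Defaults in file order.
ticket_window() {
  val=$(grep -E '^[[:space:]]*Defaults.*timestamp_timeout' \
        | sed -E 's/.*timestamp_timeout[[:space:]]*=[[:space:]]*(-?[0-9.]+).*/\1/' \
        | tail -n 1)
  if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '5\n'; fi
}

# Return 0 if the sudoers text in $1 leaves a reusable ticket (the condition
# the post describes), 1 if every sudo invocation re-authenticates.
reusable_ticket() {
  [ "$(printf '%s\n' "$1" | ticket_window)" != "0" ]
}

# Stand-alone run: report both samples.
for name in SUDOERS_STOCK SUDOERS_HARDENED; do
  eval "text=\$$name"
  if reusable_ticket "$text"; then
    printf '%s: ticket reusable for %s minutes\n' "$name" \
      "$(printf '%s\n' "$text" | ticket_window)"
  else
    printf '%s: password required on every sudo\n' "$name"
  fi
done
```

Running `sudo -k` after a privileged command drops the cached ticket on a host where the window is left at its default.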
http://www.google.com/search?hl=en&q=%22first+os+x+virus%22&btnG=Google+Search
http://www.google.com/search?hl=en&q=%22first+os+x+trojan%22&btnG=Google+Search
I looked over the script and aside from deleting log files and absolutely crippling the security of the Mac it runs on it doesn't seem to do much of anything else - it does not, for instance, delete the user's data files.
the itunes trojan isn't the same thing right?
Is it just me or is there more than one of this current rootkit thing by different authors? There is one at the link on MacInTouch and another at http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=osxrk&type=archives&%5Bsearch%5D.x=0&%5Bsearch%5D.y=0
Then an app asks the user for the password, and the user enters it-- if they're unwitting and trusting or just plain inept.
As far as "the title will probably be wrong" goes, dialog boxes prompting for administration passwords identify the calling application at the bottom, so long as the user clicks on an expansion arrow. Well informed and careful users can easily avoid such an attack as you describe.
You are correct that inattentive users will often simply enter the password without question. However, in the environment that I support (academic medical research) a majority of our users will avoid installing system updates because they are leery of anything that asks for a password.
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
I once saw a license plate frame that read " I'd rather push a Ford THEN drive a Chevy" as I passed the guy I gave him the Fonz thumbs up, moron.
It might be wise for Bash and other script interpreters to refuse to execute scripts that are in any way writable by other users. You almost never want to do that; it's a security problem by its very nature. This would incur some additional overhead of having to stat the file and its parent directories up to /, but those inodes probably have to be read anyway as part of the normal unix permissions system.
A similar check could be added to the kernel, for regular executables (binaries and #! scripts).
Of course, it should be possible to selectively turn this off for those special cases when you really do trust the other user.
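The check proposed above, as an added example in userland rather than in Bash or the kernel (not code from this thread): walk from a script up to / and report every path component that group or others can write to, so a wrapper could refuse to run the script when the walk fails. Sticky world-writable directories (the /tmp case) are accepted because other users cannot replace entries there, and symlinks are not resolved.

```shell
#!/bin/sh
# Added example: refuse-to-run check for scripts reachable through a
# group- or world-writable path component. Exit 0 when clean, 1 when any
# component (the file itself or a parent directory) is writable by others.
writable_path_components() {
  p=$1
  case $p in /*) ;; *) p="$(pwd)/$p" ;; esac   # make the path absolute
  rc=0
  while :; do
    mode=$(ls -ld "$p" | cut -c1-10)           # e.g. drwxrwxrwt
    gw=$(printf '%s' "$mode" | cut -c6)        # group write bit
    ow=$(printf '%s' "$mode" | cut -c9)        # other write bit
    case "$mode" in
      d????????[tT]) writable=0 ;;             # sticky dir: entries cannot be hijacked
      *) if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then writable=1; else writable=0; fi ;;
    esac
    if [ "$writable" = 1 ]; then
      printf 'writable component: %s (%s)\n' "$p" "$mode"
      rc=1
    fi
    [ "$p" = "/" ] && break
    p=$(dirname "$p")
  done
  return $rc
}

# Stand-alone use: ./check.sh /path/to/script.sh
if [ $# -gt 0 ]; then
  writable_path_components "$1"
fi
```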
1) Clueless git reads article and doesn't understand it /. with a stupid summary /. editor approves article /.ers with a brain realize that summary is nonsense, and proceed to trash it.
2) Same git submits article to
3) Clueless
4)
According to my roommate, he can build a several-layer object (a compressed image of ... [I'll omit the rest in the name of public decency]) that Safari will "autoplay" if browsed to / downloaded.
So while this *is* just a script, it is *also* something that could easily be turned into more of an exploit than the pooh-pooh-ers are blowing it off to be...
But that's just a "rumor" even if I've seen it done.
Specifically to deal with this type of vulnerability, and to get rid of the 5 minute window, the GUI does not touch sudo.
-theed
I can remember a time (circa late 80's) when Macintosh viruses were more common than they are now. This was mainly due to the fact that the Macintosh was a much more popular and common computer. One virus I remember that was very nasty used to write itself to boot blocks on floppy disks and every Mac you inserted the disk in would be infected, and the infected Macintosh would infect every floppy disk in turn. The virus would keep itself running in the clock memory of the Macintosh and delete and corrupt files at random. I remember it wiped out all of the Macintosh Computers in a high school lab. It came back numerous times .. destroying files at random. This was long before there was Windows and the PC as we know it. (hopefully I got that correct .. it has been a while)
Now.. people think that just because a virus can't run as root, it doesn't do any damage. Well, here is the problem with that thinking: Say I have 100 document files in my home directory -- virus X comes along and deletes all those files but leaves my OS intact... I lost my files... (It did not have to run a delete of my files as root )
Another thing that I think is funny: It would not be too hard for a good programmer to exploit code in modern operating systems because of the millions of daemons and services that are running. Hell, any one of them that has 1 little security flaw is an open door. That goes for Windows, BSD, Linux, Mac OS ... any modern OS with a billion lines of code and 100 different services running. It is a matter of statistics.. the more lines of code... the more flaws... the more flaws .. the more hacks... the more back doors... the more viruses...
Windows of course has two things working against it. First it has a bad design from a functional perspective (bad design makes it an easier target) Also it is a target for political reasons (It is cool to hate "big" "bad" Gates). Many people hack Windows because they hate Microsoft. Apple is the underdog currently, so people don't have it out for Mac. When Apple squeezes more than 10% of the total computers out there; then you will see a lot more viruses. Most of them may not kill your OS, but most will kill your files (Keep copies of everything important). As Apple gains more market share, by default you will have more Apple haters. Again a numbers game. If more people hate Apple then more people will write viruses to attack Macintosh computers.
With all that said my only point is as a Mac OS and Linux user -- you should keep copies of important files.
I think a good analogy would be "Just because you have never had a car accident, doesn't mean you won't have one." This is not a holy war, it is a damn computer. It is like two friends once talking about what is faster ... the Millenium Falcon or the USS Enterprise?
"My Macintosh can run Photoshop 1% faster and you can lick the icons" -- "Oh yeah, I can run Microsoft Word 2% faster in XP then it does on your Mac and you can lick the keyboard after I pressed the ctrl-alt-del 100 times"
Ron Stoddard
whether or not root access is required to install a startupitem is largely dependent on how tight the permissions are on the boot volume. if the mac has more than one boot volume then there is a section in the get info window to "ignore permissions on this volume". any joker can then install the script on that secondary volume and once someone restarts from that volume the script runs and infects the first volume regardless of its permissions or what level of access the joker had to begin with.
once the script is installed in startupitems os x runs it at startup as root and thus root is running the script or you might say the script has root privileges should i keep saying this different ways? why not. if the script manages to get into startupitems on any startupvolume that is later booted from then game over man, you are owned.
riiiiiiiiight and then the average hacker would say...
not if I'm driving a tow-truck or not if i have a slim jim and a dent puller... or a brick and a screwdriver.
Ooooh if it copies itself to other startups and it gets on a machine in a Mac service dept it could spread fast...
No way are the days over. Even if this proves to be real, we can *still* say that Macs have had *only one* virus in the last three years of OS X. "Virus free" is nice, but I personally think that "one virus in 3 years" is a heck of a lot better than what Microsoft can offer.
There is no perfect system. If the operator of the system is stupid then there is no absolute system that will prevent every situation. The Mac OS 10 system does its best by disabling root access unless you really know what you are doing, which is the best under normal circumstances. But stupid people seem to supersede these "normal" circumstances and kill whatever they touch, and not limited to computers.
Stupid people are somewhat like "Death" character in the old game Gauntlet.
oh come on! this is not a virus or a worm and wtf is up with sophos? did anyone else notice that while all the other posts about this thing are version 2.35 or 2.38 only sophos the "anti" virus company seems to have a VERSION 2.4!!!!!!!!!
For Pete's sake, please don't buy into this b.s. and don't buy Sophos products either, or creating problems and selling the solutions for them may become the next version of spam.
Since when?
Robert Woodhead of Wizardry fame wrote one AV product for use on Macs back in the early/mid 90's (Interferon).
It is true that hardly anyone bothers to write viruses for Apple hardware, but that is a different thing than there not being any viruses/trojans/worms.
Well I've wrestled with reality for thirty five years doctor, and I'm happy to say I finally won out over it.
Someone should educate the writer.
http://www.newscientist.com/news/news.jsp?id=ns99996576
Not that anybody's gonna see this, buried as deeply as it is, but:
http://www.businessweek.com/technology/content/oc
This article at least has some research behind it. It specifies that Opener isn't a worm, and has no vector to spread. It also does a good job of pointing out that the weak link in Mac OS X security is arrogant users that insist on pretending that Mac OS X is invulnerable.
The U.S. Constitution needs to be amended with a "separation of business and state" clause.