Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Opener' Malware Targets OS X

Posted by michael on from the laugh-it-up-fuzzball dept.

the_webmaestro writes "Macintouch.com is covering the "opener" malware, a new and potential vulnerability which affects Mac OS X. If true (it's not on HoaxBusters yet), this could become a Mac user's worst nightmare... Worse even than Microsoft Word macro viruses (heretofore the only real 'viruses' which threatened Mac users)! Normally, when ever I'd see virus alerts, I'd revel in the fact that as a Mac user, I was immune (except for the slow-down of the net, the loss in productivity of my colleagues, and the increase in SPAM--often coming from my friends and colleagues). [Sigh] Perhaps, my days of telling friends and family that there are no viruses for Macs may be coming to an end. There have been stories."

15 of 400 comments (clear)

  1. I am not too concerned by mj_1903 · · Score: 5, Informative

    As this Bash script (that's all it is) needs root access or physical access to the machine to propagate, I am not too concerned. Root is disabled by default on all shipping Mac's and if anyone has physical access to your machine then you are in serious trouble anyway.

    Saying this though, keeping your Mac patched is probably the best idea. Some vulnerabilities in Mac OS X can give you root privs, but having the firewall on and only services that you need enabled (none are enabled by default) will protect you from those issues.

    1. Re:I am not too concerned by Erik+Hollensbe · · Score: 4, Informative

      And the reality, is that only the largest apps do that.

      Really, I have over 200 apps on this machine and I can count on one hand (from memory) which ones used installers.

      Emacs, XCode, Cisco VPNClient. Sorry, 3.

      Everything else is standard mac fare, open DMG, drag n' drop and get to something more interesting.

      That said, some of the programs ask for root after they're installed, which I think is a larger problem. A couple of "tweak" utilities that I use to do things which apple buries or makes hard to use do this. I even found one doing this:

      echo "rootpassword" | sudo program

      So, I think it would be easy to argue that malware is not my biggest problem as a mac user.

  2. Re: "Administration" Password Problem... by TheRaven64 · · Score: 4, Informative
    It is very easy to pop up a dialog that looks like the standard system one asking for an admin password. A simple fix for this would be to require the user to press command-option-escape (or some other OS-caught interrupt key combination) before typing in the dialog. This would identify spoofed dialogs and allow a user to check that the program popping up the dialog is the correct one, and it's asking for sensible permissions. I suspect the reason that this is not done, is that there is no reason for trojan writers no to simply use the API calls to create the dialog, and then abuse root privilege.

    The best fix for this problem is to apply common sense. Do not give your admin password to any application except an installer for software acquired from a trusted source, or the OS X system utilities.

    --
    I am TheRaven on Soylent News
  3. Re:Nice script by Zocalo · · Score: 4, Informative
    Yeah, it's a fork bomb with tiny amount of obfuscation, if you can call using a non-alpha character as a function name obfuscation. Things become clearer if you format it properly, and replace the user defined function name ":" with "foo", like this:

    #!/bin/bash
    foo()
    {
    foo | foo &
    };

    foo
    So, we define a function, "foo", which runs "foo" piped into itself as a background task, then call "foo", and off we go. Essentially you are trying to execute the infinitely long command line of:

    foo | foo | foo | foo | foo...
    --
    UNIX? They're not even circumcised! Savages!
  4. Re:Uninformed. by Anonymous Coward · · Score: 4, Informative

    Yes, there were viruses in the pre-OS X days. But the crappy article summary was obviously talking about OS X. Do you have any examples of OS X viruses? Without one, you have no point, and sound like a troll.

    Sure, virus scanners are proof of viruses. It's definitely not possible that the company behind VirusBarrier is just trying to trick people into buying a product they don't need. Because corporations don't want profit, right? They'll just try to justify the program's existence by adding features for non-virus stuff and claiming they're building an infrastructure for fast response if there ever is a virus. So mod parent down -1 Troll!

  5. Re:Use sudo by CptChipJew · · Score: 4, Informative

    Go into Netinfo, enable root account. You can now log in as root.

    Back when OS X was pretty new, lots of *nix illiterates used to think you had to be logged in as root to have all the administrative powers of the system. Lots of software would be broken by it, and shareware developers would be swamped by email by people saying "I'm logged in as root and your program doesn't work".

    --
    Vonal Declosion
  6. Re: "Administration" Password Problem... by SnowZero · · Score: 4, Informative

    You can make it a lot worse that that. It is (somewhat) exploitable by a timing attack if your virus waits patiently for another program to start installing. There is probably some recognizable signature you can check for in ps, and just keep running it repeatedly. Once another program is installing, the virus can then jump in and do the operation that requires root, thus popping up a dialog box. The title will probably be wrong, but the timing of the dialog box will be *right*, so most users wouldn't notice except for a second box popping up later. They'll probably convince themselves that they mistyped the password the first time.

    This is a common vulnerability to just about any shared medium, and why users need to be careful even just running untrusted programs as a user. The unix equivalent is well timed "password" prompts from malware when the user runs something else they expect to generate such a message, such as ssh.

  7. Re:All machines are vulnerable to this by emerrill · · Score: 5, Informative

    Incorrect. You do need to authenticate. As an admin you are given slightly brouder privileges, but you are not in wheel. You need to sudo (or the GUI equv) to write to anything in /System/Lib

  8. Re:All machines are vulnerable to this by Ingenium13 · · Score: 4, Informative

    Actually, the default account created by system setup (at least on my Mac running 10.3.5) is a regular user account for the most part. I can access admin sections of the system, but I am prompted for my password first to confirm that I want to do this. This is really no different than having a seperate user for admin rights, and I feel it's a very good solution.

  9. Re:All machines are vulnerable to this by tfrayner · · Score: 5, Informative
    Users with admin rights do *not* need to login as root or to authenticate to install files in /Library/StartupItems. At the next boot, the script will be executed by root and your system is compromised without further notice.


    Sorry, I can't just let this one go. As a nearby poster points out, the /Library/StartupItems directory is owned by root, and is not writable by the admin group. You would actually have to sudo or authenticate to create items in that directory (I have just confirmed this for myself).

    This is on a machine running 10.3.5; I can't speak for earlier versions.

    --
    The best newspaper in the USA: the Anderson Valley Advertiser.
  10. Re:All machines are vulnerable to this by Anonymous Coward · · Score: 4, Informative

    No, you're simply wrong. Unlike Linux, by default on MacOS X, there is no root account active. Read that again - there is no root account active. You have to specifically enable it after you've installed the OS. The user created during install does have admin priviledges, but that doesn't mean that he or she has root priviledges. In fact, this has saved OS X from several vulnerabilities that afflicted Linux and other Unixes in the past.

  11. Re: "Administration" Password Problem... by julesh · · Score: 4, Informative

    A key combination (like how XP claims pressing Ctrl-Alt-Del to log in makes your computer "more secure") is a pretty stupid idea, and anything will be able to intercept it before the OS does if it tries hard enough.

    Not if the OS is written correctly. Secure attention sequences (the official name for this idea) work, when implemented correctly.

    I've noticed that XP seems to have introduced a setting (on by default, even!) which stops it from working, though, which is remarkably daft IMO.

  12. admin access by hedrick · · Score: 5, Informative
    In all of this discussion I still haven't seen a coherent account of how OS X actually works. Let me try:

    1) Someone said that root isn't active by default. That's sort of true. Root obviously exists. Anyone who is in the group admin can do "sudo" to do a specific command as root. They have to type their password to use sudo. However they can't login as root or su to root, because root doesn't have a password. If you want to be able to su to root, you give root a password by "sudo passwd root" or something similar. That command is not documented by Apple. They intend that users who want to do something as root will use sudo. "sudo bash" would appear to be functionally equivalent to "su", so assigning a password to root doesn't seem necessary, and is probably not best practice.

    2) There has been a lot of discussion about creating files in /Library/StartupItems. On a system that was installed from scratch a couple of months ago with the most recent OS, /Library/StartupItems is protected 755 root:wheel. On an older system it is protected 775 root:wheel. But you need to realize that wheel is *not* the admin group. My normal uid, which is an administrator, is not in wheel. The admin group is admin.

    cd /Library/StartupItems
    touch foo
    touch: foo: Permission denied
    This is on a system with 775 root:wheel.

    Apple has done their best to make sure that you must type the password of an administrator before doing anything one would think of as administrator actions. Frankly I think there are enough corners in any complex OS to get unwary users to install Trojans. But some of the info in this thread has been wrong.

  13. I was wrong. Oops by scruffyMark · · Score: 4, Informative

    Hm, I remember you used to be able to write directly to /Library/StartupItems without sudo-ing.

    That must have been changed with some security update in the last while, because in 10.3.6 they're both

    drwxr-xr-x 6 root wheel 204 15 Oct 19:22 /Library/StartupItems/
    drwxr-xr-x 34 root wheel 1156 30 Sep 19:05 /System/Library/StartupItems/

    --

    What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht

  14. Re:All machines are vulnerable to this by Megane · · Score: 4, Informative
    Oh crap, it's true. When there is no existing /Library/StartupItems, the Aironet installer is creating one with 775 me:staff permissions. And even when there is, I bet it creates /Library/StartupItems/Cisco with the same permissions. Which means that any admin user (or me without doing a sudo) can change the scripts inside. Scripts that get run as root during startup.

    Anyone out there who has installed Aironet wireless drivers, you might want to do something about your permissions in /Library/StartupItems.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }