'Opener' Malware Targets OS X

the_webmaestro writes "Macintouch.com is covering the "opener" malware, a new and potential vulnerability which affects Mac OS X. If true (it's not on HoaxBusters yet), this could become a Mac user's worst nightmare... Worse even than Microsoft Word macro viruses (heretofore the only real 'viruses' which threatened Mac users)! Normally, when ever I'd see virus alerts, I'd revel in the fact that as a Mac user, I was immune (except for the slow-down of the net, the loss in productivity of my colleagues, and the increase in SPAM--often coming from my friends and colleagues). [Sigh] Perhaps, my days of telling friends and family that there are no viruses for Macs may be coming to an end. There have been stories."

I am not too concerned

[mj_1903]

As this Bash script (that's all it is) needs root access or physical access to the machine to propagate, I am not too concerned. Root is disabled by default on all shipping Mac's and if anyone has physical access to your machine then you are in serious trouble anyway.

Saying this though, keeping your Mac patched is probably the best idea. Some vulnerabilities in Mac OS X can give you root privs, but having the firewall on and only services that you need enabled (none are enabled by default) will protect you from those issues.

Re:All machines are vulnerable to this

[emerrill]

Incorrect. You do need to authenticate. As an admin you are given slightly brouder privileges, but you are not in wheel. You need to sudo (or the GUI equv) to write to anything in /System/Lib

Re:All machines are vulnerable to this

[tfrayner]

Users with admin rights do *not* need to login as root or to authenticate to install files in /Library/StartupItems. At the next boot, the script will be executed by root and your system is compromised without further notice.

Sorry, I can't just let this one go. As a nearby poster points out, the /Library/StartupItems directory is owned by root, and is not writable by the admin group. You would actually have to sudo or authenticate to create items in that directory (I have just confirmed this for myself).

This is on a machine running 10.3.5; I can't speak for earlier versions.

admin access

[hedrick]

In all of this discussion I still haven't seen a coherent account of how OS X actually works. Let me try:

1) Someone said that root isn't active by default. That's sort of true. Root obviously exists. Anyone who is in the group admin can do "sudo" to do a specific command as root. They have to type their password to use sudo. However they can't login as root or su to root, because root doesn't have a password. If you want to be able to su to root, you give root a password by "sudo passwd root" or something similar. That command is not documented by Apple. They intend that users who want to do something as root will use sudo. "sudo bash" would appear to be functionally equivalent to "su", so assigning a password to root doesn't seem necessary, and is probably not best practice.

2) There has been a lot of discussion about creating files in /Library/StartupItems. On a system that was installed from scratch a couple of months ago with the most recent OS, /Library/StartupItems is protected 755 root:wheel. On an older system it is protected 775 root:wheel. But you need to realize that wheel is *not* the admin group. My normal uid, which is an administrator, is not in wheel. The admin group is admin.

cd /Library/StartupItems
touch foo
touch: foo: Permission denied

This is on a system with 775 root:wheel.

Apple has done their best to make sure that you must type the password of an administrator before doing anything one would think of as administrator actions. Frankly I think there are enough corners in any complex OS to get unwary users to install Trojans. But some of the info in this thread has been wrong.