Slashdot Mirror


'Opener' Malware Targets OS X

the_webmaestro writes "Macintouch.com is covering the "opener" malware, a new and potential vulnerability which affects Mac OS X. If true (it's not on HoaxBusters yet), this could become a Mac user's worst nightmare... Worse even than Microsoft Word macro viruses (heretofore the only real 'viruses' which threatened Mac users)! Normally, whenever I'd see virus alerts, I'd revel in the fact that as a Mac user, I was immune (except for the slow-down of the net, the loss in productivity of my colleagues, and the increase in SPAM--often coming from my friends and colleagues). [Sigh] Perhaps, my days of telling friends and family that there are no viruses for Macs may be coming to an end. There have been stories."

15 of 400 comments

  1. FUD... by nordicfrost · · Score: 4, Interesting

    This is lame. A script! -this is Slashdot, you should know the possibilities of bash scripting. Besides, it doesn't even spread itself, doesn't hide its tracks...

  2. Mac owners are like Volvo drivers... by Anonymous Coward · · Score: 1, Interesting

    Because they think they're perfectly safe, that must mean that they're perfectly safe and can therefore do whatever the hell they want to without thinking, or learning from the experience.

    I have learned this from two years of cycling to work, and taking tech support calls from Mac owners while there.

    Pride comes before a fall - just because your computer has training wheels doesn't mean you can do whatever you want to without some kind of consequence... Most of us learned this as children.

  3. Re:I am not too concerned by j-pimp · · Score: 4, Interesting

    Root is disabled by default on all shipping Macs and if anyone has physical access to your machine then you are in serious trouble anyway. Right, but the initial setup of every shipping Mac out there has the user create an administrative account on their machine. This person can run sudo to execute a root command. The password prompt you get before installing most Mac software runs sudo. So an install program effectively runs as root and if the install program silently added this script to your system then it would run.

    --
    --- Justin Dearing http://www.justaprogrammer.net/ We're just programmers.

  4. Re:Nice script by beelsebob · · Score: 2, Interesting

    I can't claim to know bash scripting (I'm ashamed to say I'm a slashdotter and have never looked at it)... Is this a forkbomb? defining a lambda expression ':' that runs ':' twice, and then running it once. If so, surely the process limits are going to kill it after a short while? Bob

  5. Re:Not to worry then by wrldwzrd89 · · Score: 3, Interesting

    I agree with everyone else. This is nothing more than a Trojan Horse - and in order to do anything meaningful it needs lots of privileges, like becoming root. There's nothing seriously worrying in this (Mac OS X is STILL without a virus), because, as mentioned in the article, all the stuff it does can be reversed easily (even more easily if you clone your HD daily like I do).

  6. Re:All machines are vulnerable to this by asjk · · Score: 5, Interesting

    What about this assertion from the MacIntouch page?

    John C. Welch

    ...Using /Library/StartupItems/ for it shows some thought about Mac OS X. One of the problems with that directory is that, while items in it run as root prior to login, you don't have to be root to create startup items in that directory, nor do they have to be owned by root to run. Any admin user can use this directory to create startup items that will run as root. That's a weakness that hopefully will get fixed. ...

    Could a Trojan be written to trick the user into installing a StartUp Item?

  7. I looked up "virus for the Mac" by adzoox · · Score: 5, Interesting

    ... and came up with Intego and FUD.

    Make no doubt about it. There is a French company that writes Mac software called Intego.

    THEY ARE the ones spreading this new rumor, just as they spread the "trojan horse" myth a few months back.

    It's time to sell some more software - so it's time to spread some more FUD.

    A previous story I had done on this

    --
    Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny

  8. Similar to the "so-called" vulns. in WordPress by Laebshade · · Score: 4, Interesting

    As you already pointed out, you have to have root access to the machine, then install a root kit. This is just a bunch of FUD similar to the ruckus over the so-called WordPress vulnerabilities that were reported last month. Yes, they allowed you to redirect to any URL as part of a seemingly innocent URL, but you have to be logged into WordPress to exploit them. Highly overrated as a severe security vulnerability.

  9. The vector is social engineering by tonyray · · Score: 2, Interesting

    Social engineering is one of the hacker's most important tools. As long as Mac users believe they are immune to viruses, worms, etc., they are easy targets for social engineering. So email-borne attachments, even if they require you to enter the root password to execute, are waiting to descend on this overly smug group of computer users.

  10. Did anyone notice how nicely it's commented? by peteMG · · Score: 3, Interesting

    .. Almost like they were tailoring it to an audience of scripting newbies. It even comes with a readme. It's like the iHack of rootkits. The source has great stuff like
    echo "nidump the password file"
    echo #lets grab this now in case anything goes wrong
    /usr/bin/nidump passwd .
    echo ""
    /usr/bin/nidump passwd /
    and
    # append some commands to the cron scripts
    # since both routines are checking the last line of the file they should not be using the same
    # file as they will both just keep appending!
    I'm surprised they didn't pop up a nice helpful dialog box if the script is killed - something like "For your information, your Mac has been taken over by another user. You may want to do some reading on security and protecting yourself. [OK]"
  11. Re:All machines are vulnerable to this by Anonymous Coward · · Score: 1, Interesting

    Maybe you should calm down and listen to the man's post.
    this payload
    Read: the "useless" script.
    with the propagation engine of a win32 worm
    Read: IP-scanning algorithms from Win32 worms
    and an OS X security exploit or 3?
    Read: buffer overflows from OS X (which DO exist)

    So, in summary: dumb script + IP scanner + OS X buffer overflows... Bad news. Yes, it IS possible that someone could put the three together in an automated, self-propagating worm.

  12. I call Shenanigans... by Anonymous Coward · · Score: 2, Interesting

    I rank this up there with the story of the guy calling tech support because his computer won't turn on when the power is out...this person is too stupid to own a Macintosh!

    Posted this to MacInTouch as well:

    I think this guy got hacked. My guess is this user (1.) did not apply security patches (especially sshd patches) through Software Update in a timely fashion, (2.) used an admin (or root) password that was not a strong password, or (3.) transmitted their admin or root password via plain text and it was intercepted.

    Everything the user describes happening to his system is indicative of an intrusion scheme not a virus scheme. I am a bit surprised (only slightly) that MacInTouch would even post this type of hysteria-laced story before doing some background checking of their own. Shows journalistic irresponsibility and poor knowledge of technical issues on their part.

    __________________________
    Jason Lockhart
    Director of HPC and Technology Innovation
    Associate Director, Virginia Tech Terascale Computing Facility

    College of Engineering
    Virginia Tech

  13. Re:I was wrong. Oops by Bishop · · Score: 3, Interesting

    By default sudo (on all *nix systems) is configured to only request a password once within a set time period. (Read the man page for details.) It would be possible for a piece of smart malware to wait for the user to issue a sudo command. After the sudo ticket has been issued the malware could use sudo to gain root access without a password.

    I do not know how this affects OSX. Some preference controls and updates require a password similar to sudo, but I do not know if sudo is used.

  14. Re:Now the script kiddies have it by arminw · · Score: 2, Interesting

    A person who has administrator privileges by definition can do *anything* to that computer. That is why on our Macs there is only ONE person who has admin priv. So when ordinary users want to do certain things that could be dangerous, they simply can't. Anyone who knows the admin password should be knowledgeable enough about computers not to wantonly install any unsolicited files. The basic rule is really very simple: if you did not initiate the transaction, don't give the password. I have gotten plenty of "phishing" e-mails, but by simply following that rule religiously, I have never been tricked by even the most clever schemes to give out any useful information.

    --
    All theory is gray

  15. Could this be fixed in bash and the kernel? by Admiral+Burrito · · Score: 2, Interesting

    It might be wise for Bash and other script interpreters to refuse to execute scripts that are in any way writable by other users. You almost never want to do that; it's a security problem by its very nature. This would incur some additional overhead of having to stat the file and its parent directories up to /, but those inodes probably have to be read anyway as part of the normal unix permissions system.

    A similar check could be added to the kernel, for regular executables (binaries and #! scripts).

    Of course, it should be possible to selectively turn this off for those special cases when you really do trust the other user.