Slashdot Mirror


'Opener' Malware Targets OS X

the_webmaestro writes "Macintouch.com is covering the "opener" malware, a new and potential vulnerability which affects Mac OS X. If true (it's not on HoaxBusters yet), this could become a Mac user's worst nightmare... Worse even than Microsoft Word macro viruses (heretofore the only real 'viruses' which threatened Mac users)! Normally, when ever I'd see virus alerts, I'd revel in the fact that as a Mac user, I was immune (except for the slow-down of the net, the loss in productivity of my colleagues, and the increase in SPAM--often coming from my friends and colleagues). [Sigh] Perhaps, my days of telling friends and family that there are no viruses for Macs may be coming to an end. There have been stories."

8 of 400 comments (clear)

  1. FUD... by nordicfrost · · Score: 4, Interesting

    This is lame. A script! -this is Slashdot, you should know tthe possibilities of bash scripting. Besides, it doesn't even spread itself, don't hide its tracks...

  2. Re:I am not too concerned by j-pimp · · Score: 4, Interesting

    Root is disabled by default on all shipping Mac's and if anyone has physical access to your machine then you are in serious trouble anyway. Right, but the initial setup of every shipping mac out there has the user create an administrative account on there machine. This person can run sudo to execute a root command. The password prompt you get before installing most mac software runs sudo. So an install program effectively runs as root and if the install program silently added this script to your system then it would run.

    --
    --- Justin Dearing http://www.justaprogrammer.net/ We're just programmers.
  3. Re:Not to worry then by wrldwzrd89 · · Score: 3, Interesting

    I agree with everyone else. This is nothing more than a Trojan Horse - and in order to do anything meaningful it needs lots of privileges, like becoming root. There's nothing seriously worrying in this (Mac OS X is STILL without a virus), because, as mentioned in the article, all the stuff it does can be reversed easily (even more easily if you clone your HD daily like I do).

  4. Re:All machines are vulnerable to this by asjk · · Score: 5, Interesting
    What about this assertion from the MacIntouch page?

    John C. Welch

    ...Using /Library/StartupItems/ for it shows some thought about Mac OS X. One of the problems with that directory is that, while items in it run as root prior to login, you don't have to be root to create startup items in that directory, nor do they have to be owned by root to run. Any admin user can use this directory to create startup items that will run as root. That's a weakness that hopefully will get fixed. ...

    Could a Trojan be written to trick the user into installing a StartUp Item?

  5. I looked up "virus for the Mac" by adzoox · · Score: 5, Interesting

    ... and came up with Intego and FUD.

    Make no doubt about it. There is a French company that writes Mac software called Intego.

    THEY ARE the ones spreading this new rumor, just as they spread the "trojan horse" myth a few months back.

    It's time to sell some more software - so it's time spread some more FUD.

    A previous story I had done on this

    --
    Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
  6. Similar to the "so-called" vulns. in WordPress by Laebshade · · Score: 4, Interesting

    As you already pointed out, you have to have root access to the machine then install a root kit. This is just a bunch of FUD similar to the ruckus the so-called WordPress vulernabilities that were reported last month. Yes, they allowed you to redirect to any url as part of a seemingly innocent url, but you have to be logged into WordPress to exploit them. Highly overrated as severe security vulnerability.

  7. Did anyone notice how nicely it's commented? by peteMG · · Score: 3, Interesting
    .. Almost like they were tailoring it to an audience of scripting newbies. It even comes with a readme. It's like the iHack of rootkits. The source has great stuff like
    echo "nidump the password file"
    echo #lets grab this now in case anything goes wrong
    /usr/bin/nidump passwd .
    echo ""
    /usr/bin/nidump passwd /
    and
    # append some commands to the cron scripts
    # since both routines are checking the last line of the file they should not be using the same
    # file as they will both just keep appending!
    I'm surprised they didn't pop up a nice helpful dialog box if the script is killed - something like "For your information, your Mac has been taken over by another user. You may want to do some reading on security and protecting yourself. [OK]"
  8. Re:I was wrong. Oops by Bishop · · Score: 3, Interesting

    By default sudo (on all *nix systems) is configured to only request a password once within a set time period. (Read the man page for details.) It would be possible for a piece of smart malware to wait for the user to issue a sudo command. After the sudo ticket has been issued the malware could use sudo to gain root access without a password.

    I do not know how this affects OSX. Some preference controls and updates require a password similar to sudo, but I do not know if sudo is used.