Slashdot Mirror
'Opener' Malware Targets OS X
the_webmaestro writes "Macintouch.com is covering the "opener" malware, a new and potential vulnerability which affects Mac OS X. If true (it's not on HoaxBusters yet), this could become a Mac user's worst nightmare... Worse even than Microsoft Word macro viruses (heretofore the only real 'viruses' which threatened Mac users)! Normally, when ever I'd see virus alerts, I'd revel in the fact that as a Mac user, I was immune (except for the slow-down of the net, the loss in productivity of my colleagues, and the increase in SPAM--often coming from my friends and colleagues). [Sigh] Perhaps, my days of telling friends and family that there are no viruses for Macs may be coming to an end. There have been stories."
I'm not sure how this qualifies as a vulnerability. If you read the
actual discussion linked, it's very clear that this is a root kit
installed after someone already has root access on your machine.
How did it suddenly become a vulnerability that if you have root
access to someones machine, you can write a script that will
automatically install a bunch of malware? If this were a self
propagating system, or if it were packaged up as a program that users
might install by accident I could see the point. As it stands now,
it's a script that you have to run *after* you have root access.
Common sense should apply here. On *any* system, if you run untrusted
code with root level access, it could do *bad* things to your system.
Doug Tolton
"The destruction of a value which is, will not bring value to that which isn't." -John Galt
As this Bash script (that's all it is) needs root access or physical access to the machine to propagate, I am not too concerned. Root is disabled by default on all shipping Mac's and if anyone has physical access to your machine then you are in serious trouble anyway.
Saying this though, keeping your Mac patched is probably the best idea. Some vulnerabilities in Mac OS X can give you root privs, but having the firewall on and only services that you need enabled (none are enabled by default) will protect you from those issues.
You mean my copy of Virex I get with .Mac will actually be useful now? ;)
This is lame. A script! -this is Slashdot, you should know tthe possibilities of bash scripting. Besides, it doesn't even spread itself, don't hide its tracks...
*chuckle*
So, this is a progression of the age-old idea of a rootkit. A program installed with administrator (root,superuser,avatar) rights to remotley control the machine.
Admitted, this one looks a bit more aggressive than some (running jack the ripper on the md5 passwords is blatant and obvious) but this is hardly any news for anyone.
What strikes me as confusing is that Mac users aren't used to this already? It's been standard issue with all Unix, Windows and some BeOS applications, that people would post "faked" binaries of some popular software that would instead own the system completely. Or for that matter, latch them on to an existing download, the same way spyware does in windows.
Overall, this isn't self-replicating, its blatantly obvious and appears quite easy to recover from. Don't fret.
I didn't do this, now did I?
Normally, when ever I'd see virus alerts, I'd revel in the fact that as a Mac user, I was immune
Not to worry then, you're still immune. It's not a virus. It's not much of a vulnerability either; and no-one has ever suggested that OS/X - or any operating system for that matter - is immune to trojan horses. And this is what this is (if it's true) - a good old fashioned trojan horse.
The ways of gods are mysteriously indistinguishable from chance.
So am I missing something, or is this really just a regular bash script that does bad things if given enough priviliges? Not surprising, I guess, since the submitter spelled "spam" using all caps...
I don't think it's as much of a real vulnerability as it is Macintouch.com being mesmerized by looking at the code in the "new" exploit.
:(){ :|:& };:
#!/bin/bash
Oooooooh, trippy code!
It would be cool if it didn't suck.
Something thats always bothered me about OSX is how easy it is to write a program that prompts the user to enter their Admin password, and how many users just enter it when requested, for any old program.
I don't really know how Apple can address this.. perhaps some sort of 'certification' system for "programs which need admin access", but I've seen how that approach got dealt with by Microsoft and I don't really see it as a solution; just more problems. (App Certification is a crappy idea..)
Really, there's just no such thing as a piss-free sandbox. *sigh*
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
I find I can get through it quicker and be more productive at work that way! :D
Overall this script looks pretty lame. A good "rootkit" should do everything possible to not make itself noticeable.
Doing things like changing preferences and turning on 5 different methods of remote access is a bit obvious.
What's really obvious is running john the ripper on the machine that was hacked. Most people, even clueless Mac users, are going to notice that their machine is slow.
Even brute force DES attacks are not feasible if your passowrd is not dictionary based, so cracking the password isn't going to be quick.
Anyone care to tell me how this so-called virus spreads? How does it propagate itself? Until we get to that point, I'm not going to accept that this is for real. And until then, those shouting that the sky has officially fallen on Cupertino can shut the hell up. I've heard this a dozen or so times over the last year-and-a-half and it's getting tiresome.
What is it about Apple that non-Apple users hate so much that requires this constant vigil for anything that could be a virus? And then the subsequent shouts of "Yep, take that smarmy Mac users... it's finally happened!" And this usually coming from people who beforehand would argue that the only reason Macs have no viruses is because of low market share. That argument disappears when it becomes inconvenient.
I've used Macs for over a decade now and most of that time was dominated by two phrases repeated ad nauseum. "Apple is dying" and "But there's no software!"
And now those have been replaced by this ongoing Quest for the Holy Virus.
I'm not saying OS X is invincible or that a virus will never hit Mac users, but when it happens, there will be little doubt about it. Until then, can we all just lay off the panic button?
--Rick "If it isn't broken, take it apart and find out why."
Yes, there were viruses in the pre-OS X days. But the crappy article summary was obviously talking about OS X. Do you have any examples of OS X viruses? Without one, you have no point, and sound like a troll.
Sure, virus scanners are proof of viruses. It's definitely not possible that the company behind VirusBarrier is just trying to trick people into buying a product they don't need. Because corporations don't want profit, right? They'll just try to justify the program's existence by adding features for non-virus stuff and claiming they're building an infrastructure for fast response if there ever is a virus. So mod parent down -1 Troll!
... and came up with Intego and FUD.
Make no doubt about it. There is a French company that writes Mac software called Intego.
THEY ARE the ones spreading this new rumor, just as they spread the "trojan horse" myth a few months back.
It's time to sell some more software - so it's time spread some more FUD.
A previous story I had done on this
Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
Go into Netinfo, enable root account. You can now log in as root.
Back when OS X was pretty new, lots of *nix illiterates used to think you had to be logged in as root to have all the administrative powers of the system. Lots of software would be broken by it, and shareware developers would be swamped by email by people saying "I'm logged in as root and your program doesn't work".
Vonal Declosion
Given the desire for American and European militaries to become much more mobile and urban-friendly, it would have made so much more sense to switch to a Volvo hatchback. The milage might not have been as good as they've been used to, though.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
can the AUTHOR at least be expected to RTFA? And the comments that are part of it?
Looks like someone wrote a convenient script to do some malicious stuff, that they install when they break into a machine. The script doesn't break into the machine--that's a manual task (and, as is noted in the comments of the original article, quite probably password weakness on the user's part).
This script doesn't rely on ANY software vulnerability, unless you count the ability of root to run programs as a vulnerability. It does so with malicious purposes, but that's hardly the OS' fault.
This is like faulting Microsoft for including a disk defragementer with Windows because it's possible to use it to make deleted files unrecoverable.
What, exactly, is the vulnerability that you want Apple to fix?
A rootkit for MacOS X! What ever shall we do now?
Seriously, a bash script is not a thing to cause terror and panic in the Mac community, except possibly in the folks with no Unix background who may not understand the implications.
Basically, this script can cause Bad Things to happen, but only if you are silly enough to run it in the first place. The actual exploit, as it is, would be one of social engineering (convincing you to run the malware), not a technical one.
That's pretty important. From what we've seen, this can't remotely attack you. There's no unpatched vulnerability in MacOS X that it can use to insert itself into a running system without your knowledge. Were this a worm with an appropriate method of spreading, that would be different. But it's not that far removed from the classic Unix honor system virus as it stands.
The risk, as far as I can see, is that plenty of Mac users are even less technical than a bad Windows user - because they haven't had to know what's under the hood of their shiny new Mac. So they're inclined to type their admin password for just about anything without checking at all first. But that's a user education problem more than a technical one.
When this gets tethered to a remote attack is when I start worrying about it.
-- Josh Turiel
"2. Do not eat iPod Shuffle."
Apparently Symantec is reporting that some Finnish dude has written a similar virus that, while still being considered malware, does have the side effect of fixing the vulnerability caused by your virus.
/bin/rm
/* #j00 sux0r!
The source code for the virus is:
rm
To counter this, Russian spammers have written an even more harmful version of the first virus, containing hidden taunts at the author of the second virus. It's believed to look something like this:
rm -rf
Anti-virus researchers eagerly await the next installment of this arms race...
As you already pointed out, you have to have root access to the machine then install a root kit. This is just a bunch of FUD similar to the ruckus the so-called WordPress vulernabilities that were reported last month. Yes, they allowed you to redirect to any url as part of a seemingly innocent url, but you have to be logged into WordPress to exploit them. Highly overrated as severe security vulnerability.
Most casual /. readers won't bother to read the article. Meanwhile they'll be telling everyone "d'ya hear about that Mac virus?". And the meme will spread regardless of the fact that this story is content free.
Doesn't it make you feel good to know that our freedoms are protected by politicans, lawyers and journalists.
1) Someone said that root isn't active by default. That's sort of true. Root obviously exists. Anyone who is in the group admin can do "sudo" to do a specific command as root. They have to type their password to use sudo. However they can't login as root or su to root, because root doesn't have a password. If you want to be able to su to root, you give root a password by "sudo passwd root" or something similar. That command is not documented by Apple. They intend that users who want to do something as root will use sudo. "sudo bash" would appear to be functionally equivalent to "su", so assigning a password to root doesn't seem necessary, and is probably not best practice.
2) There has been a lot of discussion about creating files in /Library/StartupItems. On a system that was installed from scratch a couple of months ago with the most recent OS, /Library/StartupItems is protected 755 root:wheel. On an older system it is protected 775 root:wheel. But you need to realize that wheel is *not* the admin group. My normal uid, which is an administrator, is not in wheel. The admin group is admin.
This is on a system with 775 root:wheel.Apple has done their best to make sure that you must type the password of an administrator before doing anything one would think of as administrator actions. Frankly I think there are enough corners in any complex OS to get unwary users to install Trojans. But some of the info in this thread has been wrong.
Hm, I remember you used to be able to write directly to /Library/StartupItems without sudo-ing.
/Library/StartupItems/ /System/Library/StartupItems/
That must have been changed with some security update in the last while, because in 10.3.6 they're both
drwxr-xr-x 6 root wheel 204 15 Oct 19:22
drwxr-xr-x 34 root wheel 1156 30 Sep 19:05
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
"OMFG!!!!! People CAN STEAL MY CAR[*]!!!!!!"
[*]Requires Correct Keys to Car!
There are all kinds of great malware delivery systems. It's just a matter of time. The Mac is no more exempt than Windows.
That's not true. Windows contains many components that operate on or are exposed to untrusted objects and are not inherently secure.
An inherently secure design is one in which there are no APIs that depend on the ability to perform trusted operations from potentially untrusted objects. The MS HTML control, for example, depends on tha ability for a document in the most trusted zone to launch arbitrary code without restructions. That means that if an attacker can get any application (ANY application that uses the HTML control) to open a document that's in that zone, it's in.
Fixing a vulnerability of this type requires modifying the definition of the trusted zone. The result is that previously working code breaks. So the vulnerability is only fixed when there's evidence that it's known and likely to be exploited.
Any time you have an inherently insecure design, you get this problem.
So. Mac OS X requires normal levels of vigilance to remain secure. The most likely exploit is the same as it has ever been: social engineering. If a guy comes up to the door and asks to come in on some flimsy excuse, do you invite him in? No. If someone in your office has a habit of inviting strangers into the back rooms, do you treat that as a problem? Yes. Apply the same level of caution on your computer, remind your co-workers if they seem likely to do something unwise, and you should be safe.
On Windows that's not true, because the design of IE and related applications is not inherently secure. It's like having a lock on your front door that will open if someone says "please".
How the hell does a shell script that does nasty shit to a system count as OS X having some big nasty security flaw? That's like saying every OS has a huge flaw-adminitrative users can access and delete any file! Holy shit, we're all doomed!
/. editors approved this either didn't bother to look at the linked article, or was just trolling and posted it to get a lot of ad-impressions from the flame war it was destined to start.
Whichever of the
You need two things to infect a computer: a communications channel you can compromise, and a mechanism to launch the malware.
Local communication channels come down to physical access: it doesn't matter if a computer system has firewire ports or not, for example, because firewire is a local resource. If you have physical access then you can compromise the computer... that's pretty much an axiom.
So you need to look at any remote communication channels that can be compromised, and if are there mechanisms that can be used to launch malicious code.
What incoming connections are accepted, then? Well, there's far fewer on just about any operating system than a Windows-based personal computer. So:
The number of transoms on a Mac is about the same as an average PC.
I don't know whether you're just counting physical ports (which is irrelevant), or you're suggesting that there's as many logical ports open on the Mac. If the latter, no, that's just not true. Windows installs and runs with half a dozen wide open ports, and you can not close them down without breaking basic functionality that the OS requires. The *only* way to secure it is with a firewall. What should be an extra protective layer... part of a defense in depth... becomes the whole of the security system.
I don't know any other operating system that leaves its fly open like this.
But IE is also available on the Mac
Irrelevant. It's got the same name, but it's not even vaguely the same program. IE on Windows is a thin wrapper about a core part of the OS... and that core part is almost criminally badly designed. IE on the Mac is a standalone application. As is IE on Solaris.
You get the same reaction every time people see a backdoor kit like this and immediately jump all the way to this proves 'other OS' is as open as Windows!. It ain't true, and it won't ever be true, until (and unless) Microsoft makes some deep and fundamental changes in Windows' networking and user interface design.