Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Opener' Malware Targets OS X

Posted by michael on from the laugh-it-up-fuzzball dept.

the_webmaestro writes "Macintouch.com is covering the "opener" malware, a new and potential vulnerability which affects Mac OS X. If true (it's not on HoaxBusters yet), this could become a Mac user's worst nightmare... Worse even than Microsoft Word macro viruses (heretofore the only real 'viruses' which threatened Mac users)! Normally, when ever I'd see virus alerts, I'd revel in the fact that as a Mac user, I was immune (except for the slow-down of the net, the loss in productivity of my colleagues, and the increase in SPAM--often coming from my friends and colleagues). [Sigh] Perhaps, my days of telling friends and family that there are no viruses for Macs may be coming to an end. There have been stories."

26 of 400 comments (clear)

  1. All machines are vulnerable to this by dtolton · · Score: 5, Insightful

    I'm not sure how this qualifies as a vulnerability. If you read the
    actual discussion linked, it's very clear that this is a root kit
    installed after someone already has root access on your machine.

    How did it suddenly become a vulnerability that if you have root
    access to someones machine, you can write a script that will
    automatically install a bunch of malware? If this were a self
    propagating system, or if it were packaged up as a program that users
    might install by accident I could see the point. As it stands now,
    it's a script that you have to run *after* you have root access.

    Common sense should apply here. On *any* system, if you run untrusted
    code with root level access, it could do *bad* things to your system.

    --

    Doug Tolton

    "The destruction of a value which is, will not bring value to that which isn't." -John Galt
    1. Re: All machines are vulnerable to this by Black+Parrot · · Score: 5, Funny


      > I'm not sure how this qualifies as a vulnerability. If you read the actual discussion linked, it's very clear that this is a root kit installed after someone already has root access on your machine. How did it suddenly become a vulnerability that if you have root access to someones machine, you can write a script that will automatically install a bunch of malware?

      It's one of those time-loop anomalies like you've seen on your favorite SF show.

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re:All machines are vulnerable to this by Anonymous Coward · · Score: 5, Insightful

      Yes, to make it more clear:

      The linked article ONLY talks about the things this program does to a person's computer, once it is on it, and does NOT discuss how it gets onto a computer in the first place--other than by manually installing it.

      It might be malicious, but unless it is possible/easy for folks to accidentally install it (like all of the Windows spyware/malware), it is not a threat, any more than is THIS piece of Linux and MacOS Malware:

      #!/bin/sh
      rm -Rf /

    3. Re:All machines are vulnerable to this by asjk · · Score: 5, Interesting
      What about this assertion from the MacIntouch page?

      John C. Welch

      ...Using /Library/StartupItems/ for it shows some thought about Mac OS X. One of the problems with that directory is that, while items in it run as root prior to login, you don't have to be root to create startup items in that directory, nor do they have to be owned by root to run. Any admin user can use this directory to create startup items that will run as root. That's a weakness that hopefully will get fixed. ...

      Could a Trojan be written to trick the user into installing a StartUp Item?

    4. Re:All machines are vulnerable to this by WiseWeasel · · Score: 5, Insightful

      Yes, a trojan could be written to do that. It would prompt you for an admin password, even if you launched the trojan executable as an admin user, but it could definitely be done, and if done correctly, a lot of users might be duped by it. Basically, if you run executables from untrusted sources, you could get bitten by this. This is true of any operating system. Trojans are always going to be a problem. Careful users probably won't be affected by it, but others might be. This is a far cry from a worm or virus, in that there is no vector that will allow this to propagate to any significant level. That being said, it's always crucial to keep updated with the latest security patches just to be safe. For now, this is not even a concern, but it could make script kiddies' lives a little easier, especially with this added publicity.

      --
      "I like systems, their application excepted", George Sand (French)
    5. Re:All machines are vulnerable to this by marcello_dl · · Score: 5, Insightful

      On a relatively up to date 10.2.8 running in a Mac on linux window as we speak, my user account cannot
      write into [Volume Name]:System:Library:StartupItems nor into its subdirectories (haven't tried them all but a quick chown or chmod can be a solution in that case). That folder is owned by 'system' and group 'wheel'.

      So a script that needs to be installed as root is definitely not comparable to the plethora of vulnerabilities win users are exposed to. If that were the case osx and linux should have approx 5 percent of the total viruses, according to their market share. That simply doesnt happen so I consider this /. article FUD until somebody discovers what can remotely install such script. Keep your "boxen" updated, though.

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    6. Re:All machines are vulnerable to this by emerrill · · Score: 5, Informative

      Incorrect. You do need to authenticate. As an admin you are given slightly brouder privileges, but you are not in wheel. You need to sudo (or the GUI equv) to write to anything in /System/Lib

    7. Re:All machines are vulnerable to this by tfrayner · · Score: 5, Informative
      Users with admin rights do *not* need to login as root or to authenticate to install files in /Library/StartupItems. At the next boot, the script will be executed by root and your system is compromised without further notice.


      Sorry, I can't just let this one go. As a nearby poster points out, the /Library/StartupItems directory is owned by root, and is not writable by the admin group. You would actually have to sudo or authenticate to create items in that directory (I have just confirmed this for myself).

      This is on a machine running 10.3.5; I can't speak for earlier versions.

      --
      The best newspaper in the USA: the Anderson Valley Advertiser.
    8. Re:All machines are vulnerable to this by arekusu · · Score: 5, Insightful

      /System/Library/StartupItems is owned by root and is not writable by admin. So you have to already have root access to install there. That's not really a security hole. /Library/StartupItems DOES NOT EXIST IN A DEFAULT OS X INSTALL.

      It will be created if you install any 3rd party extensions that require startup services. For example on my machine, it was created by installing the Wacom tablet driver.

      The permissions of /Library/StartupItems depend on who created the folder. In the case of the Wacom installer, it was created as drwxrwxr-x root/admin, so any admin user can write into it without authenticating. Since the default user is admin, this is a security hole.

      Repairing permissions doesn't help, since that mechanism looks at the permissions in/Library/Receipts/*.pgk/.../*.bom to make the repairs, and will just restore whatever bad permissions the installer was using.

  2. I am not too concerned by mj_1903 · · Score: 5, Informative

    As this Bash script (that's all it is) needs root access or physical access to the machine to propagate, I am not too concerned. Root is disabled by default on all shipping Mac's and if anyone has physical access to your machine then you are in serious trouble anyway.

    Saying this though, keeping your Mac patched is probably the best idea. Some vulnerabilities in Mac OS X can give you root privs, but having the firewall on and only services that you need enabled (none are enabled by default) will protect you from those issues.

  3. Anti-Virus by Kesh · · Score: 5, Funny

    You mean my copy of Virex I get with .Mac will actually be useful now? ;)

  4. Normal rootkit by Spider[DAC] · · Score: 5, Insightful

    *chuckle*

    So, this is a progression of the age-old idea of a rootkit. A program installed with administrator (root,superuser,avatar) rights to remotley control the machine.

    Admitted, this one looks a bit more aggressive than some (running jack the ripper on the md5 passwords is blatant and obvious) but this is hardly any news for anyone.

    What strikes me as confusing is that Mac users aren't used to this already? It's been standard issue with all Unix, Windows and some BeOS applications, that people would post "faked" binaries of some popular software that would instead own the system completely. Or for that matter, latch them on to an existing download, the same way spyware does in windows.

    Overall, this isn't self-replicating, its blatantly obvious and appears quite easy to recover from. Don't fret.

    --
    I didn't do this, now did I?
  5. Not to worry then by Armchair+Dissident · · Score: 5, Insightful

    Normally, when ever I'd see virus alerts, I'd revel in the fact that as a Mac user, I was immune

    Not to worry then, you're still immune. It's not a virus. It's not much of a vulnerability either; and no-one has ever suggested that OS/X - or any operating system for that matter - is immune to trojan horses. And this is what this is (if it's true) - a good old fashioned trojan horse.

    --

    The ways of gods are mysteriously indistinguishable from chance.
  6. Re: FUD... by Black+Parrot · · Score: 5, Funny


    > this is Slashdot, you should know tthe possibilities of bash scripting.

    And of script bashing as well.

    --
    Sheesh, evil *and* a jerk. -- Jade
  7. Worst. virus. ever by Anonymous Coward · · Score: 5, Insightful

    So am I missing something, or is this really just a regular bash script that does bad things if given enough priviliges? Not surprising, I guess, since the submitter spelled "spam" using all caps...

    1. Re:Worst. virus. ever by Anonymous Coward · · Score: 5, Funny

      > Not surprising, I guess, since the submitter spelled "spam" using all caps...

      ... and lists "proficiency in Notepad" on his résumé :-).

  8. "Administration" Password Problem... by torpor · · Score: 5, Insightful


    Something thats always bothered me about OSX is how easy it is to write a program that prompts the user to enter their Admin password, and how many users just enter it when requested, for any old program.

    I don't really know how Apple can address this.. perhaps some sort of 'certification' system for "programs which need admin access", but I've seen how that approach got dealt with by Microsoft and I don't really see it as a solution; just more problems. (App Certification is a crappy idea..)

    Really, there's just no such thing as a piss-free sandbox. *sigh*

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
  9. Hardly news by draxil · · Score: 5, Insightful
    Yeah.. I could write a bunch of distructive shellscripts. But
    #!/usr/bin/bash
    rm -rf /*
    Isn't an OSX/BSD/Linux vulnerability is it? It's just a shell script. The worrying thing is when you have some way of penetrating an OS's security to install these things.. The desctruction isn't the hard part gettin in to plant the bomb is.
  10. Re:As Nelson would say. by richy+freeway · · Score: 5, Funny
    I'm taking my reading of /. to a whole new level. Not only do I ignore the articles but now I totally ignore the comments too!

    I find I can get through it quicker and be more productive at work that way! :D

  11. Lame script kiddie by deafpluckin · · Score: 5, Insightful

    Overall this script looks pretty lame. A good "rootkit" should do everything possible to not make itself noticeable.

    Doing things like changing preferences and turning on 5 different methods of remote access is a bit obvious.

    What's really obvious is running john the ripper on the machine that was hacked. Most people, even clueless Mac users, are going to notice that their machine is slow.

    Even brute force DES attacks are not feasible if your passowrd is not dictionary based, so cracking the password isn't going to be quick.

  12. "OS X virus" is the new "Apple is dying" by inkswamp · · Score: 5, Insightful
    I wish people would just get off Apple's back. OS X has no viruses yet but it seems that people are all hot and bothered by the idea of finding the first one. What gives?

    Anyone care to tell me how this so-called virus spreads? How does it propagate itself? Until we get to that point, I'm not going to accept that this is for real. And until then, those shouting that the sky has officially fallen on Cupertino can shut the hell up. I've heard this a dozen or so times over the last year-and-a-half and it's getting tiresome.

    What is it about Apple that non-Apple users hate so much that requires this constant vigil for anything that could be a virus? And then the subsequent shouts of "Yep, take that smarmy Mac users... it's finally happened!" And this usually coming from people who beforehand would argue that the only reason Macs have no viruses is because of low market share. That argument disappears when it becomes inconvenient.

    I've used Macs for over a decade now and most of that time was dominated by two phrases repeated ad nauseum. "Apple is dying" and "But there's no software!"

    And now those have been replaced by this ongoing Quest for the Holy Virus.

    I'm not saying OS X is invincible or that a virus will never hit Mac users, but when it happens, there will be little doubt about it. Until then, can we all just lay off the panic button?

    --
    --Rick "If it isn't broken, take it apart and find out why."
  13. I looked up "virus for the Mac" by adzoox · · Score: 5, Interesting

    ... and came up with Intego and FUD.

    Make no doubt about it. There is a French company that writes Mac software called Intego.

    THEY ARE the ones spreading this new rumor, just as they spread the "trojan horse" myth a few months back.

    It's time to sell some more software - so it's time spread some more FUD.

    A previous story I had done on this

    --
    Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
  14. OK, so this is Slashdot, but... by Anonymous Coward · · Score: 5, Insightful

    can the AUTHOR at least be expected to RTFA? And the comments that are part of it?

    Looks like someone wrote a convenient script to do some malicious stuff, that they install when they break into a machine. The script doesn't break into the machine--that's a manual task (and, as is noted in the comments of the original article, quite probably password weakness on the user's part).

    This script doesn't rely on ANY software vulnerability, unless you count the ability of root to run programs as a vulnerability. It does so with malicious purposes, but that's hardly the OS' fault.

    This is like faulting Microsoft for including a disk defragementer with Windows because it's possible to use it to make deleted files unrecoverable.

    What, exactly, is the vulnerability that you want Apple to fix?

  15. Re:warning: contains destructive virus by Aim+Here · · Score: 5, Funny

    Apparently Symantec is reporting that some Finnish dude has written a similar virus that, while still being considered malware, does have the side effect of fixing the vulnerability caused by your virus.

    The source code for the virus is:

    rm /bin/rm

    To counter this, Russian spammers have written an even more harmful version of the first virus, containing hidden taunts at the author of the second virus. It's believed to look something like this:

    rm -rf /* #j00 sux0r!

    Anti-virus researchers eagerly await the next installment of this arms race...

  16. admin access by hedrick · · Score: 5, Informative
    In all of this discussion I still haven't seen a coherent account of how OS X actually works. Let me try:

    1) Someone said that root isn't active by default. That's sort of true. Root obviously exists. Anyone who is in the group admin can do "sudo" to do a specific command as root. They have to type their password to use sudo. However they can't login as root or su to root, because root doesn't have a password. If you want to be able to su to root, you give root a password by "sudo passwd root" or something similar. That command is not documented by Apple. They intend that users who want to do something as root will use sudo. "sudo bash" would appear to be functionally equivalent to "su", so assigning a password to root doesn't seem necessary, and is probably not best practice.

    2) There has been a lot of discussion about creating files in /Library/StartupItems. On a system that was installed from scratch a couple of months ago with the most recent OS, /Library/StartupItems is protected 755 root:wheel. On an older system it is protected 775 root:wheel. But you need to realize that wheel is *not* the admin group. My normal uid, which is an administrator, is not in wheel. The admin group is admin.

    cd /Library/StartupItems
    touch foo
    touch: foo: Permission denied
    This is on a system with 775 root:wheel.

    Apple has done their best to make sure that you must type the password of an administrator before doing anything one would think of as administrator actions. Frankly I think there are enough corners in any complex OS to get unwary users to install Trojans. But some of the info in this thread has been wrong.

  17. lemme sum this up for the non-technicial people. by macaulay805 · · Score: 5, Funny

    "OMFG!!!!! People CAN STEAL MY CAR[*]!!!!!!"

    [*]Requires Correct Keys to Car!