Something to be aware of: “Opener” Malware

So, here are your choices. You can go to Macintouch now and read their discussion on what they're calling Opener malware, or you can wait until someone writes a half-assed "Nyah Nyah! Macs have viruses too!" article that will get picked up by every newspaper in the world. And News.com.

But I'd recommend the former, just so you get a better idea of what we're actually talking about.

Someone identified only as a "Macintouch Reader," however, writes in with a concern and invokes the V-word:

MacInTouch Reader
There's now a real virus out there for Mac OS X that can do some real damage. It doesn't seem to be too destructive, although it does delete some UNIX commands and modifies prefs for a couple of others. It will gather all password info on your machine. For now, let's call it "Opener."

My system was responding a bit slowly, and a check of my /var/log files showed that they were _all_ empty and had the same mod date. The Activity Monitor showed a process called "john" eating almost an entire processor.

Some further looking showed an unknown startup item in /Library/StartupItems/ called "opener". The executable file is a well-commented bash program. It scans for passwords for every user, processes the hashed info using your own Mac, turns on file sharing, and puts all this stuff into an invisible folder called .info in each user's Public folder.

It does much, much more but it's important that a warning get out quickly.


But you can get words out too quickly... especially if they're the wrong words. In fact, the next user, after doing a Google search, finds out that it's actually a script that has to be installed on a machine by a malicious user who already has an administrator password.

Additionally, Peter Gawlocki brings us this info:

This was posted earlier this year [March 28] ... Macintosh Underground Forum Index -> Security & Hacking -> Startup Script. Take a look at the file... and what it does. Note the second comment line.

# You need an admin level user name and password or physical access (boot from a CD or firewire, ignore permissions on the internal drive) to install this


I recommend reading the Macintouch article, which provides a lot of information on the script, what it does, and how to detect it, but it looks as though unless someone has physical access to the machine or an admin password, these scripts are unlikely to affect you.
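The symptoms in that reader report are concrete enough to check for by hand. What follows is an added example of my own, not code from the MacInTouch article or from the Opener script itself. It looks for the four indicators the reader named: the startup item at /Library/StartupItems/opener, a hidden .info folder in any user's Public folder, a /var/log full of zero-byte files that all share one modification time, and a running process named john. The root directory is an argument so the check can be pointed at a mounted disk image or a test tree, and the process list can be passed as a second argument for the same reason. The paths and the process name are taken from the reader's description and should be treated as assumptions, not as a definitive signature.

```shell
#!/bin/sh
# Added example: read-only indicator check for the "Opener" script, built from
# the symptoms in the MacInTouch reader's report. Not the Opener script, not
# MacInTouch's detection advice. ROOT defaults to "" (i.e. the live system).

# 1. The startup item the reader found under /Library/StartupItems.
check_startupitem() {
    root="${1:-}"
    [ -e "$root/Library/StartupItems/opener" ]
}

# 2. Hidden .info folders in each user's Public folder (the reported drop
#    location). Prints each one found; succeeds if at least one exists.
check_dropfolders() {
    root="${1:-}"
    found=0
    for d in "$root"/Users/*/Public/.info; do
        [ -d "$d" ] || continue
        echo "drop folder: $d"
        found=1
    done
    [ "$found" -eq 1 ]
}

# 3. Every file in /var/log zero bytes and carrying the same mtime, which is
#    what a single wipe of the logs looks like. Needs at least two log files
#    so a nearly empty fresh install does not trip it on its own.
check_wiped_logs() {
    root="${1:-}"
    first=""
    n=0
    for f in "$root"/var/log/*; do
        [ -f "$f" ] || continue
        n=$((n + 1))
        [ -s "$f" ] && return 1            # a non-empty log: not wiped
        if [ -z "$first" ]; then
            first="$f"
        elif [ "$f" -nt "$first" ] || [ "$f" -ot "$first" ]; then
            return 1                       # mtimes differ: not one wipe
        fi
    done
    [ "$n" -ge 2 ]
}

# 4. A process named "john" (the reader saw one pinning a CPU). Takes the
#    process list as $1 so it can be tested offline; otherwise asks ps.
check_john_process() {
    if [ $# -ge 1 ]; then
        ps_out="$1"
    else
        ps_out="$(ps -axo comm= 2>/dev/null)"
    fi
    printf '%s\n' "$ps_out" | grep -Eq '(^|/)john$'
}

# Runs all four checks, prints what was hit, and returns the number of
# indicators hit (0 means nothing found). Second argument: process list.
opener_indicators() {
    root="${1:-}"
    hits=0
    check_startupitem "$root" && { echo "startup item: $root/Library/StartupItems/opener"; hits=$((hits + 1)); }
    check_dropfolders "$root" && hits=$((hits + 1))
    check_wiped_logs "$root" && { echo "wiped logs: $root/var/log"; hits=$((hits + 1)); }
    if [ $# -ge 2 ]; then
        check_john_process "$2" && { echo "john process running"; hits=$((hits + 1)); }
    else
        check_john_process && { echo "john process running"; hits=$((hits + 1)); }
    fi
    return "$hits"
}

# Run as:  sh opener_check.sh /      (with no argument it only defines the functions)
if [ "$#" -gt 0 ]; then
    if opener_indicators "$1"; then
        echo "no Opener indicators under $1"
    else
        echo "indicators hit: $?"
    fi
fi
```

Two caveats a practitioner would add. The wiped-logs check alone is weak evidence, since a system that has just rotated its logs can look similar; it is the combination with the startup item and the drop folders that matters. And because the reader reports the script deleting and altering UNIX commands, the results of ps, ls and friends on the suspect machine itself cannot be trusted; run the check against the disk from a known-good boot (an install CD or FireWire target disk mode, which the script's own comment mentions as an installation route) by passing the mounted volume as the root argument.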

Of course, expect people to shortly equate this script with the vulnerabilities in Internet Explorer, which will (ahem) just go to show you that Macs are as insecure as PCs.



Bill's been using Macs since the late 80s. When he's not making smartass remarks to amuse Kirk Hiner, he enjoys fighting for the user.



Tags: Blogs, Apple


So what software installer surreptitiously installs this malware?

That would be useful information. I immediately checked my system for the files. None found fortunately....

There is no proof that *any* “installer” actually installs this. In fact, none probably does: the only person who has allegedly found this on their machine is one MacInTouch poster, and it probably got on his machine manually, or because of a weak password issue, or some other means.

This is NOT a virus, NOT a worm, and NOT even a “trojan” (a trojan is something that masquerades as one thing and does something else, usually undesirable; this script does exactly what it advertises...a “trojan” would be some OTHER installer that would also secretly put this script on your computer).

Additionally, there is NO way for this to spread or propagate in any automated fashion, making it completely worthless. The only reason this script is getting any attention at all is because it is targeted specifically at Mac OS X, and does Mac OS X-specific things; but at its heart, it’s nothing more than a UNIX shell script - one that needs to be MANUALLY INSTALLED by someone with admin/root or physical access to the machine!

Here’s a piece of Mac “malware” that’s just as “dangerous” as opener:

#!/bin/sh
sudo rm -rf ~

It deletes your home directory. Any mechanism that could be used to install “opener” - remember, admin/root or physical access - could be used to “install” the above script.

How about this one:

#!/bin/sh
sudo rm -rf /

That one attempts to erase your whole hard drive! There’s nothing “special” about the opener script just because it’s longer. Yes, it’s designed to “hide” from the user, but it’s nothing more than a hodgepodge of ideas from script kiddies (note the reason for the term “script kiddies”) on a “hacking” forum. Ooh, let’s get their Office serial number! Let’s kill off Little Snitch! So what? In order for this to even get on a machine, the machine *already has to be compromised*...and even IF there were a “trojan” that actually did install this, it would either be a.) something from an illegitimate source, posing as an updater or installer from something like a p2p network or a pirate/warez source, or b.) if it WAS from a “legitimate” source, the number of people that could potentially ever be affected would be statistically negligible because it would be discovered and shut down and/or removed.

No matter how “nasty” or clever a script is, it’s nothing more than a script. Anyone could write an application that did even worse things, and played sounds and flashed “YOU’RE AN IDIOT” on your screen every day at noon. But if it needs admin/physical access to install, and has NO MEANS of spread or propagation, it’s absolutely worthless.

I think this is a virus writer looking for help. That person is doing social hacking, looking for someone to show them a hole in the system where they can dig in.

No, it’s not “a virus writer”. It’s a group of people with spare time on their hands on a “hacker” forum:

http://freaky.staticusers.net/ugboard/viewtopic.php?t=10712

Nothing more. Sure, people would *like* to find a hole, but they’re not “looking for someone to show” them. And even if they are, they won’t find one, since Mac OS X ships by default with all ports closed, and that’s how the vast, vast majority of Mac OS X systems will always be. And when they DO have ports open, it will usually be for things like apache and OpenSSH, which receive intense scrutiny from the open source community. These kinds of exploits will always be relegated to being the novelties they are, completely useless because there’s no way for them to spread in any automated fashion.

Unfortunately, many people won’t understand this, and will think it’s some scary new virus when it’s nothing more than a shell script.
