By Munir Kotadia, 25 October 2004 09:25
NEWS A new script-based virus that spies on Apple Mac users was discovered over the weekend. The malware, which has been dubbed ‘Opener’ by Mac user-groups, disables Mac OS X’s built-in firewall, steals personal information and can destroy data.
Security experts say these traits are common among the thousands of viruses targeting Microsoft's ubiquitous Windows operating system but are virtually unheard of amongst the Apple Macintosh community.
Paul Ducklin, Sophos' head of technology in the Asia Pacific, said the virus, which Sophos calls Renepo, is designed to infect any Mac OS X drives connected to the infected system and it leaves affected computers vulnerable to further hacker attack.
Ducklin said Opener disables Mac OS X's built-in firewall, creates a back door so the malware author can control the computer remotely, locates any passwords stored on the hard drive and downloads a password cracker called JohnTheRipper.
According to Ducklin, Opener tries to spread by copying itself to any drive that is mounted to the infected computer. This could be a local drive, part of a local network or a remote computer.
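The propagation behaviour described above (a script copying itself onto any volume that is mounted) is the kind of change a file-integrity baseline catches. The following is an added illustration of that defensive check and is not code from the article, from Sophos, or from any of the people quoted; the volume layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256 hex digest} for every regular file under root.

    Symlinks are skipped so a link pointing outside the volume cannot pull
    foreign content into the snapshot.
    """
    root = Path(root)
    snapshot = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snapshot[str(path.relative_to(root))] = digest
    return snapshot


def diff_snapshots(before, after):
    """Classify the differences between two snapshots of the same volume."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: snapshot a mounted volume, then an unexpected
    shell script appears on it and an existing file is altered."""
    with tempfile.TemporaryDirectory() as mount_point:
        vol = Path(mount_point)
        (vol / "Library").mkdir()                       # hypothetical volume layout
        (vol / "Library" / "notes.txt").write_text("baseline content\n")
        before = hash_tree(vol)

        # Simulate a script being dropped onto the volume and a file being tampered with.
        (vol / "Library" / "unexpected.sh").write_text("#!/bin/bash\necho placeholder\n")
        (vol / "Library" / "notes.txt").write_text("altered content\n")
        after = hash_tree(vol)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be taken when the volume is known-clean and stored off the volume, and the comparison run whenever the volume is mounted on another machine; any entry under "added" or "modified" that nobody can account for is worth investigating.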
Most worryingly, according to Ducklin, this could be the start of a spate of viruses that use Mac OS X's scripting features against its users.
"The existence of Unix shells - such as Bash, for which this virus is written - and the presence of powerful networking commands opens up the game a little bit for Mac users. It is no longer necessary to know about Mac file formats or executables; you can write your malware in script, and if you really wanted to you could probably write a portable virus that would run on many flavours of Unix [and Mac]," said Ducklin.
Chris Waldrip, president of the US-based Atlanta Macintosh Users Group, posted a detailed description of Opener on the MacInTouch website.
According to Waldrip, who admits the virus has him "a bit spooked", Opener seems to have started out with a "legitimate purpose" but has now been developed into a replicating piece of malware.
"I'm not sure how this could be guarded against," he said.
Mikko Hyppönen, director of antivirus research at F-Secure, said that viruses targeting the Macintosh system virtually disappeared in the late 1980s.
"Things have been really quiet on Macintosh-front, virus-wise. Back in the late 1980s, viruses used to be a much bigger problem on Macs than on PCs. We here at F-Secure used to have an antivirus product for Mac but discontinued it after the macro viruses died out," said Hyppönen.
Symantec said users of Norton AntiVirus for Mac OS X were protected as long as they had updated their signatures over the weekend. A spokesperson for the company said the relevant signature files had been available since Friday evening.
Munir Kotadia writes for ZDNet Australia.

Comments
There are 8 comments.
1. Lies Lies
Let me see if I have this right...
Someone wrote a script that does various things.
They included documentation explaining what the program does.
They made no effort whatsoever to disguise the program in any way - and in fact they are practically shouting it's features in a public forum. http://freaky.staticusers.net/ugboard/viewtopic.php?t=10712&postdays=0&postorder=asc&start=0
Anyone may download said program and run it on their OS X computer if they wish (why they would is a bit mystifying though) at no charge.
Someone did in fact download and run the program and discovered that it did exactly what it said it would do... that someone then posted to a certain forum that said program is a virus. http://macintouch.com/opener.html
Media falls for "virus" post hook, line and sinker and blows the whole thing grossly out of proportion.
Anti-virus companies jump on the band-wagon seeking to bilk Mac users out of some money in exchange for protection from... what? Themselves?
You're all a little crazy if you ask me.
2. anonymous
It's not really a virus: it's a Trojan root-kit. In order for Opener to work, you have to have administrator access and then have to authorise it to install itself with administrator rights. It has no real ability to self-propagate either. In other words it's social engineering hacking: what defence is there against that except educating users or having an artificial intelligence for an OS to monitor everyone's activity?
3. Michael Fischer
This is almost certainly not a virus. It would more likely be a garden variety trojan horse that is installed by a bit of free/shareware someone downloaded. Or the result of an internet breakin. See discussion at MacIntouch.
To do the activities described would require at least administrator privilege, which means that at some point the victim would have answered yes and given a password (another danger, since malware could always fake the password dialog anyway, sending the password and IP back to whoever launched the malware).
It could also be the result of someone breaking in to their machine, either by booting it from a cd (or iPod), or by internet.
It cannot spread on its own - it requires action by the user. This is one of the reasons that viruses are rare on OSX, and successful ones non-existent - the amount of damage is limited to the user files, and the ability to spread is not strong.
The lesson here is not to be first to download software from a source that you do not trust, and keep an eye on the user groups to see if anyone spots problems. Be especially careful of software that requires you to give a password to install.
4. Jen Inloes
"A new script-based virus"
Can you tell us what features of the opener script allow it to be classified as a virus?
"The malware, which has been dubbed ‘Opener’ by Mac user-groups, disables Mac OS X’s built-in firewall, steals personal information and can destroy data."
Where in the script does it destroy data or were you referring to the log files that it deletes?
Perhaps instead of saying that it "steals personal information" it would be more honest to say that it duplicates some files that may contain personal information and leaves those files where they could be accessed via a network connection.
"Paul Ducklin, Sophos’ head of technology in the Asia Pacific, said the virus, which Sophos calls Renepo, is designed to infect any Mac OS X drives connected to the infected system"
As far as I can see it will only attempt to infect a drive that has a valid OS X system installed on it, hard drives without a system are in no way affected.
"Ducklin said Opener disables Mac OS X's built in firewall, creates a back door so the malware author can control the computer remotely"
I can't find one line of the script that creates a backdoor for remote control. Can you show us the code in the script?
"According to Ducklin, Opener tries to spread by copying itself to any drive that is mounted to the infected computer. This could be a local drive, part of a local network or a remote computer."
I challenge Mr. Ducklin to take two OS X systems out of the box, install this script on one, turn on sharing on the second one and list all the steps he would have to go through for the script to be able to successfully infest the second computer. (While he's at it perhaps he would list the steps he had to go through to install the script on the first one as well.)
"Most worryingly, according to Ducklin, this could be the start of a spate of viruses that uses Mac OS X’s scripting features against its users."
Since it isn't a virus I don't see the connection.
5. Ruprecht
Thank you Jen...finally someone who can offer up constructive and informative criticism of a piece rather than petty name calling and 'slagging off' of the journalist involved unlike Fred Bloggs and others:
http://management.silicon.com/government/talkback.htm?PROCESS=show&ID=20034529&AT=39125221-39024677t-40000033c
R
6. anonymous
This article is the true virus. It seems to be replicating its lies all over the Internet, infecting tech sites like this one first but finally infesting even general newswire stories. <disinfectant> THIS IS NOT A VIRUS!!!!!!! </disinfectant>
7. mig
RUPRECHT < IDIOT!
let's face it ruprecht - u are a complete AR$E-licker, always defending appallingly researched and written articles. Either you work for Silicon.com or you want to.
8. Martin Hill
I'm afraid Symantec's widely reported marketing material is misleading and self-serving (it would after all be surprising for them not to attempt to encourage the development of new market segments in light of Microsoft's competitive entry into the AV market).
Let's look at the statistics:
Microsoft Windows:
Viruses and Worms = 70,000+ (symantec.com)
Spyware programs = 78,000 (www.pestpatrol.com)
Burrowers = 40 (www.pestpatrol.com)
80% of PCs infected with spyware (webroot.com)
Last year alone (www.pestpatrol.com):
500 new Trojans
500 new keyloggers
1,287 new adware apps
40 burrowers
Mac OS X:
Viruses and Worms = 0
Spyware programs = 0
Adware = 0
Keyloggers = 0
Burrowers = 0
Trojans = 3
Rootkit = 1
Note that Trojans can't spread by themselves - they are bits of code that pretend to be something innocuous and need to be downloaded and opened by an authorised user. In the case of the three targeting Mac OS X, two are harmless while the third issues an rm -rf command if run by a user.
Note also the Rootkit discovered on a couple of OS X machines is a set of scripts that requires root access to be turned on (turned off by default on all Macs). The hacker also needs to know the root password and the malware has no mechanism of spreading and infecting other computers by itself.
Symantec's espousal of the theory of "Security through Obscurity" fails to explain the fact that the number 1 web server, open source Apache with around 69% marketshare has far fewer attacks (including viruses and worms) than Microsoft's IIS which comes in at only 21% marketshare (Netcraft.com). It also does not explain why the many flavours of Linux suffer from so many instances of malware despite having as small a marketshare as OS X.
31 vulnerabilities (mostly in open source components of Mac OS X) which were promptly patched by Apple do not constitute "increased attacks on OS X" as no attacks using any of these now closed vulnerabilities have been recorded.
John Gruber has a useful article on why Windows suffers so much malware:
http://daringfireball.net/2004/06/broken_windows
However, no software can be perfect and it would be foolish to say there won't eventually appear some malware targeting the 10 million+ OS X users out there - however, today is not that day. Mac OS X has been sitting untouched for 4 years now pretty much without blemish which speaks to a very impressive security story even if/when some effective malware appears. This would be a much more constructive issue for you to be writing about.
Martin Hill
Information Management Services
Curtin University of Technology
Western Australia