A malicious script that spies on Apple Mac users was discovered over the weekend. The malware, which has been dubbed 'Opener' by Mac user groups, disables Mac OS X's built-in firewall, steals personal information and can destroy data.
Security experts say these traits are common among the thousands of viruses targeting Microsoft's ubiquitous Windows operating system but are virtually unheard of amongst the Apple Macintosh community.
Paul Ducklin, Sophos' head of technology in the Asia Pacific, told ZDNet Australia that the malware, which Sophos calls Renepo, is designed to infect any Mac OS X drives connected to the infected system and it leaves affected computers vulnerable to further hacker attack.
Ducklin said Opener disables Mac OS X's built in firewall, creates a back door so the malware author can control the computer remotely, locates any passwords stored on the hard drive and downloads a password cracker called JohnTheRipper.
According to Ducklin, Opener tries to spread by copying itself to any drive that is mounted to the infected computer. This could be a local drive, part of a local network or a remote computer.
Most worryingly, according to Ducklin, this could be the start of a spate of malware that uses Mac OS X's scripting features against its users.
"The existence of Unix shells -- such as Bash for which Opener is written -- and the presence of powerful networking commands opens up the game a little bit for Mac users. It is no longer necessary to know about Mac file formats or executables you can write your malware in script and if you really wanted to you could probably write a portable virus that would run on many flavours of Unix (and Mac)," said Ducklin.
Chris Waldrip, president of the US-based Atlanta Macintosh Users Group, posted a detailed description of Opener on the MacInTouch Web site.
According to Waldrip, who admits the malware has him "a bit spooked", Opener seems to have started out with a "legitimate purpose" but has now been developed into a replicating piece of malware.
"I'm not sure how this could be guarded against," he said.
Mikko Hyppönen, director of antivirus research at F-Secure, said that viruses targeting the Macintosh system virtually disappeared in the late 80s.
"Things have been really quiet on Macintosh front, virus-wise. Back in the late 1980s, viruses used to be a much bigger problem on Macs than on PCs. We here at F-Secure used to have an antivirus product for Mac but discontinued it after the macro viruses died out," said Hyppönen.
Symantec said users of Norton AntiVirus for Mac OS X were protected as long as they had updated their signatures over the weekend. A spokesperson for the company said the relevant signature files had been available since Friday evening.
Munir Kotadia reported from Sydney for ZDNet Australia. For more ZDNet Australia stories, click here.
Talkback
If this is a virus, why is there no mention of how it is transmitted?
If you follow the link to the Chris Waldrip posting, you will notice that none of the people who comment on the "virus" posting think it is a virus. Rather it seems like a cracker manually breaking into the system.
It seems like poor journalism to put up an article on a "virus" without having identified the information about viruses that a uses actually needs, how it spreads and thus how it could get onto your machine.
So if I write a program that for instance,
- deletes files from a computer and
- I then include documentation such as a read me or messages in the program itself stating very clearly that the program can delete your files and
- documentation telling you how to run the program for the purposes of deleting your files and
- just for the sake of argument let's say I call the program Finder, will you idiots in the press call it a virus too?
And will the anti-virus company spokespersons be labeling it a worm since after all, Finder can copy itself...
Is there anyone in the press (or the anti-virus industry) that has ANY CLUE at all?
"There has been a security alert about malware that targets computers running Apple's OSX"
The opener script does not target anything, it can not install itself. A human may target someone's OS X computer, crack it and then install the script but the important thing to remember is that the person must already have access.
"The malware, which has been dubbed 'Opener' by Mac user groups, disables Mac OS X's built-in firewall, steals personal information and can destroy data."
It copies personal information in the form of passwords and preference files to another location on the same hard drive where those files are accessible via network connections. The only data files destroyed by the script are log files - no other personal data files are deleted.
"Ducklin said Opener disables Mac OS X's built in firewall, creates a back door so the malware author can control the computer remotely"
It does not create a backdoor. It turns on some of the standard sharing services that are part of the operating system.
"Opener tries to spread by copying itself to any drive that is mounted to the infected computer. This could be a local drive, part of a local network or a remote computer."
Opener only tries to copy itself to drives that appear to have the OS X System installed. Opener can not copy itself to a network volume. First, the script runs at startup so the network volume would have to be mounted before any user has logged in. Second, the network volume would have to be the root directory of a hard drive - which OS X will not share by default and there is no option within the OS X GUI to do so. Last, Apple's file sharing will not allow root to login to a remote computer and no matter what the user has logged in as, they will not have write access to /System/Library/StartupItems on the remote volume. OPENER CAN NOT COPY ITSELF TO NETWORK VOLUMES, THE ANTIVIRUS COMPANIES ARE BEING DISHONEST WHEN THEY SAY THAT IT CAN.
"viruses targeting the Macintosh system virtually disappeared in the late 80s"
Try, "Virtually never appeared at all and there are currently ZERO viruses known to infect Mac OS X"
http://freaky.staticusers.net/ugboard/viewtopic.php?t=10712