Destructive OS X malware spies on Apple users

By Munir Kotadia, ZDNet Australia
25 October 2004 12:25 PM
Tags: johntheripper, apple, virus, trojan, os, opener, osx, os10
A malicious script that spies on Apple Mac users was discovered over the weekend. The malware, which has been dubbed 'Opener' by Mac user-groups, disables Mac OS X's built-in firewall, steals personal information and can destroy data.

Security experts say these traits are common among the thousands of viruses targeting Microsoft's ubiquitous Windows operating system but are virtually unheard of amongst the Apple Macintosh community.

Paul Ducklin, Sophos' head of technology in the Asia Pacific, told ZDNet Australia that the malware, which Sophos calls Renepo, is designed to infect any Mac OS X drives connected to the infected system and it leaves affected computers vulnerable to further hacker attack.

Ducklin said Opener disables Mac OS X's built-in firewall, creates a back door so the malware author can control the computer remotely, locates any passwords stored on the hard drive and downloads a password cracker called John the Ripper.

According to Ducklin, Opener tries to spread by copying itself to any drive that is mounted to the infected computer. This could be a local drive, part of a local network or a remote computer.

Most worryingly, according to Ducklin, this could be the start of a spate of malware that uses Mac OS X's scripting features against its users.

"The existence of Unix shells -- such as Bash, for which Opener is written -- and the presence of powerful networking commands opens up the game a little bit for Mac users. It is no longer necessary to know about Mac file formats or executables; you can write your malware in script, and if you really wanted to you could probably write a portable virus that would run on many flavours of Unix (and Mac)," said Ducklin.

Chris Waldrip, president of the US-based Atlanta Macintosh Users Group, posted a detailed description of Opener on the MacInTouch Web site.

According to Waldrip, who admits the malware has him "a bit spooked," Opener seems to have started out with a "legitimate purpose" but has now been developed into a replicating piece of malware.

"I'm not sure how this could be guarded against," he said.

Mikko Hyppönen, director of antivirus research at F-Secure, said that viruses targeting the Macintosh system virtually disappeared in the late 80s.

"Things have been really quiet on the Macintosh front, virus-wise. Back in the late 1980s, viruses used to be a much bigger problem on Macs than on PCs. We here at F-Secure used to have an antivirus product for Mac but discontinued it after the macro viruses died out," said Hyppönen.

Symantec said users of Norton AntiVirus for Mac OS X were protected as long as they had updated their signatures over the weekend. A spokesperson for the company said the relevant signature files had been available since Friday evening.

Talkback 51 comments

    It's not a virus - you need ph ...Anonymous -- 25/10/04

    It's not a virus - you need physical access (or at least admin password) to put the scripts on the machine.

    I repeat - the only attack vector is physical access making this an extremely lame "security hole".

    Give me physical access to any computer and I can show you a security hole

    This is really, really old and ...Anonymous -- 25/10/04

    This is really, really old and nothing at all to worry about. It's a UNIX Shell script. It needs to be installed by someone with admin/root or physical access! (OR, the user has to be *tricked* into installing it via other means.) There is NO method of propagation, spread, or infection. There is no automated means to install it. It's not even a rootkit. In fact, it's the opposite of a conventional rootkit, since this doesn't obtain root access, it actually *requires* root access in order to be used.

    All in all, nothing very interesting here. A nifty script? Yes. But that's about it.

    Just because it tricks doesn't mean it's not malware Max Riethmuller -- 12/01/07 (in reply to #120109426)

    You say that "the user has to be *tricked* into installing it via other means."

    Sounds like malware to me. 90% of Windows malware gets onto a machine because the end user was tricked into downloading or opening something.

    Mac users are even less sophisticated, since they believe they are invulnerable, so will click anything.

    FALSE ALARM! Opener is not a v ...Anonymous -- 25/10/04

    FALSE ALARM!

    Opener is not a virus. It is a rootkit you install on the machine once you have taken control of it. This requires an admin account or physical access to an unprotected machine. Opener cannot take control of your Mac.

    SO? Max Riethmuller -- 12/01/07 (in reply to #120109427)

    Before Opener, Mac users delighted in telling everyone that even that wasn't possible.

    Personally sick of hearing how insecure windows is when dumb users infect themselves, but that it's apparently not Mac's fault when the same thing is possible on a Mac.

    Package the script right, and the dumb mac user can be tricked just as effectively as any dumb windows user.

    This is not a virus, I'm afrai ...Anonymous -- 25/10/04

    This is not a virus, I'm afraid. It has no way of spreading, no way of infecting a user's computer. It is only a shell script that does bad things if installed by someone with administrator access to the machine.

    Yes, that's right, you need to be an administrator and DELIBERATELY install this. How that conforms to anyone's definition of a "virus" is beyond my comprehension.

    Let's panic users by calling A ...Anonymous -- 25/10/04

    Let's panic users by calling AUTOEXEC.BAT a scripting virus also.
    Did ZDNet and the anti-virus companies actually read the Macintouch story or just the first panic from a clueless user.

    "I'm not sure how this could be guarded against,"

    How about not installing the script and giving it your root password when asked? Duh!

    All UNIX based systems and Windows based systems have scripting abilities. The problem here is that the Opener script has to be installed by a user with root admin access. It also doesn't have any method of propagation. On Windows, you don't even need root access to modify AUTOEXEC or the startup scripts.

    So, it requires root access, a stupid user with root access and doesn't spread. How is this a virus? Why is this news?

    The "Opener" can onl ...Anonymous -- 25/10/04

    The "Opener" can only be installed by someone with either physical access to the computer, or root access. In either case, it is not a software bug.

    NOT a virus. You people go pan ...Anonymous -- 25/10/04

    NOT a virus. You people go panicking people and the thing can't even be installed on a machine with out an administrator password. Anyone on any platform can manually install malware that will do nasty things. This is not a virus however. Quit spreading FUD.

    It's not a virus because it do ...Anonymous -- 25/10/04

    It's not a virus because it doesn't spread itself guys. Get your facts straight. It's a malicious script, not a 'virus' or 'trojan horse.'

    This is not a virus. You calle ...Anonymous -- 25/10/04

    This is not a virus.

    You called it a virus because you knew nobody would read your article otherwise...

    Agreed, this is not a virus. A ...Anonymous -- 26/10/04

    Agreed, this is not a virus. At best it could be considered a trojan horse if it's installed with a bogus piece of software.

    This cannot 'infect' a machine unless an administrator-level user authenticates during an installation, or if someone has physical access to the machine.

    Once infected though, it can be very hard to undo the damage. It's almost easier to simply backup your home folder, erase, and reinstall your software and applications.

    Like with any operating system, if a user installs software from an unknown source (bittorrent, edonkey, etc) then they are opening themselves to possible problems.

    PS - I've emailed Munir Kotadia with a clarification of my comments found on MacInTouch. I'm mostly spooked about the breadth of this malware. There's nary a stone unturned in these script kiddies' attempt to siphon as much information as possible out of a machine.

    again, i question your report ...Anonymous -- 26/10/04

    Again, I question your reporter's tech knowledge... last time one of your staff called a trojan horse a virus...

    Now you are calling a piece of malware that can not reproduce itself, unless you explicitly give it permission... a virus.....

    You have to actually tell this "virus" that it can have root access to your machine.... how many people do you think will click on "ok to install this spyware"???....

    That's what you'd have to do...... that isn't an effective virus, and you are doing people a disservice AGAIN by not telling the whole story...

    jon.

    Please do some proper research ...Anonymous -- 26/10/04

    Please do some proper research before posting an article like this. This is by definition not a virus since it can't spread by itself.

    Cannot spread itself, requires ...Anonymous -- 26/10/04

    Cannot spread itself, requires Admin privileges to install - this is tinkerware, a glorified keylogger, but not a virus.

    No reason to cease abandoning Windows yet...

    Do you actually know what a vi ...Anonymous -- 26/10/04

    Do you actually know what a virus is... You have to run this by hand to start it... it's not a virus or a trojan, just a script. A program, as valid as Word or Excel. It just does something you wouldn't like.

    This cannot reproduce itself a ...Anonymous -- 26/10/04

    This cannot reproduce itself and therefore is not a virus. Not only that, to be installed it requires root access. Root access is disabled by default and is not easily enabled, and especially not by inexperienced users who would likely fall for a scam such as this.

    I will sleep easy in the knowledge that there is absolutely no chance of me acquiring this.

    Honestly, I think they are just trying to drum up interest in Mac virus software, because currently there is none.

    Windows users are so hungry fo ...Anonymous -- 26/10/04

    Windows users are so hungry for a Mac virus, they will call anything a virus. This is pitiful

    I would have thought ZDNet wou ...Anonymous -- 26/10/04

    I would have thought ZDNet would know the difference between a virus and a root-kit, but I digress.

    What virus?!? Sensationalism, ...Anonymous -- 26/10/04

    What virus?!? Sensationalism, this is not responsible journalism, I hope Apple's lawyers are sharpening their teeth. Not only has Norton had fixes available since Friday, it's NOT a virus; it's more of a trojan horse than anything else.

    In order for "Opener" ...Anonymous -- 26/10/04

    In order for "Opener" to run your system has to be running in "root" user mode, which Apple doesn't make a default. Only advanced UNIX users have any need to run in "root" mode. Most users are running in "admin" user mode, which only allows the worm's script to be run when the "admin" specifically allows it by entering their password in the dialog box. Therefore, the typical user isn't vulnerable unless they are quite careless and give it permission to run.

    Not Viral. A Virus spreads aut ...Anonymous -- 26/10/04

    Not Viral.

    A Virus spreads automatically by replicating itself--hence the name. This is not a virus and isn't any different than any other trojan for Unix based systems

    Viruses spread over networks, ...Anonymous -- 26/10/04

    Viruses spread over networks, not attached disk drives. This is FUD of the highest order, and gives people the false impression that there is a vulnerability with the Mac when there is not one. It must be installed manually by a system administrator and manually copied to any computers you want to have "infected".

    This is a non issue.

    *YAWN* Not a virus, not a worm ...Anonymous -- 26/10/04

    *YAWN*

    Not a virus, not a worm, not anything more than the fact that *one* Mac user had his admin password compromised, most likely by someone with physical access to his computer - and that person installed this script on his machine.

    Move along folks, nothing to see here...

    p.s. What a load of shoddy reporting and fear-mongering by ZD Net.

    First this particular script h ...Anonymous -- 26/10/04

    First, this particular script has been floating around for some time; it's nothing new and not really anything to be concerned about.

    It is all a non-issue. It has no known infection vector. The way this piece of code gets on your system is you're stupid enough to copy it there and then execute it with root privileges. So basically this is just a quick method to shoot yourself in the foot. That is, this isn't a virus, or a worm (it has no ability to copy itself to other systems), nor is it really a trojan horse either.

    All it demonstrates is that you or someone else can write a malicious script and that if a suitably privileged user is stupid enough to run it, it will cause damage. In fact it's trivial to create a much more malicious and better written script than this one. This "situation" has always existed on the Mac (both classical and OS X) and on any system that is capable of being scripted or programmed in any way.

    Anyone executing unknown, untrusted scripts/code while operating as the root user or administrator of a machine gets what they deserve for their lack of common sense.

    Idiots will infect any kind of system Max Riethmuller -- 12/01/07 (in reply to #120109455)

    Ah, so when Windows users click links in emails they shouldn't, it's not because they are stupid but because Windows is insecure.

    But when a Mac user does something they shouldn't, it's not the os's fault but the end user? Well I suppose I'm glad that you think Windows users aren't idiots, but personally I think that most virus infections do result from idiots ie: those without AV protection or firewalls.

    BTW, Apple themselves recommends BOTH AV and Firewall as well as daily security updates for MAC.

    Wow! Spectacular bad reporting ...Anonymous -- 26/10/04

    Wow! Spectacularly bad reporting.... Check your facts, man!

    It's not a virus, it doesn't r ...Anonymous -- 26/10/04

    It's not a virus, it doesn't replicate itself. This is just a nasty script that you have to run yourself.

    Once again.. NO VIRUSES ON THE MAC.

    Not because of marketshare, but because a virus is replicating itself and spreading exponentially.. this thing doesn't spread and it sure doesn't run automatically.. two things necessary for a real threatening virus.

    Blame ZDnet for Fear Mongering

    Viruses self-replicate and spr ...Anonymous -- 26/10/04

    Viruses self-replicate and spread. All indications including samples posted on the web indicate that this is just bad code as this cannot self replicate, nor spread.

    Anyone can write bad code and put it into a script, e.g.: put this line into your command line then enter your password and see what happens: "sudo rm -r *"

    Did I just write a virus? That’s some evil code there though, isn’t it?

    There’s a big difference between people writing bad code and a virus!

    THis is not, in any way shape ...Anonymous -- 26/10/04

    This is not, in any way, shape or form, a virus. This script requires an Administrator to INSTALL IT. It has no methods of propagation, does not copy itself, nor install itself.

    Again, it must be MANUALLY INSTALLED by a user with admin privileges to the system. Calling this a virus is a bit like calling a gentle breeze a hurricane.

    I have updated the story and h ...Anonymous -- 26/10/04

    I have updated the story and headline to clarify that Opener or Renepo is technically not a virus.

    However I would like to point out that the code does try to "spread by copying itself to any drive that is mounted to the infected computer. This could be a local drive, part of a local network or a remote computer."

    IMHO this is very much virus-like activity.

    Thank you all for your comments.

    "[Johannesburg, 25 Octobe ...Anonymous -- 26/10/04

    "[Johannesburg, 25 October 2004] - Security experts have discovered a worm that targets Apple's Macintosh OS X operating system.

    While not in the wild, the SH/Renopo worm is still fairly malicious as it attempts to turn off firewall and other security software, says Brett Myroff, CEO of local Sophos distributor Netxactics."

    How can a security firm "DISCOVER" a worm that is "NOT IN THE WILD"?! - perhaps the headlines in articles such as ZDNET's should be reading:

    "SECURITY FIRM WRITES WORM THAT TARGETS APPLE's Mac OPERATING SYSTEM" - for this is surely what has happened.

    I don't think the full-blame s ...Anonymous -- 26/10/04

    I don't think the full-blame should be heaped upon the reporters as they are no doubt relying on the "experts" at the anti-virus software companies who keep referring to this script as a trojan, worm, virus, malware etc. when it is clearly none of those things.

    For anyone wanting a first-hand look, the script is here:
    http://freaky.staticusers.net/ugboard/viewtopic.php?t=10712

    As anyone can see, the authors of the script have not in any way tried to disguise its purpose - quite to the contrary, they have taken pains to add comments to the code such that even those unfamiliar with bash scripting or OS X can follow along and easily learn what the script does (and does not) do (in fact it appears that the entire point of the script is a shared learning and teaching project about OS X cracking and security.)

    There is indeed a routine that attempts to install the script to any mounted volume which appears to be a valid OS X startup volume. Here is the code from that script:
    # Copy this startup script to any mounted startup volume.
    ls /Volumes | while read vol; do
    if test -d /Volumes/"${vol}"/System/Library ; then
    mkdir /Volumes/"${vol}"/System/Library/StartupItems
    cp -R /System/Library/StartupItems/"${scriptpath}" /Volumes/"${vol}"/System/Library/StartupItems/
    chmod -Rf 777 /Volumes/"${vol}"/System/Library/StartupItems/
    fi
    done

    Note that since the script is designed to be run as a startup item, it would be running as root and can copy itself anywhere it wishes on local drives but due to the nature of Apple's well-thought-out file sharing system, it is not possible to have root privilege on a mounted volume shared via AFP.

    So for this script to infect a network volume the following things are required:
    - The volumes must already be mounted at startup
    - The volume must appear to be a valid OS X startup volume
    - The permissions to the /System/Library/StartupItems on the mounted volumes WOULD HAVE TO ALREADY HAVE BEEN COMPROMISED. EVEN IF THE LOCAL USER IS ROOT THEY DO NOT HAVE ROOT ACCESS TO THE REMOTE VOLUME.

    Not only is this script not a virus, it isn't malware either as it VERY CLEARLY tells the user exactly what it will do - why anyone would run it is a matter best left to those in the field of psychiatry to explain.
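    A defender-side check for the trace that copy routine leaves behind (an added example, not the page's or the script's own code): it walks a /Volumes-style directory, skips anything that is not a startup volume, and flags every StartupItems entry that is world-writable, since a stock OS X StartupItems tree is root-owned and never mode 777. The function names, the fixture layout and the "opener" entry name are constructed for this example.

```shell
#!/bin/sh
# Audit every volume under a /Volumes-style directory for the artifact the
# quoted copy routine leaves: a StartupItems directory (and its contents)
# forced to mode 777. World-writable entries under StartupItems are a finding.
#
# Usage: audit_startup_items /Volumes
# Prints one line per suspicious path; returns 1 if anything was flagged,
# 0 if every startup volume is clean.
audit_startup_items() {
    base="$1"
    found=0
    for vol in "$base"/*; do
        # Mirror the script's own test: only volumes with System/Library count.
        [ -d "$vol/System/Library" ] || continue
        items="$vol/System/Library/StartupItems"
        [ -d "$items" ] || continue          # nothing installed on this volume
        # -perm -002: the "other write" bit is set (POSIX octal form).
        hits=$(find "$items" -perm -002 2>/dev/null)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed 's/^/WORLD-WRITABLE: /'
            found=1
        fi
    done
    return $found
}

# Build a constructed /Volumes lookalike in a temp dir (fixture for the
# example, not real data): one clean startup volume, one carrying a 777
# StartupItems tree, and one data-only volume that must be skipped.
# Prints the fixture path.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Clean/System/Library/StartupItems/Good"
    chmod 755 "$tmp/Clean/System/Library/StartupItems" \
              "$tmp/Clean/System/Library/StartupItems/Good"
    mkdir -p "$tmp/Hit/System/Library/StartupItems/opener"   # constructed name
    chmod -R 777 "$tmp/Hit/System/Library/StartupItems"
    mkdir -p "$tmp/DataOnly/Photos"                          # no System/Library
    echo "$tmp"
}
```

    Run against the real mount point with `audit_startup_items /Volumes`; a non-zero exit means at least one mounted startup volume carries a world-writable StartupItems entry worth inspecting by hand.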

    Two words: Social Engineering Max Riethmuller -- 12/01/07 (in reply to #120109470)

    The point is that it won't be long before virus writers are combining this type of script with social engineering techniques to trick users. This script itself is not a concern, but it does highlight potential weaknesses in the OS, given the ability of someone to be tricked.

    And if you think Mac users have some sort of magical higher brain power than Windows users then you need your head checked. I personally have come across Mac users who will click anything believing they are completely secure.

    IT'S NOT A VIRUS. IT'S NOT A ...Anonymous -- 26/10/04

    IT'S NOT A VIRUS. IT'S NOT A VIRUS. IT'S NOT A VIRUS.

    ZDnet should know the difference. Viruses spread by themselves. This must be opened manually by a user with ROOT privs which almost zero Mac users even know how to activate. Why anti-virus definitions would even be in play is beyond me. It's a SCRIPT. You can write scripts on Windows, on Linux, on OS X and on OS 9 that do bad things. This is as much a virus as the following code on windows:

    rem deleteharddrive.bat
    deltree *.*
    end

    In other words, Virus, NO. Worm, NO. Trojan, yes.

    The article says: "I'm no ...Anonymous -- 26/10/04

    The article says:

    "I'm not sure how this could be guarded against," he said.

    Well, one good way to guard against it is to *not allow it to install*. To run, it has to be allowed to be executed by a conscious decision of the user. Not like Windows, where many programs must run with administrator privileges and unless you fiddle with it, it doesn't even ask or notify you that it's happening. That's how spyware works.

    Occasionally I read about mac ...Anonymous -- 26/10/04

    Occasionally I read about mac viruses on your site. What a load of rubbish. Each day I have to clean the school network (Windows) of between 5,000 and 10,000 viruses. I have never cleaned one from our Macs. I know what I would do if I had the right to decide for our school: I'd use every PC for boat anchors!

    After reading some of the user ...Anonymous -- 02/11/04

    After reading some of the users' comments, I conclude yet AGAIN, typical Apple "kiddies" are trying to defend the dying brand.

    It may come as a bit of a shock to you, but Apple isn't any more "secure" or "immune" than Windows, Unix, DOS. SURPRISE! It doesn't take a master's degree to work that one out. And those who think that OS X is 100% virus free really need to wake up and smell the coffee (Mmmmm coffee). All I can say is, buy a REAL computer :)

    My mother works for the Apple ...Anonymous -- 17/11/04

    My mother works for the Apple security team: it is nothing illegal, since you need administrator rights to run it remotely and locally, but rather classified as a helpful tool. I had a look at the code, and I could almost do better.

    Can someone please clarify..Is ...Anonymous -- 28/12/04

    Can someone please clarify..Is it a virus?

    Okay, let's say it "isn't ...Anonymous -- 26/01/05

    Okay, let's say it "isn't contagious", therefore not a virus. However, if the thing kills my new G5, or exposes my network to anyone who isn't legitimate, then it isn't relevant that you argue over "spreadability". The question should be "is the code or script intended for something that the user would not ordinarily approve of?"

    It is easy to throw these kinds of stones when you are not the one damaged. However, my experience is the naysayers yell the loudest when they are the victim.

    They NEVER called it a virus, ...Anonymous -- 21/02/05

    They NEVER called it a virus, so calm down. Read a little more carefully before you go shooting your mouth off.

    Just ****ing bull **** about v ...Anonymous -- 08/06/05

    Just ****ing bull **** about virus on Mac. I can guess ZDNet Australia get money from Microsoft to talk bull **** about Apple, and ZDNet Australia licking Bill Gates and Ballmer's ****

    **** MICROSOFT LONG LIVE APPLE

    So, if I open an attachment in Outlook, it's not a virus? Anonymous -- 13/09/05

    If I have to open an attachment in Outlook Express in Windows XP in order to infect myself, that is not a virus? Seems to me that most virii are spread as attachments that users have to open to activate.

    [none] Anonymous -- 20/12/05 (in reply to #120121046)

    An infected e-mail attachment is a Trojan. Once you open it and activate it, the virus inside the Trojan propagates. The script in the article is nothing more than malicious code. It's not a virus because it doesn't replicate. It's not even a Trojan since you have to give it permission to run.

    Attention!! Anonymous -- 27/01/06 (in reply to #120125624)

    You have just been hit by the world's first amish virus. We do not have access to computer technology, so we'll have to rely on the honor system. Now, please go delete all your files. Thank ye.

    Not a virus, wake up! MacUsersWakeUp -- 20/01/07

    Get off the "the Mac is the most secure system ever built and I use it so it's the best ever and it can't happen" attitude. This is a virus, and the person in front of the PC applying it can be, well, um, I don't know, how about a user with admin privs who owns the POS and doesn't know what they are doing, so installs it and wham, it is infected. Wake up, people, realize that as the systems become more and more popular, more and more people will try and hack them. Since they are not used by many there really isn't much to attract a hacker to.

    Mac users unite! Anonymous -- 01/02/08 (in reply to #320073355)

    I love to hear about dopey mac people. They even advertise that you can run windows on a mac! That must be a selling point for them? mac mac mac , why bother writing a virus for the 4 people that use them? And when they do the dumb users still do not believe they have a problem? LOL.
