Forgot your password?
typodupeerror
OS X Operating Systems Security

'Opener' Malware Targets OS X 400

Posted by michael
from the laugh-it-up-fuzzball dept.
the_webmaestro writes "Macintouch.com is covering the "opener" malware, a new and potential vulnerability which affects Mac OS X. If true (it's not on HoaxBusters yet), this could become a Mac user's worst nightmare... Worse even than Microsoft Word macro viruses (heretofore the only real 'viruses' which threatened Mac users)! Normally, when ever I'd see virus alerts, I'd revel in the fact that as a Mac user, I was immune (except for the slow-down of the net, the loss in productivity of my colleagues, and the increase in SPAM--often coming from my friends and colleagues). [Sigh] Perhaps, my days of telling friends and family that there are no viruses for Macs may be coming to an end. There have been stories."
This discussion has been archived. No new comments can be posted.

'Opener' Malware Targets OS X

Comments Filter:
  • by dtolton (162216) * on Saturday October 23, 2004 @04:04AM (#10607618) Homepage
    I'm not sure how this qualifies as a vulnerability. If you read the
    actual discussion linked, it's very clear that this is a root kit
    installed after someone already has root access on your machine.

    How did it suddenly become a vulnerability that if you have root
    access to someones machine, you can write a script that will
    automatically install a bunch of malware? If this were a self
    propagating system, or if it were packaged up as a program that users
    might install by accident I could see the point. As it stands now,
    it's a script that you have to run *after* you have root access.

    Common sense should apply here. On *any* system, if you run untrusted
    code with root level access, it could do *bad* things to your system.
    • by Black Parrot (19622) on Saturday October 23, 2004 @04:11AM (#10607638)


      > I'm not sure how this qualifies as a vulnerability. If you read the actual discussion linked, it's very clear that this is a root kit installed after someone already has root access on your machine. How did it suddenly become a vulnerability that if you have root access to someones machine, you can write a script that will automatically install a bunch of malware?

      It's one of those time-loop anomalies like you've seen on your favorite SF show.

    • by Anonymous Coward on Saturday October 23, 2004 @04:14AM (#10607650)
      Yes, to make it more clear:

      The linked article ONLY talks about the things this program does to a person's computer, once it is on it, and does NOT discuss how it gets onto a computer in the first place--other than by manually installing it.

      It might be malicious, but unless it is possible/easy for folks to accidentally install it (like all of the Windows spyware/malware), it is not a threat, any more than is THIS piece of Linux and MacOS Malware:

      #!/bin/sh
      rm -Rf /
    • by asjk (569258) * on Saturday October 23, 2004 @05:01AM (#10607756)
      What about this assertion from the MacIntouch page?

      John C. Welch

      ...Using /Library/StartupItems/ for it shows some thought about Mac OS X. One of the problems with that directory is that, while items in it run as root prior to login, you don't have to be root to create startup items in that directory, nor do they have to be owned by root to run. Any admin user can use this directory to create startup items that will run as root. That's a weakness that hopefully will get fixed. ...

      Could a Trojan be written to trick the user into installing a StartUp Item?

      • by WiseWeasel (92224) on Saturday October 23, 2004 @05:07AM (#10607767)
        Yes, a trojan could be written to do that. It would prompt you for an admin password, even if you launched the trojan executable as an admin user, but it could definitely be done, and if done correctly, a lot of users might be duped by it. Basically, if you run executables from untrusted sources, you could get bitten by this. This is true of any operating system. Trojans are always going to be a problem. Careful users probably won't be affected by it, but others might be. This is a far cry from a worm or virus, in that there is no vector that will allow this to propagate to any significant level. That being said, it's always crucial to keep updated with the latest security patches just to be safe. For now, this is not even a concern, but it could make script kiddies' lives a little easier, especially with this added publicity.
      • by marcello_dl (667940) on Saturday October 23, 2004 @06:22AM (#10607927) Homepage Journal
        On a relatively up to date 10.2.8 running in a Mac on linux window as we speak, my user account cannot
        write into [Volume Name]:System:Library:StartupItems nor into its subdirectories (haven't tried them all but a quick chown or chmod can be a solution in that case). That folder is owned by 'system' and group 'wheel'.

        So a script that needs to be installed as root is definitely not comparable to the plethora of vulnerabilities win users are exposed to. If that were the case osx and linux should have approx 5 percent of the total viruses, according to their market share. That simply doesnt happen so I consider this /. article FUD until somebody discovers what can remotely install such script. Keep your "boxen" updated, though.
        • As an admin user though, you should be able to write to /Library/StartupItems. The script will then be run as root on next reboot, and move itself from /Library/StartupItems to /System/Library/StartupItems
          • I was wrong. Oops (Score:5, Informative)

            by scruffyMark (115082) on Saturday October 23, 2004 @11:06AM (#10608952)
            Hm, I remember you used to be able to write directly to /Library/StartupItems without sudo-ing.

            That must have been changed with some security update in the last while, because in 10.3.6 they're both

            drwxr-xr-x 6 root wheel 204 15 Oct 19:22 /Library/StartupItems/
            drwxr-xr-x 34 root wheel 1156 30 Sep 19:05 /System/Library/StartupItems/
            • Re:I was wrong. Oops (Score:4, Interesting)

              by Bishop (4500) on Saturday October 23, 2004 @05:18PM (#10610799)
              By default sudo (on all *nix systems) is configured to only request a password once within a set time period. (Read the man page for details.) It would be possible for a piece of smart malware to wait for the user to issue a sudo command. After the sudo ticket has been issued the malware could use sudo to gain root access without a password.

              I do not know how this affects OSX. Some preference controls and updates require a password similar to sudo, but I do not know if sudo is used.
    • by Laebshade (643478) <laebshade@gmail.com> on Saturday October 23, 2004 @07:22AM (#10608065)
      As you already pointed out, you have to have root access to the machine then install a root kit. This is just a bunch of FUD similar to the ruckus the so-called WordPress vulernabilities that were reported last month [net-security.org]. Yes, they allowed you to redirect to any url as part of a seemingly innocent url, but you have to be logged into WordPress to exploit them. Highly overrated as severe security vulnerability.
    • Someone even installed a keystroke logger [thestar.com] on a Sun box.

      I think the biggest security hole is this common sense that you speak of.

    • You are right. And I hope I'm not the only one here to have pointed out that 99% (if not all) of the current viruses/malware/spyware in Windows are due to this same issue. Windows users have been trained to run as root (Administrator) at all times -- so if I write a batch file that starts at C:\ and deletes recursively -- bingo! I have a working malware. We're starting to see a bigger push to move away from this from MS and from the outside, lets hope it gets widely adopted.

      Yes, there have been a handful o
    • admin access (Score:5, Informative)

      by hedrick (701605) on Saturday October 23, 2004 @10:57AM (#10608902)
      In all of this discussion I still haven't seen a coherent account of how OS X actually works. Let me try:

      1) Someone said that root isn't active by default. That's sort of true. Root obviously exists. Anyone who is in the group admin can do "sudo" to do a specific command as root. They have to type their password to use sudo. However they can't login as root or su to root, because root doesn't have a password. If you want to be able to su to root, you give root a password by "sudo passwd root" or something similar. That command is not documented by Apple. They intend that users who want to do something as root will use sudo. "sudo bash" would appear to be functionally equivalent to "su", so assigning a password to root doesn't seem necessary, and is probably not best practice.

      2) There has been a lot of discussion about creating files in /Library/StartupItems. On a system that was installed from scratch a couple of months ago with the most recent OS, /Library/StartupItems is protected 755 root:wheel. On an older system it is protected 775 root:wheel. But you need to realize that wheel is *not* the admin group. My normal uid, which is an administrator, is not in wheel. The admin group is admin.

      cd /Library/StartupItems

      touch foo
      touch: foo: Permission denied
      This is on a system with 775 root:wheel.

      Apple has done their best to make sure that you must type the password of an administrator before doing anything one would think of as administrator actions. Frankly I think there are enough corners in any complex OS to get unwary users to install Trojans. But some of the info in this thread has been wrong.

  • by mj_1903 (570130) * on Saturday October 23, 2004 @04:05AM (#10607623)
    As this Bash script (that's all it is) needs root access or physical access to the machine to propagate, I am not too concerned. Root is disabled by default on all shipping Mac's and if anyone has physical access to your machine then you are in serious trouble anyway.

    Saying this though, keeping your Mac patched is probably the best idea. Some vulnerabilities in Mac OS X can give you root privs, but having the firewall on and only services that you need enabled (none are enabled by default) will protect you from those issues.
    • by j-pimp (177072) <zippy1981.gmail@com> on Saturday October 23, 2004 @04:20AM (#10607670) Homepage Journal
      Root is disabled by default on all shipping Mac's and if anyone has physical access to your machine then you are in serious trouble anyway. Right, but the initial setup of every shipping mac out there has the user create an administrative account on there machine. This person can run sudo to execute a root command. The password prompt you get before installing most mac software runs sudo. So an install program effectively runs as root and if the install program silently added this script to your system then it would run.
      • Of course, but if I download and install any software that contains malicious code then I am in trouble. Similar to that incidence of a developer deleting ~/ on users machines that used a pirated serial number.
      • by cbiffle (211614) on Saturday October 23, 2004 @12:15PM (#10609373)
        I know this is not the best place to say this, but:

        Hey! Mac developers! Quit requiring privileged steps during install!

        Seriously. The Mac app architecture is designed so you can put all your files into a single bundle without littering crap all over the user's system folders.

        I, for one, tend to kill any install that asks for my admin password (which is why I'm still using Preview instead of Adobe Acrobat).

        If people get used to entering their admin password on every damn install, trojans like this will be all too easy. It's like software requiring a root install on Unix -- it's suspicious.
        • by Erik Hollensbe (808) on Saturday October 23, 2004 @01:39PM (#10609808) Homepage
          And the reality, is that only the largest apps do that.

          Really, I have over 200 apps on this machine and I can count on one hand (from memory) which ones used installers.

          Emacs, XCode, Cisco VPNClient. Sorry, 3.

          Everything else is standard mac fare, open DMG, drag n' drop and get to something more interesting.

          That said, some of the programs ask for root after they're installed, which I think is a larger problem. A couple of "tweak" utilities that I use to do things which apple buries or makes hard to use do this. I even found one doing this:

          echo "rootpassword" | sudo program

          So, I think it would be easy to argue that malware is not my biggest problem as a mac user.

  • Anti-Virus (Score:5, Funny)

    by Kesh (65890) on Saturday October 23, 2004 @04:06AM (#10607627)
    You mean my copy of Virex I get with .Mac will actually be useful now? ;)
  • FUD... (Score:5, Interesting)

    by nordicfrost (118437) * on Saturday October 23, 2004 @04:06AM (#10607628)
    This is lame. A script! -this is Slashdot, you should know tthe possibilities of bash scripting. Besides, it doesn't even spread itself, don't hide its tracks...
  • Normal rootkit (Score:5, Insightful)

    by Spider[DAC] (129824) on Saturday October 23, 2004 @04:10AM (#10607635) Homepage
    *chuckle*

    So, this is a progression of the age-old idea of a rootkit. A program installed with administrator (root,superuser,avatar) rights to remotley control the machine.

    Admitted, this one looks a bit more aggressive than some (running jack the ripper on the md5 passwords is blatant and obvious) but this is hardly any news for anyone.

    What strikes me as confusing is that Mac users aren't used to this already? It's been standard issue with all Unix, Windows and some BeOS applications, that people would post "faked" binaries of some popular software that would instead own the system completely. Or for that matter, latch them on to an existing download, the same way spyware does in windows.

    Overall, this isn't self-replicating, its blatantly obvious and appears quite easy to recover from. Don't fret.
  • Not to worry then (Score:5, Insightful)

    by Armchair Dissident (557503) * on Saturday October 23, 2004 @04:12AM (#10607644) Homepage
    Normally, when ever I'd see virus alerts, I'd revel in the fact that as a Mac user, I was immune

    Not to worry then, you're still immune. It's not a virus. It's not much of a vulnerability either; and no-one has ever suggested that OS/X - or any operating system for that matter - is immune to trojan horses. And this is what this is (if it's true) - a good old fashioned trojan horse.
    • Re:Not to worry then (Score:3, Interesting)

      by wrldwzrd89 (611694)
      I agree with everyone else. This is nothing more than a Trojan Horse - and in order to do anything meaningful it needs lots of privileges, like becoming root. There's nothing seriously worrying in this (Mac OS X is STILL without a virus), because, as mentioned in the article, all the stuff it does can be reversed easily (even more easily if you clone your HD daily like I do).
      • Re:Not to worry then (Score:3, Informative)

        by nordicfrost (118437) *
        Well, technically it's not a trojan horse either. A trojan (horse) always hides itself in vessel, usually some stupid program or excecutable app... This is just a rootkit without andy means of becoming root, so the issue is moot...
  • Worst. virus. ever (Score:5, Insightful)

    by Anonymous Coward on Saturday October 23, 2004 @04:16AM (#10607654)
    So am I missing something, or is this really just a regular bash script that does bad things if given enough priviliges? Not surprising, I guess, since the submitter spelled "spam" using all caps...
  • Burn them! (Score:2, Funny)

    by Anonymous Coward
    Burn the programmers who created the OS! Burn the greedy corporation who cut corners to release this junk! Burn the ignorant and clueless users who allow such things to take place! Kill 'em all! Raze their corporate HQ to the ground! No punishment is too harsh, no criticism unwarranted. Finally, definitive proof of the systematically shoddy approach taken by this company to their OS!

    Oh wait... you said Apple, not Microsoft. Well in that case, let me just say that the user interface for this exploit is FA
  • Nice script (Score:5, Funny)

    by Zorilla (791636) on Saturday October 23, 2004 @04:21AM (#10607674)
    I don't think it's as much of a real vulnerability as it is Macintouch.com being mesmerized by looking at the code in the "new" exploit.

    #!/bin/bash
    :(){ :|:& };:


    Oooooooh, trippy code!
    • Re:Nice script (Score:3, Interesting)

      by beelsebob (529313)
      I can't claim to know bash scripting (I'm ashamed to say I'm a slashdotter and have never looked at it)... Is this a forkbomb? defining a lambda expression ':' that runs ':' twice, and then running it once. If so, surely the process limits are going to kill it after a short while? Bob
      • You know more than I do, apparently. The only bash scripting I've done is to force programs into a specific working directory. I can barely look at that code myself, I just found it under a Google search. My best guess is that it creates a function fork that is very obfuscated to the reader. There were some pretty neat obtuse examples during that "Obfuscated voting machine code contest" as well.
      • Re:Nice script (Score:5, Informative)

        by Zocalo (252965) on Saturday October 23, 2004 @04:54AM (#10607738) Homepage
        Yeah, it's a fork bomb with tiny amount of obfuscation, if you can call using a non-alpha character as a function name obfuscation. Things become clearer if you format it properly, and replace the user defined function name ":" with "foo", like this:

        #!/bin/bash
        foo()
        {
        foo | foo &
        };

        foo
        So, we define a function, "foo", which runs "foo" piped into itself as a background task, then call "foo", and off we go. Essentially you are trying to execute the infinitely long command line of:

        foo | foo | foo | foo | foo...
  • by torpor (458) <ibisum@gmail. c o m> on Saturday October 23, 2004 @04:21AM (#10607675) Homepage Journal

    Something thats always bothered me about OSX is how easy it is to write a program that prompts the user to enter their Admin password, and how many users just enter it when requested, for any old program.

    I don't really know how Apple can address this.. perhaps some sort of 'certification' system for "programs which need admin access", but I've seen how that approach got dealt with by Microsoft and I don't really see it as a solution; just more problems. (App Certification is a crappy idea..)

    Really, there's just no such thing as a piss-free sandbox. *sigh*
    • by beelsebob (529313) on Saturday October 23, 2004 @04:37AM (#10607705)
      OS X does this to a certain extent in that it tells you what application is running the security dialogue and what key it's requested, but unfortunately anyone can fake that interface in seconds. One thing to sure of is that when you type in your password it is into a normal OS X password box, anything else and the program gets to see the plain text of your password and could do anything. If it's the system's password box then the system does all the authentication and the program never gets a chance to steal the password.

      Bob
    • Really, there's just no such thing as a piss-free sandbox.

      Uhh... gee I hope when we were kids you never invited me over to build sand castles with you.

    • by TheRaven64 (641858) on Saturday October 23, 2004 @04:42AM (#10607714) Journal
      It is very easy to pop up a dialog that looks like the standard system one asking for an admin password. A simple fix for this would be to require the user to press command-option-escape (or some other OS-caught interrupt key combination) before typing in the dialog. This would identify spoofed dialogs and allow a user to check that the program popping up the dialog is the correct one, and it's asking for sensible permissions. I suspect the reason that this is not done, is that there is no reason for trojan writers no to simply use the API calls to create the dialog, and then abuse root privilege.

      The best fix for this problem is to apply common sense. Do not give your admin password to any application except an installer for software acquired from a trusted source, or the OS X system utilities.

      • That's the stupidest solution I've heard all day. Just how long do you think it would take malicious coders to spoof the required key combo as well? Anything Apple can do can be imitated by other coders. The solution is to NOT RUN UNTRUSTED EXECUTABLES!!!!!! I cannot stress that enough. If you launch an executable from an untrusted source, you can get hosed.
    • by SnowZero (92219) on Saturday October 23, 2004 @07:20AM (#10608059)
      You can make it a lot worse that that. It is (somewhat) exploitable by a timing attack if your virus waits patiently for another program to start installing. There is probably some recognizable signature you can check for in ps, and just keep running it repeatedly. Once another program is installing, the virus can then jump in and do the operation that requires root, thus popping up a dialog box. The title will probably be wrong, but the timing of the dialog box will be *right*, so most users wouldn't notice except for a second box popping up later. They'll probably convince themselves that they mistyped the password the first time.

      This is a common vulnerability to just about any shared medium, and why users need to be careful even just running untrusted programs as a user. The unix equivalent is well timed "password" prompts from malware when the user runs something else they expect to generate such a message, such as ssh.
    • by jdreed1024 (443938) on Saturday October 23, 2004 @08:18AM (#10608207)
      Something thats always bothered me about OSX is how easy it is to write a program that prompts the user to enter their Admin password, and how many users just enter it when requested, for any old program.

      Well, it's not like it's real hard for me to spoof a Windows dialog box asking for your administrator password (and I bet most users would give it, even though Windows has no concept of 'sudo'), or even telling you that your Internet Connection is too slow.

      But it's not just OS X - any OS that has a GUI equivalent of sudo (which now includes FC2, RHEL, SuSE, among others) is easy enough to spoof with a dialog box. FC2 and RHEL just have some python libraries you import, and you're all set, and you get a userhelper dialog, just like the one displayed by the system utilities (system-config-packages, for example), and off you go.

      The thing is, there is no good way around this. "Certification" is a problem, since getting your program certified (well, getting the CA) costs a *shitload* of money (yes, yes, CAcert [cacert.org], I saw them at USENIX too, except I wasn't real comfortable having my driver's license scanned by a bunch of people I'd never met), and that would rule out the smaller developers. Plus, it's not like the CA used to sign the programs can ever get stolen, or anything (*cough* Microsoft/VeriSign *cough*).

      A key combination (like how XP claims pressing Ctrl-Alt-Del to log in makes your computer "more secure") is a pretty stupid idea, and anything will be able to intercept it before the OS does if it tries hard enough.

      The best thing I can think of is that unless the software is produced by Apple (verified via some key), the dialog box to request the admin password says something that says "Admin privileges are being requsted by foo.pkg/bar.app located at /Users/joeuser/Desktop/downloadz. According to the metadata, this is required in order to install the following files or do the following operation. This software claims to be produced by FooCorp, at the URL www.foocorp.com". And then maybe that might make the user think harder about what they're doing. Sure, there's no reason why you wouldn't be able to fake it to look like Word or iDVD or something, but hopefully users might take a second or to and think "But, wait, I *have* iDVD, why am I installing a new version". And those that don't are going to get screwed anyway by giving all their money to the son of the former president of Nigeria, or by replying to "Citibank"'s request for their account number and PIN.

      Really, I'm convinced education is the only way to fix this. What would be kind of cool would be like what the Justice Department did with online pyramid schemes - setting up fake web pages that lured people in and then told them that they could have been duped and lost millions if they clicked on the "Click here to sign up" link. Apple or someone could make a package that purports to be 10.4 preview release, yet has spelling errors and l33t-speak in the installer text, and then when you give it your admin password, it tells you why you're a moron and how not to do that in the future. But I suspect that wouldn't go over well - people don't like having stupidity pointed out to them.

      • by julesh (229690) on Saturday October 23, 2004 @10:42AM (#10608832)
        A key combination (like how XP claims pressing Ctrl-Alt-Del to log in makes your computer "more secure") is a pretty stupid idea, and anything will be able to intercept it before the OS does if it tries hard enough.

        Not if the OS is written correctly. Secure attention sequences (the official name for this idea) work, when implemented correctly.

        I've noticed that XP seems to have introduced a setting (on by default, even!) which stops it from working, though, which is remarkably daft IMO.
  • Hardly news (Score:5, Insightful)

    by draxil (198788) on Saturday October 23, 2004 @04:26AM (#10607683) Homepage
    Yeah.. I could write a bunch of distructive shellscripts. But
    #!/usr/bin/bash
    rm -rf /*
    Isn't an OSX/BSD/Linux vulnerability is it? It's just a shell script. The worrying thing is when you have some way of penetrating an OS's security to install these things.. The desctruction isn't the hard part gettin in to plant the bomb is.
  • Lame script kiddie (Score:5, Insightful)

    by deafpluckin (776193) on Saturday October 23, 2004 @04:29AM (#10607689)
    Overall this script looks pretty lame. A good "rootkit" should do everything possible to not make itself noticeable.

    Doing things like changing preferences and turning on 5 different methods of remote access is a bit obvious.

    What's really obvious is running john the ripper on the machine that was hacked. Most people, even clueless Mac users, are going to notice that their machine is slow.

    Even brute force DES attacks are not feasible if your passowrd is not dictionary based, so cracking the password isn't going to be quick.
  • by jededeck (798190) on Saturday October 23, 2004 @04:37AM (#10607706)
    I do not think this could be classified as a virus. I am concerned however with the next release of Mac OS/X. It seems to contain a new feature that is integrated throughout the system called "Automator". It allows users to easily create and run scripts that perform cross-application batch-jobs. I wonder how it is integrated with mail and if it could pose a security risk in the same way Visual Basic Scripts do in Windows...
  • by inkswamp (233692) on Saturday October 23, 2004 @05:53AM (#10607872)
    I wish people would just get off Apple's back. OS X has no viruses yet but it seems that people are all hot and bothered by the idea of finding the first one. What gives?

    Anyone care to tell me how this so-called virus spreads? How does it propagate itself? Until we get to that point, I'm not going to accept that this is for real. And until then, those shouting that the sky has officially fallen on Cupertino can shut the hell up. I've heard this a dozen or so times over the last year-and-a-half and it's getting tiresome.

    What is it about Apple that non-Apple users hate so much that requires this constant vigil for anything that could be a virus? And then the subsequent shouts of "Yep, take that smarmy Mac users... it's finally happened!" And this usually coming from people who beforehand would argue that the only reason Macs have no viruses is because of low market share. That argument disappears when it becomes inconvenient.

    I've used Macs for over a decade now and most of that time was dominated by two phrases repeated ad nauseum. "Apple is dying" and "But there's no software!"

    And now those have been replaced by this ongoing Quest for the Holy Virus.

    I'm not saying OS X is invincible or that a virus will never hit Mac users, but when it happens, there will be little doubt about it. Until then, can we all just lay off the panic button?

  • Real Virus (Score:3, Funny)

    by BarryNorton (778694) on Saturday October 23, 2004 @06:05AM (#10607895)
    Worse even than Microsoft Word macro viruses (heretofore the only real 'viruses' which threatened Mac users)!
    I'm going to find a Mac user and sneeze on them... then they'll know what a real virus is!

    (Seriously, we seem to have forgotten this is an analogy... don't make me communicate some worms!)

  • by adzoox (615327) on Saturday October 23, 2004 @06:21AM (#10607926) Journal
    ... and came up with Intego and FUD.

    Make no doubt about it. There is a French company that writes Mac software called Intego.

    THEY ARE the ones spreading this new rumor, just as they spread the "trojan horse" myth a few months back.

    It's time to sell some more software - so it's time spread some more FUD.

    A previous story I had done on this [jackwhispers.com]
  • Anti-Mac FUD? (Score:4, Informative)

    by MilenCent (219397) <johnwh@gmailLION.com minus cat> on Saturday October 23, 2004 @06:35AM (#10607941) Homepage
    Something about the writing style of this story really strikes me as sensationalist.

    "Oh woe is me! I have a Mac but someone might (cringe) hack it! And think of all those people who trusted me when I recommended Macs as safe! The world should be ending around 3pm today Eastern Time...."

    And it's not even a vulnerability! Geez, it's almost enough to make me think this is just someone grinding an axe.
  • by jd (1658) <{moc.oohay} {ta} {kapimi}> on Saturday October 23, 2004 @06:40AM (#10607951) Homepage Journal
    I can remember downloading lists of known viruses when I was at University, between 1990 and 1994. Sure, the Mac was doing well (the total of all known viruses was under a hundred, compared to those for DOS/Windows, which exceeded 22,000.) But the number was certainly not zero.


    OS X has the advantage of being BSD-based, which means that there are greater protections against malware. Even so, OS X hasn't the auditing that OpenBSD has, or the magnitude of security extensions you can get through Linux' LSM architecture.


    Which brings me to Linux. Sure, I'll tell people that there are no Linux viruses. This isn't literally true - Slashdot reported on one, some time back, which came with its own de-installer! - but it's near-enough true.


    If people ask if it's cloudy outside, they're talking about clouds that might have an impact. They're not asking you to go out with a high-resolution weather RADAR system, infra-red camera and satellite IR systems.


    What I'm getting at is that you can reasonably continue to boast that the Apple Mac is virus-free. "Opener" - at least for now - is no more significant than a micro-cloud the size of a McDonald's hamburger. For now. Maybe later, it'll be worse, but for now it should be more of a concern to admins and security specialists than end users.

  • by Anonymous Coward on Saturday October 23, 2004 @06:59AM (#10608003)
    can the AUTHOR at least be expected to RTFA? And the comments that are part of it?

    Looks like someone wrote a convenient script to do some malicious stuff, that they install when they break into a machine. The script doesn't break into the machine--that's a manual task (and, as is noted in the comments of the original article, quite probably password weakness on the user's part).

    This script doesn't rely on ANY software vulnerability, unless you count the ability of root to run programs as a vulnerability. It does so with malicious purposes, but that's hardly the OS' fault.

    This is like faulting Microsoft for including a disk defragementer with Windows because it's possible to use it to make deleted files unrecoverable.

    What, exactly, is the vulnerability that you want Apple to fix?
  • Oh, no! (Score:5, Insightful)

    by jht (5006) on Saturday October 23, 2004 @07:12AM (#10608036) Homepage Journal
    A rootkit for MacOS X! What ever shall we do now?

    Seriously, a bash script is not a thing to cause terror and panic in the Mac community, except possibly in the folks with no Unix background who may not understand the implications.

    Basically, this script can cause Bad Things to happen, but only if you are silly enough to run it in the first place. The actual exploit, as it is, would be one of social engineering (convincing you to run the malware), not a technical one.

    That's pretty important. From what we've seen, this can't remotely attack you. There's no unpatched vulnerability in MacOS X that it can use to insert itself into a running system without your knowledge. Were this a worm with an appropriate method of spreading, that would be different. But it's not that far removed from the classic Unix honor system virus as it stands.

    The risk, as far as I can see, is that plenty of Mac users are even less technical than a bad Windows user - because they haven't had to know what's under the hood of their shiny new Mac. So they're inclined to type their admin password for just about anything without checking at all first. But that's a user education problem more than a technical one.

    When this gets tethered to a remote attack is when I start worrying about it.
  • by Slur (61510) on Saturday October 23, 2004 @07:37AM (#10608100) Homepage Journal
    "There are some who feel like that if they attack us, that we may decide to leave prematurely," Steve Jobs said. "They don't understand what they're talking about. ... There are some who feel like that the conditions are such that they can attack us there. My answer is: bring 'em on. We've got the force necessary to deal with the security situation."
  • lame lame lame... (Score:3, Informative)

    by nblender (741424) on Saturday October 23, 2004 @07:52AM (#10608147)
    When will /. get some editors that actually pay attention to stuff?

    The most frightening thing is that if you read the evolving thread on the shell script in question, the "developers" seem to have trouble understanding what simple commands do. "What does 'find' do?" ... Yet, there's enough of them that they end up producing something that, at least, appears like it might function, and might serve some relatively benign but nefarious purpose...

    Kinda like linux....

  • wow (Score:3, Insightful)

    by X_Bones (93097) <danorz13.yahoo@com> on Saturday October 23, 2004 @09:28AM (#10608478) Homepage Journal
    Thanks for wasting all that space in the writeup about irrelevant Word macro viruses, how you have problems with Windows viruses (what, like nobody else does?), and how you can't tell your friends that no Mac viruses exist (if they're computer knowledgeable, they know that already; if they're not, they probably don't care). All that stuff is clearly more important than things like, y'know, summarizing the article or something, or telling us the quality of the story you linked too. We don't need to know how it spreads; we need to know more about your personal life! Spare me.
  • by exp(pi*sqrt(163)) (613870) on Saturday October 23, 2004 @09:37AM (#10608511) Journal
    Most casual /. readers won't bother to read the article. Meanwhile they'll be telling everyone "d'ya hear about that Mac virus?". And the meme will spread regardless of the fact that this story is content free.
  • by macaulay805 (823467) on Saturday October 23, 2004 @11:20AM (#10609042) Homepage Journal
    "OMFG!!!!! People CAN STEAL MY CAR[*]!!!!!!"

    [*]Requires Correct Keys to Car!
  • by argent (18001) <peter@NOsPam.slashdot.2006.taronga.com> on Saturday October 23, 2004 @11:22AM (#10609058) Homepage Journal
    This isn't a vulnerability in OS X, it's a tool to be installed after you get in. The only vector is social engineering. Social engineering always works: if someone can fool you into opening the door they can come in through the door, that's always going to be true. And once they have local access they can always install a back door.

    Having an OS and applications that follow good security procedures doesn't mean you can neglect elementary precautions like "don't trust unexpected email attachments".
  • by peteMG (87639) on Saturday October 23, 2004 @01:00PM (#10609609) Homepage
    .. Almost like they were tailoring it to an audience of scripting newbies. It even comes with a readme. It's like the iHack of rootkits. The source [mac.com] has great stuff like
    echo "nidump the password file"
    echo #lets grab this now in case anything goes wrong
    /usr/bin/nidump passwd .
    echo ""
    /usr/bin/nidump passwd /
    and
    # append some commands to the cron scripts
    # since both routines are checking the last line of the file they should not be using the same
    # file as they will both just keep appending!
    I'm surprised they didn't pop up a nice helpful dialog box if the script is killed - something like "For your information, your Mac has been taken over by another user. You may want to do some reading on security and protecting yourself. [OK]"
  • by supabeast! (84658) on Saturday October 23, 2004 @02:12PM (#10609950)
    How the hell does a shell script that does nasty shit to a system count as OS X having some big nasty security flaw? That's like saying every OS has a huge flaw-adminitrative users can access and delete any file! Holy shit, we're all doomed!

    Whichever of the /. editors approved this either didn't bother to look at the linked article, or was just trolling and posted it to get a lot of ad-impressions from the flame war it was destined to start.
  • by Steve Cowan (525271) on Saturday October 23, 2004 @02:56PM (#10610164) Journal
    Low and behold, the script is on my machine too! Now I know why my Power Mac 8500 was taking so long to copy that 30 meg file!

If the code and the comments disagree, then both are probably wrong. -- Norm Schryer

Working...