'Opener' Malware Targets OS X
the_webmaestro writes "Macintouch.com is covering the "opener" malware, a new and potential vulnerability which affects Mac OS X. If true (it's not on HoaxBusters yet), this could become a Mac user's worst nightmare... Worse even than Microsoft Word macro viruses (heretofore the only real 'viruses' which threatened Mac users)! Normally, whenever I'd see virus alerts, I'd revel in the fact that as a Mac user, I was immune (except for the slow-down of the net, the loss in productivity of my colleagues, and the increase in SPAM--often coming from my friends and colleagues). [Sigh] Perhaps my days of telling friends and family that there are no viruses for Macs may be coming to an end. There have been stories."
I am not too concerned (Score:5, Informative)
Saying this though, keeping your Mac patched is probably the best idea. Some vulnerabilities in Mac OS X can give you root privs, but having the firewall on and only services that you need enabled (none are enabled by default) will protect you from those issues.
Re: "Administration" Password Problem... (Score:4, Informative)
Bob
Re: "Administration" Password Problem... (Score:5, Informative)
The best fix for this problem is to apply common sense. Do not give your admin password to any application except an installer for software acquired from a trusted source, or the OS X system utilities.
Re:Nice script (Score:5, Informative)
Re:Nice script (Score:4, Informative)
Re:Security in Mac OS/X Tiger (Score:3, Informative)
Automator won't do much that AppleScript couldn't already do (which is quite a lot, since you can AppleScript the Terminal and give it shell commands); it will just give scripting a point & click interface.
As a poster above said, a script by itself, whether it be Bash, AppleScript or Automator, is not really much of an exploit, it's the manner of getting on to the system that is.
Re:Security in Mac OS/X Tiger (Score:4, Informative)
Re:"spoof" ctrl-alt-delete (Score:4, Informative)
Causing the OS to respond as if to the control-alt-delete sequence is not a problem - the OS puts up its dialog box which is presumably secure.
The concern is if an application can intercept it when you do it on your keyboard, and stop the OS from putting up the box, but instead put up its own version that looks the same.
Re:Uninformed. (Score:4, Informative)
Sure, virus scanners are proof of viruses. It's definitely not possible that the company behind VirusBarrier is just trying to trick people into buying a product they don't need. Because corporations don't want profit, right? They'll just try to justify the program's existence by adding features for non-virus stuff and claiming they're building an infrastructure for fast response if there ever is a virus. So mod parent down -1 Troll!
Anti-Mac FUD? (Score:4, Informative)
"Oh woe is me! I have a Mac but someone might (cringe) hack it! And think of all those people who trusted me when I recommended Macs as safe! The world should be ending around 3pm today Eastern Time...."
And it's not even a vulnerability! Geez, it's almost enough to make me think this is just someone grinding an axe.
Re:Use sudo (Score:5, Informative)
Back when OS X was pretty new, lots of *nix illiterates used to think you had to be logged in as root to have all the administrative powers of the system. Lots of software would be broken by it, and shareware developers would be swamped with email from people saying "I'm logged in as root and your program doesn't work".
Re:All machines are vulnerable to this (Score:2, Informative)
Re: "Administration" Password Problem... (Score:5, Informative)
This is a common vulnerability to just about any shared medium, and why users need to be careful even just running untrusted programs as a user. The unix equivalent is well-timed "password" prompts from malware when the user runs something else they expect to generate such a message, such as ssh.
Re:All machines are vulnerable to this (Score:2, Informative)
In fact, you have to do none of the above - you just have to have admin rights (which most not-so-unix-savvy Mac users probably do because they don't bother to add another account beside the one created during system setup, which *does* have admin rights) and run some program from a not-really-to-be-trusted source (e.g. some "nifty freeware tool") which contains the script and installs it without further user interaction. Users with admin rights do *not* need to login as root or to authenticate to install files in
Re:time to take action (Score:3, Informative)
Any Mac coder around to port Tripwire to Mac OS X?
DarwinPorts [opendarwin.org] already offer a Tripwire port [opendarwin.org] for OS X.
Re:All machines are vulnerable to this (Score:3, Informative)
$ id
uid=501(alex) gid=501(alex) groups=501(alex), 79(appserverusr), 80(admin), 81(appserveradm)
$ ls -ld
drwxr-xr-x 3 root wheel 102 4 Aug 11:12
I can't remember changing the modes and ownership myself.
lame lame lame... (Score:3, Informative)
The most frightening thing is that if you read the evolving thread on the shell script in question, the "developers" seem to have trouble understanding what simple commands do. "What does 'find' do?" ... Yet, there's enough of them that they end up producing something that, at least, appears like it might function, and might serve some relatively benign but nefarious purpose...
Kinda like linux....
Re:time to take action (Score:3, Informative)
"At its core, radmind operates as a tripwire. It is able to detect changes to any managed filesystem object, e.g. files, directories, links, etc. However, radmind goes further than just integrity checking: once a change is detected, radmind can optionally reverse the change."
Re:time to take action (Score:1, Informative)
I work at the configuration and deployment level rather than the source code level most of the time, so I may not quite explain this correctly. But one of the performance optimisation features of Darwin / Mac OS X is to pre-bind executables to libraries which would otherwise be dynamically linked at runtime. This makes launching an application faster.
In doing so it actually alters the executable file itself. Most install packages explicitly do this as a post-install step, and the runtime system itself will attempt to re-bind any executable it finds without valid prebinding information.
The specifics of prebinding differ from machine to machine, even with the same OS, library and application versions... so an MD5 checksum of somebody else's binary is going to be useless to you because the files themselves are almost certainly not identical after prebinding has been performed.
Re:All machines are vulnerable to this (Score:5, Informative)
Re:All machines are vulnerable to this (Score:4, Informative)
Re:All machines are vulnerable to this (Score:5, Informative)
Sorry, I can't just let this one go. As a nearby poster points out, the
This is on a machine running 10.3.5; I can't speak for earlier versions.
Re:All machines are vulnerable to this (Score:4, Informative)
Re: "Administration" Password Problem... (Score:5, Informative)
Not if the OS is written correctly. Secure attention sequences (the official name for this idea) work, when implemented correctly.
I've noticed that XP seems to have introduced a setting (on by default, even!) which stops it from working, though, which is remarkably daft IMO.
admin access (Score:5, Informative)
1) Someone said that root isn't active by default. That's sort of true. Root obviously exists. Anyone who is in the group admin can do "sudo" to do a specific command as root. They have to type their password to use sudo. However they can't login as root or su to root, because root doesn't have a password. If you want to be able to su to root, you give root a password by "sudo passwd root" or something similar. That command is not documented by Apple. They intend that users who want to do something as root will use sudo. "sudo bash" would appear to be functionally equivalent to "su", so assigning a password to root doesn't seem necessary, and is probably not best practice.
2) There has been a lot of discussion about creating files in /Library/StartupItems. On a system that was installed from scratch a couple of months ago with the most recent OS, /Library/StartupItems is protected 755 root:wheel. On an older system it is protected 775 root:wheel. But you need to realize that wheel is *not* the admin group. My normal uid, which is an administrator, is not in wheel. The admin group is admin.
This is on a system with 775 root:wheel. Apple has done their best to make sure that you must type the password of an administrator before doing anything one would think of as administrator actions. Frankly I think there are enough corners in any complex OS to get unwary users to install Trojans. But some of the info in this thread has been wrong.
Re:All machines are vulnerable to this (Score:3, Informative)
I was wrong. Oops (Score:5, Informative)
That must have been changed with some security update in the last while, because in 10.3.6 they're both
drwxr-xr-x 6 root wheel 204 15 Oct 19:22
drwxr-xr-x 34 root wheel 1156 30 Sep 19:05
Re:All machines are vulnerable to this (Score:5, Informative)
Anyone out there who has installed Aironet wireless drivers, you might want to do something about your permissions in /Library/StartupItems.
Re:Not to worry then (Score:3, Informative)
Okay, there are two folders being confused here (Score:3, Informative)
ls -al
gives the following
drwxrwxr-x 5 root admin 170 16 Aug 00:06 StartupItems
It is owned by the admin group. All admin users have write access.
I think the confusion is with
ls -al
gives the following
drwxr-xr-x 34 root wheel 1156 9 Aug 17:58 StartupItems
The
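The posts above disagree about whether /Library/StartupItems is 755 root:wheel or 775 root:admin; the second makes it writable by every admin user without an authentication prompt. The following audit script is an added example, not code from the thread: it parses `ls -ld` output (as the posters did) for the two StartupItems locations named above and flags any directory or entry that is group- or world-writable or not owned by root. The path list and the "Aironet" example name in the comments are taken from the thread; everything else is constructed here.

```shell
#!/bin/sh
# Added audit script (not from the thread). A startup item in a
# group-writable StartupItems directory can be dropped in by any admin
# user (or by anything running as that user) with no password prompt.

# Succeed (return 0) when an ls-style mode string such as drwxr-xr-x has
# neither the group nor the other write bit set; fail (return 1) otherwise.
# Position 6 is the group write bit, position 9 the other write bit.
mode_locked_down() {
    case "$1" in
        ?????w*|????????w*) return 1 ;;
        *) return 0 ;;
    esac
}

# Report a path that admins (group write) or anyone (other write) could
# modify, or that is not owned by root. Returns 0 when the path is locked
# down or absent, 1 when action is needed.
check_startup_path() {
    p="$1"
    if [ ! -e "$p" ]; then
        echo "absent:   $p"
        return 0
    fi
    set -- $(ls -ld "$p")        # mode links owner group size date... name
    mode=$1; owner=$3; group=$4
    rc=0
    if ! mode_locked_down "$mode"; then
        echo "WRITABLE: $mode $owner:$group $p"
        rc=1
    fi
    if [ "$owner" != "root" ]; then
        echo "NOT-ROOT: $mode $owner:$group $p"
        rc=1
    fi
    return $rc
}

# Check a StartupItems directory and every entry directly inside it
# (e.g. a leftover Aironet item with loose permissions).
audit_startup_items() {
    dir="$1"
    bad=0
    check_startup_path "$dir" || bad=1
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue   # unexpanded glob on an empty dir
        check_startup_path "$entry" || bad=1
    done
    return $bad
}

# The two locations the thread distinguishes.
for d in /Library/StartupItems /System/Library/StartupItems; do
    audit_startup_items "$d" || echo "ACTION NEEDED: $d"
done
```

Run it as a normal user; the expected clean result is 755 root:wheel (or root:admin without the group write bit) on both directories and root ownership on everything inside them.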
Re:admin access (Score:2, Informative)
it gives you a root shell
Re:admin access (Score:1, Informative)
You need to read the posts about the stupid Cisco installer (Aironet wireless stuff) that created a dir in
Ooops. Baaaaaaaaad 3rd party software for introducing a security hole in your up-to-then nicely secured system. A hole any other software you run as an admin user (..such as, the default user account...) can exploit.
Once the KaZaas and other such nonsense start making the rounds of OS X, want to bet how many more stooooopid installers will be run (with root permissions, as they have to be)?...
Re:admin access (Score:2, Informative)
sudo su