'Opener' Malware Targets OS X 400
the_webmaestro writes "Macintouch.com is covering the "opener" malware, a new and potential vulnerability which affects Mac OS X. If true (it's not on HoaxBusters yet), this could become a Mac user's worst nightmare... Worse even than Microsoft Word macro viruses (heretofore the only real 'viruses' which threatened Mac users)! Normally, when ever I'd see virus alerts, I'd revel in the fact that as a Mac user, I was immune (except for the slow-down of the net, the loss in productivity of my colleagues, and the increase in SPAM--often coming from my friends and colleagues). [Sigh] Perhaps, my days of telling friends and family that there are no viruses for Macs may be coming to an end. There have been stories."
All machines are vulnerable to this (Score:5, Insightful)
actual discussion linked, it's very clear that this is a root kit
installed after someone already has root access on your machine.
How did it suddenly become a vulnerability that if you have root
access to someones machine, you can write a script that will
automatically install a bunch of malware? If this were a self
propagating system, or if it were packaged up as a program that users
might install by accident I could see the point. As it stands now,
it's a script that you have to run *after* you have root access.
Common sense should apply here. On *any* system, if you run untrusted
code with root level access, it could do *bad* things to your system.
Normal rootkit (Score:5, Insightful)
So, this is a progression of the age-old idea of a rootkit. A program installed with administrator (root,superuser,avatar) rights to remotley control the machine.
Admitted, this one looks a bit more aggressive than some (running jack the ripper on the md5 passwords is blatant and obvious) but this is hardly any news for anyone.
What strikes me as confusing is that Mac users aren't used to this already? It's been standard issue with all Unix, Windows and some BeOS applications, that people would post "faked" binaries of some popular software that would instead own the system completely. Or for that matter, latch them on to an existing download, the same way spyware does in windows.
Overall, this isn't self-replicating, its blatantly obvious and appears quite easy to recover from. Don't fret.
Not to worry then (Score:5, Insightful)
Not to worry then, you're still immune. It's not a virus. It's not much of a vulnerability either; and no-one has ever suggested that OS/X - or any operating system for that matter - is immune to trojan horses. And this is what this is (if it's true) - a good old fashioned trojan horse.
Re:All machines are vulnerable to this (Score:5, Insightful)
The linked article ONLY talks about the things this program does to a person's computer, once it is on it, and does NOT discuss how it gets onto a computer in the first place--other than by manually installing it.
It might be malicious, but unless it is possible/easy for folks to accidentally install it (like all of the Windows spyware/malware), it is not a threat, any more than is THIS piece of Linux and MacOS Malware:
#!/bin/sh
rm -Rf
Worst. virus. ever (Score:5, Insightful)
"Administration" Password Problem... (Score:5, Insightful)
Something thats always bothered me about OSX is how easy it is to write a program that prompts the user to enter their Admin password, and how many users just enter it when requested, for any old program.
I don't really know how Apple can address this.. perhaps some sort of 'certification' system for "programs which need admin access", but I've seen how that approach got dealt with by Microsoft and I don't really see it as a solution; just more problems. (App Certification is a crappy idea..)
Really, there's just no such thing as a piss-free sandbox. *sigh*
Re:I am not too concerned (Score:3, Insightful)
Hardly news (Score:5, Insightful)
Lame script kiddie (Score:5, Insightful)
Doing things like changing preferences and turning on 5 different methods of remote access is a bit obvious.
What's really obvious is running john the ripper on the machine that was hacked. Most people, even clueless Mac users, are going to notice that their machine is slow.
Even brute force DES attacks are not feasible if your passowrd is not dictionary based, so cracking the password isn't going to be quick.
Re:All machines are vulnerable to this (Score:2, Insightful)
Security in Mac OS/X Tiger (Score:3, Insightful)
Re:All machines are vulnerable to this (Score:5, Insightful)
Re:Burn them! (Score:1, Insightful)
Re:It's a lame virus, but YOUR MISSING THE POINT (Score:2, Insightful)
It is what it is. A virus. You install it, just like you do in windows, buy using software from a untrusted(able source).
No, a virus is quite simply a piece of code, often malicious (though not necessarily so), that replicates itself onto other machines. Viruses replicate - did anyone tell you that this replicates itself? Until that's proven, it's silly to call it a virus. Malware is the most approrpiate word.
By your definition, any program i pick up from versiontracker, form a source i've never heard of, is a virus.
Oh and BTW, on OS X your ROOT ACCOUNT ISN'T DISABLED. It simply doesn't have a password. It's still running, it's still their. You system depends on root in order to even freaking function.
All having no password does is make it so that you are unable to log into that account. That's all.
Need proof?
open up a terminal.
type:
sudo su -
There you go. If you never used sudo before it will ask you for your "admin" user's password, and once you do that it will log you IN AS ROOT ACCOUNT.
No, The root account isn't disabled, just that you have to enable it to be able to log in from a login prompt as 'root'. What you demonstrated is a user logging in having already logged in with a password - oh, and everytime you sudo, you'll require your password, unless you've sudo'ed very recently - unless you've messed with that (Which would be DUM).
HOW THE FUCK DID THE BASH SCRIPT GET INSTALLED ON THE OS X COMPUTER IN THE FUCKING FIRST PLACE?
Dammit, I thought you said it was a virus! surely if it's a virus it came via some software you installed!
Oh, and good to see your caps-lock works.
"OS X virus" is the new "Apple is dying" (Score:5, Insightful)
Anyone care to tell me how this so-called virus spreads? How does it propagate itself? Until we get to that point, I'm not going to accept that this is for real. And until then, those shouting that the sky has officially fallen on Cupertino can shut the hell up. I've heard this a dozen or so times over the last year-and-a-half and it's getting tiresome.
What is it about Apple that non-Apple users hate so much that requires this constant vigil for anything that could be a virus? And then the subsequent shouts of "Yep, take that smarmy Mac users... it's finally happened!" And this usually coming from people who beforehand would argue that the only reason Macs have no viruses is because of low market share. That argument disappears when it becomes inconvenient.
I've used Macs for over a decade now and most of that time was dominated by two phrases repeated ad nauseum. "Apple is dying" and "But there's no software!"
And now those have been replaced by this ongoing Quest for the Holy Virus.
I'm not saying OS X is invincible or that a virus will never hit Mac users, but when it happens, there will be little doubt about it. Until then, can we all just lay off the panic button?
Re:All machines are vulnerable to this (Score:5, Insightful)
write into [Volume Name]:System:Library:StartupItems nor into its subdirectories (haven't tried them all but a quick chown or chmod can be a solution in that case). That folder is owned by 'system' and group 'wheel'.
So a script that needs to be installed as root is definitely not comparable to the plethora of vulnerabilities win users are exposed to. If that were the case osx and linux should have approx 5 percent of the total viruses, according to their market share. That simply doesnt happen so I consider this
Re:You're not immune, just too little to care abou (Score:3, Insightful)
Macs have always had viruses (Score:4, Insightful)
OS X has the advantage of being BSD-based, which means that there are greater protections against malware. Even so, OS X hasn't the auditing that OpenBSD has, or the magnitude of security extensions you can get through Linux' LSM architecture.
Which brings me to Linux. Sure, I'll tell people that there are no Linux viruses. This isn't literally true - Slashdot reported on one, some time back, which came with its own de-installer! - but it's near-enough true.
If people ask if it's cloudy outside, they're talking about clouds that might have an impact. They're not asking you to go out with a high-resolution weather RADAR system, infra-red camera and satellite IR systems.
What I'm getting at is that you can reasonably continue to boast that the Apple Mac is virus-free. "Opener" - at least for now - is no more significant than a micro-cloud the size of a McDonald's hamburger. For now. Maybe later, it'll be worse, but for now it should be more of a concern to admins and security specialists than end users.
Re:You're not immune, just too little to care abou (Score:3, Insightful)
Perceptions (Score:2, Insightful)
OK, so this is Slashdot, but... (Score:5, Insightful)
Looks like someone wrote a convenient script to do some malicious stuff, that they install when they break into a machine. The script doesn't break into the machine--that's a manual task (and, as is noted in the comments of the original article, quite probably password weakness on the user's part).
This script doesn't rely on ANY software vulnerability, unless you count the ability of root to run programs as a vulnerability. It does so with malicious purposes, but that's hardly the OS' fault.
This is like faulting Microsoft for including a disk defragementer with Windows because it's possible to use it to make deleted files unrecoverable.
What, exactly, is the vulnerability that you want Apple to fix?
Re:All machines are vulnerable to this (Score:2, Insightful)
As a long time Mac user you do seem to be suffering under a misapprehension. In no way shape or form is this equivalent to the Microsoft macro viruss. In order to run a Windows virus you have to a) browse a web page or b) open an e-mail msg.
To run this 'malware' you have to a) download the script b) Change its mode to executable c) login as root and d) finally type something like
Oh, no! (Score:5, Insightful)
Seriously, a bash script is not a thing to cause terror and panic in the Mac community, except possibly in the folks with no Unix background who may not understand the implications.
Basically, this script can cause Bad Things to happen, but only if you are silly enough to run it in the first place. The actual exploit, as it is, would be one of social engineering (convincing you to run the malware), not a technical one.
That's pretty important. From what we've seen, this can't remotely attack you. There's no unpatched vulnerability in MacOS X that it can use to insert itself into a running system without your knowledge. Were this a worm with an appropriate method of spreading, that would be different. But it's not that far removed from the classic Unix honor system virus as it stands.
The risk, as far as I can see, is that plenty of Mac users are even less technical than a bad Windows user - because they haven't had to know what's under the hood of their shiny new Mac. So they're inclined to type their admin password for just about anything without checking at all first. But that's a user education problem more than a technical one.
When this gets tethered to a remote attack is when I start worrying about it.
Re:All machines are vulnerable to this (Score:3, Insightful)
I think the biggest security hole is this common sense that you speak of.
Re: "Administration" Password Problem... (Score:5, Insightful)
Well, it's not like it's real hard for me to spoof a Windows dialog box asking for your administrator password (and I bet most users would give it, even though Windows has no concept of 'sudo'), or even telling you that your Internet Connection is too slow.
But it's not just OS X - any OS that has a GUI equivalent of sudo (which now includes FC2, RHEL, SuSE, among others) is easy enough to spoof with a dialog box. FC2 and RHEL just have some python libraries you import, and you're all set, and you get a userhelper dialog, just like the one displayed by the system utilities (system-config-packages, for example), and off you go.
The thing is, there is no good way around this. "Certification" is a problem, since getting your program certified (well, getting the CA) costs a *shitload* of money (yes, yes, CAcert [cacert.org], I saw them at USENIX too, except I wasn't real comfortable having my driver's license scanned by a bunch of people I'd never met), and that would rule out the smaller developers. Plus, it's not like the CA used to sign the programs can ever get stolen, or anything (*cough* Microsoft/VeriSign *cough*).
A key combination (like how XP claims pressing Ctrl-Alt-Del to log in makes your computer "more secure") is a pretty stupid idea, and anything will be able to intercept it before the OS does if it tries hard enough.
The best thing I can think of is that unless the software is produced by Apple (verified via some key), the dialog box to request the admin password says something that says "Admin privileges are being requsted by foo.pkg/bar.app located at /Users/joeuser/Desktop/downloadz. According to the metadata, this is required in order to install the following files or do the following operation. This software claims to be produced by FooCorp, at the URL www.foocorp.com". And then maybe that might make the user think harder about what they're doing. Sure, there's no reason why you wouldn't be able to fake it to look like Word or iDVD or something, but hopefully users might take a second or to and think "But, wait, I *have* iDVD, why am I installing a new version". And those that don't are going to get screwed anyway by giving all their money to the son of the former president of Nigeria, or by replying to "Citibank"'s request for their account number and PIN.
Really, I'm convinced education is the only way to fix this. What would be kind of cool would be like what the Justice Department did with online pyramid schemes - setting up fake web pages that lured people in and then told them that they could have been duped and lost millions if they clicked on the "Click here to sign up" link. Apple or someone could make a package that purports to be 10.4 preview release, yet has spelling errors and l33t-speak in the installer text, and then when you give it your admin password, it tells you why you're a moron and how not to do that in the future. But I suspect that wouldn't go over well - people don't like having stupidity pointed out to them.
wow (Score:3, Insightful)
The virus is this story (Score:5, Insightful)
Re:All machines are vulnerable to this (Score:4, Insightful)
Re:Hardly news (Score:4, Insightful)
This is real. Here's how: (Score:2, Insightful)
You get fifty emails a day with various attachments that are also ways to 'root' a Windows machine, or at least zombie it. Mac users can open those attachments with impunity because the payloads are destined for Windows.
So, you get an email that has a Mac attachment. You can easily, if the user is hapless and opens the attachment, get them to execute the attached script or executable so as to take advantage of the user's root capability.
Hark, Max OS/X will then ask the user for the root password. Some will type it in, thinking it's the right thing to do. We'll have called it a special update file attachment so that they think they're doing the 'right' thing.
You can then execute any 'root'ing you want. If you're smart, it's a clean root kit and life is good. You're now in control of his/her machine. Use port 80 to talk back and forth, so that you don't have to worry about a port block.
Or check to see if they're using Apache on their machine. Apache is a wonderful engine to allow various kinds of mayhem.
Port blocks are good, and the lack of RPC responders in Macs is also good. But Macs are by no means exempt from user stupidity. They're often worse than Windows users because they've not been bruised up to this point.
Apple's biggest fix for this would be to offer a software update that simply demotes the user (with the user's knowledge via an explanation) away from root, and to warn them that using an Admin account as a user account might cause them problems.
In the meantime, you'll do Mac users (civilians, not
Re:This is real. Here's how: (Score:4, Insightful)
The "malware" described here is really nothing more than a rootkit someone discovered on a compromised machine. So far as I know, no evidence has surfaced as to how it got there. So we have no evidence that a trojan, worm or virus is at work spreading this thing. Given that, I think this story is awfully alarmist.
Not a vulnerability (Score:3, Insightful)
Having an OS and applications that follow good security procedures doesn't mean you can neglect elementary precautions like "don't trust unexpected email attachments".
Here's what prevents it... (Score:5, Insightful)
That's not true. Windows contains many components that operate on or are exposed to untrusted objects and are not inherently secure.
An inherently secure design is one in which there are no APIs that depend on the ability to perform trusted operations from potentially untrusted objects. The MS HTML control, for example, depends on tha ability for a document in the most trusted zone to launch arbitrary code without restructions. That means that if an attacker can get any application (ANY application that uses the HTML control) to open a document that's in that zone, it's in.
Fixing a vulnerability of this type requires modifying the definition of the trusted zone. The result is that previously working code breaks. So the vulnerability is only fixed when there's evidence that it's known and likely to be exploited.
Any time you have an inherently insecure design, you get this problem.
So. Mac OS X requires normal levels of vigilance to remain secure. The most likely exploit is the same as it has ever been: social engineering. If a guy comes up to the door and asks to come in on some flimsy excuse, do you invite him in? No. If someone in your office has a habit of inviting strangers into the back rooms, do you treat that as a problem? Yes. Apply the same level of caution on your computer, remind your co-workers if they seem likely to do something unwise, and you should be safe.
On Windows that's not true, because the design of IE and related applications is not inherently secure. It's like having a lock on your front door that will open if someone says "please".
Re:I am not too concerned (Score:5, Insightful)
Hey! Mac developers! Quit requiring privileged steps during install!
Seriously. The Mac app architecture is designed so you can put all your files into a single bundle without littering crap all over the user's system folders.
I, for one, tend to kill any install that asks for my admin password (which is why I'm still using Preview instead of Adobe Acrobat).
If people get used to entering their admin password on every damn install, trojans like this will be all too easy. It's like software requiring a root install on Unix -- it's suspicious.
Re:All machines are vulnerable to this (Score:4, Insightful)
Someone mod up parent!! This is clear example of where 3rd party driver/install software can break the "sane" security model of Unix. Windows has had this problem for a long time; it's only due to the relatively recent popularity of OSX that we'll the the issues with unix/linux.
No, it's Win vs EVERYONE. (Score:5, Insightful)
Local communication channels come down to physical access: it doesn't matter if a computer system has firewire ports or not, for example, because firewire is a local resource. If you have physical access then you can compromise the computer... that's pretty much an axiom.
So you need to look at any remote communication channels that can be compromised, and if are there mechanisms that can be used to launch malicious code.
What incoming connections are accepted, then? Well, there's far fewer on just about any operating system than a Windows-based personal computer. So:
The number of transoms on a Mac is about the same as an average PC.
I don't know whether you're just counting physical ports (which is irrelevant), or you're suggesting that there's as many logical ports open on the Mac. If the latter, no, that's just not true. Windows installs and runs with half a dozen wide open ports, and you can not close them down without breaking basic functionality that the OS requires. The *only* way to secure it is with a firewall. What should be an extra protective layer... part of a defense in depth... becomes the whole of the security system.
I don't know any other operating system that leaves its fly open like this.
But IE is also available on the Mac
Irrelevant. It's got the same name, but it's not even vaguely the same program. IE on Windows is a thin wrapper about a core part of the OS... and that core part is almost criminally badly designed. IE on the Mac is a standalone application. As is IE on Solaris.
You get the same reaction every time people see a backdoor kit like this and immediately jump all the way to this proves 'other OS' is as open as Windows!. It ain't true, and it won't ever be true, until (and unless) Microsoft makes some deep and fundamental changes in Windows' networking and user interface design.
MOD STORY DOWN!! (Score:1, Insightful)
MOD STORY DOWN -1: Troll
Re:All machines are vulnerable to this (Score:5, Insightful)
It will be created if you install any 3rd party extensions that require startup services. For example on my machine, it was created by installing the Wacom tablet driver.
The permissions of
Repairing permissions doesn't help, since that mechanism looks at the permissions in/Library/Receipts/*.pgk/.../*.bom to make the repairs, and will just restore whatever bad permissions the installer was using.
Re:(MOD UP!) (Score:3, Insightful)
Are you saying your Unix user account has no way to switch into a root context? You're not in wheel (on your home computer that you admin, that is, not on some random system where you're just a user)? Do you actually log out and log in as root when you need to install something or access protected data? That's more insecure than using sudo.
Or do you just never edit any configurations/install new software?
If you have a single user computer, then your single user has to have some way to become root, or it's useless.