Mark Ingles quoted a MacInTouch reader report as saying:
>There's now a real virus out there for Mac OS X that can do some real damage.
Greg Merritt correctly pointed out:
>Virus? Not really. More like a trojan/rootkit.
And Rusty Wright asked:
>How is it propagated?
Since Mark posted his original note, MacInTouch readers have
contributed many more details, which have been posted to the original
page covering this topic:
http://www.macintouch.com/opener.html
It appears from the descriptions that this is a script written for
the 'bash' shell that - as Greg noted - acts as a rootkit. And as
Greg noted, the existence of this rootkit doesn't necessarily suggest
any new vulnerabilities in Mac OS X. Rather, it underscores the fact
that as an OS with BSD Unix underpinnings, Mac OS X is at risk from
variants of the same types of malware that have long been used to
attack other Unix and Linux systems.
Overviews of what types of components are often included in
rootkits and what they attempt to allow someone to do include:
<http://netsecurity.about.com/cs/generalsecurity/g/def_rootkit.htm>
and
<http://searchsecurity.techtarget.com/gDefinition/0,294236,sid14_gci547279,00.html>
Regarding Rusty's question about how you might get this script onto
your computer in the first place, several comments in the MacInTouch
discussion note:
(quoting from a comment in the "opener" script itself):
>You need an admin level user name and password or physical access
>(boot from a CD or firewire, ignore permissions on the internal
>drive) to install this ...
and
>The attacker might be a local user, or it might be someone who
>gained access via a vulnerable network service, program, or other
>system vulnerability.
and
>I guess it could be installed secretly by a less than scrupulous
>shareware program.
I haven't yet seen any claims that a trojan which installs this
script currently exists in the wild. It wasn't evident how the
script got onto the machine of the person who originally posted to
the MacInTouch discussion.
Greg also noted:
>Generally, OS X machines are hackable like any other FreeBSD machine.
Very true. What appears to be interesting about "opener" is that
it was written specifically with Mac OS X in mind.
Aron Roberts
Workstation Software Support Group
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about MAGNet, its meetings and events, and its
mailing list, including information on subscribing and unsubscribing,
see the MAGNet Web site at <http://magnet.berkeley.edu/>.
Received on Fri Oct 22 15:58:31 2004