
October 25, 2004 6:20 AM PDT

Mac users face rare threat

A script-based threat that spies on Mac users caught the attention of some security watchers last week.

The malware, which has been dubbed Opener by Mac user groups, has the potential to disable Mac OS X's built-in firewall, steal personal information or destroy data. At the moment, however, it seems to pose little danger.

Security experts say those threatening traits are common among the thousands of online threats targeting Microsoft's ubiquitous Windows operating system but are virtually unheard of on Apple Computer's Mac OS.

Paul Ducklin, Sophos' head of technology in the Asia-Pacific region, said that the software, which Sophos calls Renepo, is designed to affect Mac OS X drives connected to an infected system and that it leaves affected computers vulnerable to further attack.


Another concept virus...
by quantum0726 October 25, 2004 7:55 AM PDT
So this sounds a lot like the iTunes concept virus that allowed a
program to masquerade as an mp3 file. Opening the file would
run a small script in the file's header that could do possible
damage. Of course without entering an admin password the
worst it could do was delete your home directory. Plus, like this
one, it has to be manually run. It can't be spread through some
kind of automatic method. I think this is trying to exploit the
stereotypical mac user stupidity rather than an OS X exploit.
And the virus companies are making it a big issue because they
want to get Mac users to buy virus protection software. Well,
I've been running my Mac for nearly a year with the best virus
protection software on the market...OS X 10.3! :P
Such poor coverage
by October 25, 2004 8:29 AM PDT
For some thoughts on opener, see:

http://das.doit.wisc.edu/opener.txt

And my letter to the editor, for what it's worth:

Your article,
<http://www.zdnet.com.au/news/security/0,2000061744,39164062,00.htm>,
carried in syndication at
<http://news.com.com/2100-7349_3-5424883.html>,
contains some misleading inaccuracies.

First, Mac OS X has been able to run shell scripts since its
introduction over three and a half years ago. The article makes it
sound as if this is a new "threat".

Second, the script needs local administrative/root level access,
or physical access, to even be installed. There is no means or
vector of remote or automated spread or propagation of any
kind.

Third, the article incorrectly implies via a quote that there's no
way users can protect themselves, as if this is some kind of new,
devious threat. This represents the age old concept that
anything can be done to a machine if you have root-equivalent
or physical access, period. Including the installation of nefarious
scripts. Here's a piece of malware:

#!/bin/sh
sudo rm -rf ~

It deletes your home directory. The exact same methods and
mechanisms used with opener could be used to install/run this
script.

ZDNet and news.com could have taken the opportunity to
educate users about security best practices, which is EXACTLY
how you protect yourself from trojans or social engineering on
any platform: use strong passwords, don't let untrusted users
access your machine, lock your workstation when not in use,
keep your OS and antivirus software current, and don't run
software from untrusted/illegitimate sources, such as p2p/
warez networks.

Instead, you chose the path of scare-mongering and making it
appear, incorrectly, as if Macs are insecure because of this
specific script, or as if a trojan/social engineering attack is
anything new.

I'm very disappointed in your coverage. What could have been an
opportunity for accurate coverage was turned into a
sensationalized and inaccurate "Mac virus" story.

Regards,

Dave Schroeder
University of Wisconsin - Madison
Division of Information Technology
B263 Computer Science and Statistics
1210 West Dayton Street
Madison, Wisconsin 53706-1685
Email: das@doit.wisc.edu
Pager: das-pager@doit.wisc.edu
Pager: +1 800 449-4951
Phone: +1 608 265-4737
Re: Poor Coverage
by October 25, 2004 9:18 AM PDT
You're going to be pretty disappointed if you expect a site like C|NET to provide fair and balanced or in-depth coverage of technology news like this.

C|NET is on par with Fox News for its tendency to sensationalize and offer one-sided viewpoints.
I agree exactly
by October 26, 2004 12:16 AM PDT
I agree with this, it's not a virus, it's just a stupid script.

Let me write one.

---- virus.sh ----
echo Your system needs maintainance, please enter your admin password
sudo rm -r /
---- end ----

Run the file (I am not responsible for what it does.)

There, I have written something worse than the above-mentioned virus.
NOT A VIRUS
by October 25, 2004 8:59 AM PDT
This is NOT a virus. This is NOT a "script-based threat." It's a
script. Period. It is also an example of extremely poor reporting
by c|net - but what should we expect, when it's part owned by
Microsoft? Mac people have a term for this kind of "reporting:"
F.U.D. I forget what it stands for, fear something and something.

This script (and any script which could harm your system)
requires root authorization to take effect, which means that the
user has to run it himself. I'll repeat that: the user has to run it
himself. Now, if you run executable programs that damage your
own computer, I don't think the program is the security threat - I
think you are.
Of course it is
by October 25, 2004 10:28 AM PDT
Of course it is a virus
Root kit, not malware
by chassoto--2008 October 25, 2004 9:42 AM PDT
Malware implies that the thing is presented as something
beneficial, but is in fact malicious. This guy got hacked,
someone strung together existing Unix-based code (opener
and john the ripper) to create a little root kit. This further
emphasized the fact that all computer systems require
information security management techniques to remain secure.
Not even a "rootkit"
by October 25, 2004 10:13 AM PDT
A rootkit is something that *gains* access the attacker wouldn't
otherwise have, such as elevating privileges when there is some
other lower level of access to the machine.

Conversely, this *requires* root/admin or physical access to
even install it! So it's not even a rootkit...it shares some other
features with rootkits, but not the primary one, which is a tool to
elevate privileges or otherwise obtain access.
Yes, you're correct
by October 25, 2004 12:32 PM PDT
By default, the primary user or owner of a Mac OS X machine
would be in a group called "admin", which has the ability to have
root- and root-like access to the machine. And yes, a trojan
horse that is masquerading as something else could prompt for
such access and install a script like this. But that's the point: if
you don't get your software from untrusted sources (e.g., warez
and p2p networks - the chances of a "legitimate" piece of
software being compromised are vanishingly small, and it would
be discovered quickly; therefore, any impact would be
negligible overall) and don't allow untrusted users access to your
machine, and follow normal security practices, this is a non-
issue.
Whoops
by October 25, 2004 12:32 PM PDT
This should have been posted as a reply to the previous
comment, titled "MAC".
New Mac Virus? LOL!
by d0ul0s98 October 25, 2004 10:01 PM PDT
Just so everyone is on the same page, a SCRIPT exists that could
damage your mac. How exciting. This ASSUMES that you decided
that you needed to RUN the script on your computer (an action
that directly requires your password and EXPRESS authorization
in order to run). However, according to the article, the script
isn't even a threat yet, but COULD be. oh no, all mac users
should be afraid and switch back to WINDOZE and update
antivirus software for virus v1.xx to attack your computer
without you even knowing it. CNET might be a tad biased in this
article, what do you think?
Tabloid Scary
by jbelkin October 26, 2004 12:40 AM PDT
Yea, everyone wants to be the first to break the news there's a virus, spyware, malware or trojan on the mac but if someone can sit down at your machine and load this, you have bigger problems than a keystroke recorder. If they can sit down at your machine and log on - why not just steal the whole Mac or take the HDD? It's NOT a REAL virus, malware, trojan if it cannot be transmitted through the internet or by disc - just like identity theft is different than robbery where they stand there holding a gun to your head.

I know it's much more fun to run bold headlines so Windows users might feel better but unless you run an internet cafe and do your work on the same public machine, your odds of getting robbed are actually worse - no Mac OSX user has been jobbed by this but I'm sure some of us out there have been robbed.
Basic security
by krosha--2008 October 26, 2004 2:40 AM PDT
Virus? Nah. Face it, if you don't know what something is or does, don't run it. Anyone downloading stuff off P2P or warez sites gets what they deserve anyway.

That this needs admin access to install takes 95% of the bite out of it. No-one who is not IT savvy should be running as an admin anyway. Ideally, no-one not IT savvy should even know the admin password for their mac, or if they do, they should have been thoroughly terrified into never wanting to use it. But that's the province of BOFH's.

If it was a genuine worm, I'd be more concerned. As it requires user-stupidity, I'm concerned enough to warn my users, at least those with portables. As it requires admin access, I'm not concerned for the rest of them, cos they can't install it, even if they are stupid enough to try.
the development process etc...
by November 21, 2004 1:23 PM PST
When you configure your mac the account that you first set up is
an admin account, so most users DO in fact, have access to
admin accounts. Did you mean root? Because if so, then yes, non
computer savvy folk should not mess around with the root
account, and most don't even know there IS such a thing (Which
could be good for them). Also, I haven't seen any links to the
source on this thread, maybe I'm just blind, but here it is:
http://freaky.staticusers.net/ugboard/viewtopic.php?t=10712&postdays=0&postorder=asc&start=15

Originally created by DimBulb, but he had loads of help from
ktheman and lots of others... go to page 13 to see the final, as
the copy on page 1 has loads of flaws. Enjoy.

lastly, this article should include that macs are, in fact,
amazingly secure, as the only working mac virus is for OS 7. And
if you have OS 7, you deserve it.

-Charre