View Full Version : New Mac Virus?
Poeben
Oct 22, 2004, 03:22 PM
Found this news over at macintouch (http://macintouch.com)
Opener (http://www.macintouch.com/opener.html), a new report, covers in much more detail the Mac malware noted yesterday. It's a very nasty piece of work ("rootkit"), designed to surreptitiously "crack" and control your computer, using Mac OS X features to maximum advantage and hiding from such programs as Little Snitch. It may not yet have an effective way to infect other Macs across a network, and may not yet be widespread "in the wild", but it's craftily designed to extract and transmit critical information from any computer on which it runs. Readers describe the program's origins and offer tips for identifying it.
Don't know the accuracy of this, but it sounds like it could be the first real example of a Mac virus.
Windowlicker
Oct 22, 2004, 03:43 PM
Sounds like there could be yet another security update coming out from Apple soon if this information is accurate.
SiliconAddict
Oct 22, 2004, 04:03 PM
Interesting. If true, please be sure to increase your Anti-Mac defense shields to high, because every Windows user on the planet is going to be rubbing it into Mac users' faces. Even though one virus does not make a platform insecure. 30, 100, 1,000, or something that can propagate from system to system with no user intervention is another matter.
Call me crazy but I actually see this as a good thing.
Stop with the bug eyed look damn it!
I mean it. This means OS X has permeated the ranks of Mac users enough to the point that it's tempting script/virus writers and is attracting enough outside attention that said writers are turning their eye to the Mac platform.
Blue Velvet
Oct 22, 2004, 04:39 PM
Call me crazy but I actually see this as a good thing...
Well, that's reassuring, then :)
As it is reported to do all this & more:
Opener tries to install ohphoneX, a teleconferencing program - for spying on you through your webcam I'm sure.
It kills LittleSnitch before every Internet connection it makes
It installs a keystroke recorder
Allows backdoor access in case someone deletes the hidden account
Grabs the open-firmware password
Installs OSXvnc
Grabs your office 2004 PID (serial number), as well as serial numbers for Mac OS XServer, adobe registrations, VirtualPC 6, Final Cut Pro, LittleSnitch, Apple Pro Apps, your DynDNS account, Timbuk2, and webserver users to name a few.
It tries to decrypt all the MD5 encrypted user passwords
Decrypts all users keychains.
Grabs your AIM logs, and tons of other settings and preferences with info you probably don't want folks to have... even your bash (terminal) history
Grabs stuff from your Classic preferences
Changes your Limewire settings to max out your upload and files.
The hidden user account is called LDAP-daemon instead of the name hacker used in earlier versions. Looks more innocent than hacker.
Even has your daily cron task try to get your password from the virtual memory swapfile
It installs an app called John The Ripper - a password cracker that uses a dictionary method to crack passwords
installs dsniff to sniff for passwords...
Oh god, all those poor people that we've been telling not to worry about viruses on these forums... they'll be getting twitchy now.
yellow
Oct 22, 2004, 04:40 PM
Eeeeehhh... I wouldn't be too scared by this. This is more of a Trojan Horse than a virus. One would still have to download the installer and enter an admin password to install it. If, those of you who are reading this, you get paranoid about this, invest some time and energy into installing and learning to use Tripwire (http://www.macguru.net/~frodo/Tripwire-osx.html).
SiliconAddict
Oct 22, 2004, 04:45 PM
This is more of a Trojan Horse than a virus. One would still have to download the installer and enter an admin password to install it. If, those of you who are reading this, you get paranoid about this, invest some time and energy into installing and learning to use Tripwire (http://www.macguru.net/~frodo/Tripwire-osx.html).
Dang. That has to be one of the cooler apps I've seen. Even though it's not overly complex in what it does, the resulting files look useful, esp. for building scripts on top of that that will monitor for X activity. Thanks. *adds it to his list o' apps to install whenever he gets his G5 PowerBook* :)
varmit
Oct 22, 2004, 05:35 PM
Is this still something that someone has to forcefully send and then forcefully open and use, or can it hide in normal files like PC viruses? This sounds more like a rogue program that does nasty stuff; a virus can propagate and spread itself to other computers. He never says how he got the virus, but it was probably P2P.
yellow
Oct 22, 2004, 06:01 PM
Thanks
No problem. I should add that the safest (and best) time to install Tripwire is right after a fresh OS install and (to save a headache) getting all your OS updates. After that.. it's Game On!
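The Tripwire approach the two posts above recommend (take a baseline of a clean system, then compare later runs against it) can be sketched in a few dozen lines. This is an added illustration, not Tripwire's code and not part of the original thread; the file tree it builds is constructed sample data, and the tampering it applies mirrors what the posts describe (a replaced binary, a changed permission, an extra hidden file) so the report shows how each case surfaces.

```python
"""Minimal Tripwire-style file integrity baseline and check (added example)."""
import hashlib
import json
import os
import stat
import tempfile


def _file_record(path):
    """Describe one path: ownership, mode, size and (for regular files) a SHA-256."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)  # a redirected symlink is a change too
    return rec


def build_baseline(root):
    """Walk the tree (without following symlinks) and record every file."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = _file_record(full)
    return baseline


def save_baseline(baseline, path):
    # In real use the baseline lives on read-only or offline media, as the
    # posts above imply: an attacker with root can otherwise rewrite it.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Report paths that were added, removed or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(path, data, mode=None):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    if mode is not None:
        os.chmod(path, mode)


def demo():
    """Constructed scenario: baseline a small fake system tree, tamper, re-check."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(os.path.join(root, "bin", "ls"), b"#!/bin/sh\nexec /bin/ls \"$@\"\n", 0o755)
        _write(os.path.join(root, "etc", "passwd"), b"root:*:0:0:System Administrator:/var/root:/bin/sh\n", 0o644)
        _write(os.path.join(root, "etc", "hosts"), b"127.0.0.1 localhost\n", 0o644)
        bfile = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), bfile)  # taken while the tree is clean
        # Tampering of the kinds described in the thread (all constructed here):
        _write(os.path.join(root, "bin", "ls"), b"#!/bin/sh\ncat ~/.bash_history\nexec /bin/ls \"$@\"\n", 0o755)
        os.chmod(os.path.join(root, "etc", "passwd"), 0o600)   # metadata-only change
        _write(os.path.join(root, "etc", ".hidden"), b"x\n", 0o600)  # dropped file
        os.remove(os.path.join(root, "etc", "hosts"))          # deleted file
        return compare(load_baseline(bfile), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```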
MisterMe
Oct 22, 2004, 06:31 PM
Is this still something that someone has to forcefully send and then forcefully open and use, or can it hide in normal files like PC viruses? This sounds more like a rogue program that does nasty stuff; a virus can propagate and spread itself to other computers. He never says how he got the virus, but it was probably P2P.
It's nothing like a PC virus. For one thing, it is not a virus. This thing is a shell script. A user with administrative privileges has to download it, install it, and execute it. In order for it to do damage, the user must use his or her administrative password to permit it. If you are that stupid, computer malware is the least of your problems.
PlaceofDis
Oct 22, 2004, 09:51 PM
Anyone know yet what type of file this downloads as? I know there was that MS Word Trojan, but what kind of file does this hide as?
Golem
Oct 22, 2004, 10:22 PM
They haven't yet discovered how he got it. It could be as simple as someone else walking up to his computer and installing it. But it is something that needs installing.
They did mention it's a bad thing to have your email password and your machine password the same.
Axeon
Oct 22, 2004, 10:29 PM
Dismissing this as unimportant because it is not a virus is ridiculous, and shows the hubris of the typical Mac-o-phile (common on boards such as these). I run a Linux server and have experienced the horrors of a rootkit. We had to throw away the hard drive and have a new one installed. I'd say the cause of it is incorrectly CHMODded root paths that were exploited, combined with an inefficient firewall (and possibly an outdated kernel).
Does OS X support software like chkrootkit? If they don't, they should. One could set up a crontab for it to run daily and have a log placed in a special folder. This could help maximize security. Regardless, having a compromised machine is pretty bad, as it can allow for that machine to launch distributed denial of service attacks against other machines.
nagromme
Oct 22, 2004, 10:44 PM
Bottom line from my reading:
* It's NOT a virus. Someone wrote to MacInTouch calling it that, but it's not. It can't spread.
* The person's machine was compromised by someone with admin access--maybe physically seated at the machine. Maybe the user was convinced to install it themselves under the guise of something else--a Trojan Horse. We may never know.
* This IS "malware," like lots of other rotten things you could do if you were given physical access--or an admin password--to a machine. You could be less subtle and just erase the hard drive.
* This is not new. It's been documented for months on Mac because it (actually a whole set of apps/techniques) already existed for other UNIXes.
When I first read at MacInTouch, I was alarmed enough to change my password :) Good habit anyway. But this is about doing evil AFTER a machine has been broken into, NOT about breaking in in the first place.
In other words, no news. That's good news. We'll have viruses one day (a tiny fraction compared to Windows) but this is not that day.
Now, learning HOW the person's machine was compromised would be nice--that could be important--but we may simply never hear. I hope we do, and I hope it's a user leaving a password written on a post-it note :) Maybe it was broken into by some new flaw--but there's no evidence of that so far.
Feel free to add more details/corrections to my oversimplification. But that's the layman's explanation as near as I can tell.
nagromme
Oct 22, 2004, 10:55 PM
Dismissing this as unimportant because it is not a virus is ridiculous, and shows the hubris of the typical Mac-o-phile
Assuming that's not trolling... nobody would suggest it's entirely UNimportant. It is, however, much LESS important than a virus: capable of doing the same things PLUS actually spreading. The distinction is significant.
I think you may be seeing stereotypes because you expect them. An easy pitfall for anyone :)
(Also, do you have evidence for your theories about root paths/outdated kernel/etc.? I won't pretend to be an expert, but it seems to me that there are lots of ways someone could gain access to install these things. I don't see how we know enough to pinpoint how the user was compromised--the email report at MacInTouch was really quite brief. So what leads you to those issues vs. other ones? I'd like to know more.)
PlaceofDis
Oct 22, 2004, 11:07 PM
Quick question, I'll post here instead of opening another thread.
I was in the process of creating a new account on my computer. I want this to be a standard account capable of doing everything an admin can, except install software. Is there anything special I have to do to have it set up this way?
Blue Velvet
Oct 22, 2004, 11:14 PM
Quick question, I'll post here instead of opening another thread.
I was in the process of creating a new account on my computer. I want this to be a standard account capable of doing everything an admin can, except install software. Is there anything special I have to do to have it set up this way?
I thought that you needed an admin password to install any application anyway? Or logged in as admin...
PlaceofDis
Oct 22, 2004, 11:16 PM
I thought that you needed an admin password to install any application anyway? Or logged in as admin...
Exactly, I only want my account to be able to install the stuff. I don't want my roomie, who is going to be using my computer a little, to be able to install stuff that I don't know about, etc. etc.
Blue Velvet
Oct 22, 2004, 11:21 PM
So... I guess the answer to your question is No, you don't have to do anything special...
You could always set up the account, give it a password and try it out for yourself.
There are restrictions you can place on the account, however.
PlaceofDis
Oct 22, 2004, 11:22 PM
Ah cool, I didn't know if that was one of the restrictions I had to put on the account when creating it.
SiliconAddict
Oct 23, 2004, 12:37 AM
If you are that stupid
Right there is your first clue that it could succeed in the correct circumstances. It's called social engineering, my friend, and can be as simple as an e-mail that looks harmless enough because it's from someone you know but whose contents are far from it.
This is what has always worried me about OS X and MOS. Overconfidence in the OS. It's a given that default rights in X are 10 times stronger, prob more, than in Windows, but a virus is simply a program that runs on a computer just like any other. It simply needs root. And if for some reason it can convince a user that yes, it really does need your username and password, because hey! There aren't any viruses on X, so what harm can come from it, right?, it owns you, which in turn makes me wonder how far it can go from there. Install an SMTP engine, read your address book, scan your files for @x.com addresses to replicate itself to? Etc.
Until an OS is smart enough to distinguish malicious intent from user-made configurations and nuke it from orbit before it can do anything, OS X, along with every other OS on the planet, will still be susceptible to viruses in one form or another.
Rower_CPU
Oct 23, 2004, 02:05 AM
...
I run a Linux server and have experienced the horrors of a rootkit. We had to throw away the hard drive and have a new one installed.
...
I find this statement extremely odd - a simple reformatting of the drive should have solved your problem if the system was irrecoverable. I've never heard of an OS being hacked so hard it had a degenerative effect on the physical media upon which it was installed.
J.Allen
Oct 23, 2004, 03:17 AM
New Mac Virus?
It's called Norton Anti-Virus
Abstract
Oct 23, 2004, 04:44 AM
They did mention it's a bad thing to have your email password and your machine password the same.
Oh God, I'm doomed!! :eek:
aswitcher
Oct 23, 2004, 04:58 AM
There's a new Virex update... I am downloading and running that now. Here's hoping this is not really a problem...
yellow
Oct 23, 2004, 06:47 AM
FYI folks, don't look for a "patch" from Apple on this, unless someone discovers a way that this thing is installed via a security hole.
space2go
Oct 23, 2004, 07:25 AM
Patching layer 8 problems is quite easy. But most countries have laws against it.
MisterMe
Oct 23, 2004, 07:59 AM
Right there is your first clue that it could succeed in the correct circumstances. It's called social engineering, my friend, and can be as simple as an e-mail that looks harmless enough because it's from someone you know but whose contents are far from it.
This is what has always worried me about OS X and MOS. Overconfidence in the OS. It's a given that default rights in X are 10 times stronger, prob more, than in Windows, but a virus is simply a program that runs on a computer just like any other. It simply needs root. And if for some reason it can convince a user that yes, it really does need your username and password, because hey! There aren't any viruses on X, so what harm can come from it, right?, it owns you, which in turn makes me wonder how far it can go from there. Install an SMTP engine, read your address book, scan your files for @x.com addresses to replicate itself to? Etc.
Until an OS is smart enough to distinguish malicious intent from user-made configurations and nuke it from orbit before it can do anything, OS X, along with every other OS on the planet, will still be susceptible to viruses in one form or another.
What you are describing is a classic Windows exploit. On the victim's computer, it begins with autoexecuting email attachments. However, MacOS X has no autoexecuting email attachments. Neither does it have autoexecuting downloads. Therefore, any social engineering required to get the ignorant administrator to install MacOS X malware has to be external to the malware itself. As for installing an SMTP server and the other things, well, MacOS X ships with an SMTP server installed. It's called sendmail. Your hypothetical malware would simply have to trick sendmail into doing its bidding. The fact that it has not happened should be a strong hint that it is much harder to exploit vulnerabilities in MacOS X than to talk about them.
Off topic: I recently discovered a major new vector for possible Windows exploits. It's called Windows Media Player 10.
LimeiBook86
Oct 23, 2004, 08:16 AM
*gets scared, unplugs ethernet port... internet connection lost*
I think it will be fine if Apple acts quickly to update these things. They are usually good with these sorta things. :D
wtmcgee
Oct 23, 2004, 08:53 AM
A virus is a self-propagating script or program that requires no user intervention to spread to other computers. This, on the other hand, requires the user to a) download the program, b) run it, and c) enter their root password.
Malware, yes. Virus, no. You'll never truly be able to protect against this, as it's not a security issue, per se. Users just need to be more careful when installing and downloading software.
aarond12
Oct 23, 2004, 10:23 AM
I thought that you needed an admin password to install any application anyway? Or logged in as admin...
Exactly! You have to give the malware application your admin password to allow it to install these applications. In addition, each part of the installation may require the admin password to be re-entered.
If that doesn't raise some red flags in your book, then you deserve to have your system destroyed by this malware application.
I am going to cry "bulls--t" on the entire article, though. It sounds like FUD that some user posted. There is no proof, evidence, or furthering information that would lend to the validity of this story.
-Aaron-
broken_keyboard
Oct 23, 2004, 11:05 AM
It seems like a useful shell script for someone to run once they have broken into a system. To help them gather all the good stuff such as email addresses etc.
It won't actually help them break in in the first place.
Axeon
Oct 23, 2004, 11:15 AM
Rower_CPU: Since our server is based in Dallas, and we do not have physical access to it, the people who actually OWN the server (we lease) simply throw out hard drives instead of formatting them. The hard drives are cheap enough for this to be the easiest solution.
As for my statement about root paths/old kernel, my only justification for this is that it's the #1 reason why Linux servers are exploited via a rootkit. What this hacker did was fairly typical. Using an exploit in the OS, the hacker can place an executable file such as a rootkit (incorrect CHMOD permissions in root paths) and be able to launch it. I myself have little knowledge of how this works, as I have never tried it out, but I have suffered the consequences from it, and it is a common occurrence. While one could place a malicious executable file on a computer that is exploitable, one would NOT know the passwords for the root account. That is why your friend here used John the Ripper to brute-force password hashes (once again, I don't know much about Mac OS X, but I assume it encrypts passwords in a similar fashion as Linux).
As for my comment about Mac users, that was based on the comments I've read in this thread prior to my post, as well as posts I've found elsewhere regarding this subject.
yellow
Oct 23, 2004, 11:56 AM
That is why your friend here used John the Ripper to brute-force password hashes (once again, I don't know much about Mac OS X, but I assume it encrypts passwords in a similar fashion as Linux).
Jaguar's passwords are only hashed, Panther's passwords are hashed and shadowed.
Rower_CPU
Oct 23, 2004, 02:38 PM
Rower_CPU: Since our server is based in Dallas, and we do not have physical access to it, the people who actually OWN the server (we lease) simply throw out hard drives instead of formatting them. The hard drives are cheap enough for this to be the easiest solution.
...
I still doubt they simply throw hard drives away. It's much more likely that they swap in a new hard drive with the OS clean and ready to go and then rebuild the old hard drive. Hard drives aren't that disposable, unless you're paying a ton for that lease, in which case you're overpaying, since it seems they did a horrible job on your security.
nagromme
Oct 23, 2004, 02:54 PM
The number one thing I do as a Mac owner to deal with security:
When I want to download an app, unless it's from a very trusted source like Macromedia that I already have bookmarked, I do NOT click the link from where I heard about it. I go to VersionTracker or MacUpdate or MacGameFiles and find it there. Then I download IF and WHEN it has already been downloaded and tested by a lot of other people first :D Which is usually the case by the time I get around to checking a program out.
That way I'm not installing programs that are unknowns.
I use nonsense passwords that nobody knows, and I do Software Update as needed (again, after guinea pigs go first). I keep my OS X firewall on. Guests at my computer don't get admin access--I have a Guest User account.
And I check Mac news often enough that when a REAL virus comes along one day, I'll know. And then I'll get antivirus software. It doesn't seem worth the money ahead of time, since the virus definitions for Mac viruses don't exist yet anyway... by "definition" :)
As for not passing on Windows viruses to other Windows users... yes, Windows folks send me their viruses all the time. But I have no reason to forward those emails on to anyone else, so no need to do anything but delete them. (If I was the "go between" for a lot of Windows email users, then I'd get a virus-checker as a courtesy maybe.)
And then I sit back and watch with horror what my Windows friends have to go through--even the ones who DO have the time and knowledge to protect themselves. Worse yet the ones who don't.
solvs
Oct 23, 2004, 04:38 PM
As others have said, not a virus. Trojan maybe, but actually it just sounds like a "dial home" program. Like spyware. But you have to install it first.
Not saying it's not a problem overall, but not something you can't already do on any computer. It's not the fact that you can do something like this, it's getting on to the computer in the first place. Then self executing or propagating. If the program can't get on the computer and run, it can't do any harm. The only part that really worries me is the fact that it disables or goes under the radar of programs like Little Snitch. That's scary. Hopefully a patch for that is coming soon. Though I'm not sure exactly what more Apple could do for future problems like this.
gerardrj
Oct 23, 2004, 05:07 PM
I run a Linux server and have experienced the horrors of a rootkit. We had to throw away the hard drive and have a new one installed.
Then you are a fool or at least woefully ignorant. Simply re-writing the boot sector and re-partitioning will erase any and all remnants of malicious code from a drive. There is nothing a hacker can do to a drive with code that will permanently alter the drive so as to allow a re-infection after the drive is cleaned. Period.
In most cases, simply removing any "infected" files will eliminate the problem.
If you are running a Linux based server and are using ext2/3 filesystems, then I strongly suggest you learn about the lsattr and chattr commands, which allow you to make files immutable (they can't be changed). While immutable files are not 100% guaranteed safe, the method of removing the immutable flag is quite restricted.
aarond12
Oct 24, 2004, 10:49 AM
... then I strongly suggest you learn about the lsattr and chattr commands, which allow you to make files immutable (they can't be changed).
Speaking of that... why hasn't Apple or Micro$oft or anyone else put the CORE of their operating system on a read-only partition? It only makes sense. If viruses cannot get into the core of the operating system (Apple = Mach Kernel; Windows = Ring Zero) then they cannot do so much damage.
Funny thing is, when Windows 95 came out, they initially blocked access to Ring Zero-level access (as they did in Windows NT 3.51 and 4.0). However, Micro$oft succumbed to pressure from device driver authors and allowed access to Ring Zero. This opened the floodgates for virii.
-Aaron- :)
Axeon
Oct 24, 2004, 10:58 AM
Then you are a fool or at least woefully ignorant. Simply re-writing the boot sector and re-partitioning will erase any and all remnants of malicious code from a drive. There is nothing a hacker can do to a drive with code that will permanently alter the drive so as to allow a re-infection after the drive is cleaned. Period.
In most cases, simply removing any "infected" files will eliminate the problem.
If you are running a Linux based server and are using ext2/3 filesystems, then I strongly suggest you learn about the lsattr and chattr commands, which allow you to make files immutable (they can't be changed). While immutable files are not 100% guaranteed safe, the method of removing the immutable flag is quite restricted.
Oh, okay. So if the malicious hacker gained root access, rewrote every single system file on the hard drive, and then set up scripts to store login passwords, we should've just used these two commands? I guess the Linux experts we consulted, as well as the staff at EV1, disagree. But I guess they are all "woefully ignorant," but then again, what does this have to do with the topic?
Oh. Right. Nothing.
russed
Oct 24, 2004, 12:57 PM
Well, we have to be grateful this isn't a windoze forum, as there would probably be a thread like this every day saying "ooh look, another virus" :D
wdlove
Oct 24, 2004, 06:34 PM
Earthlink has been catching my messages lately at least 2 - 3 per week. It comes from an individual, but they say that there is no message inside. I just delete them. Just updated my Norton Antivirus last evening.
Golem
Oct 24, 2004, 09:15 PM
Speaking of that... why hasn't Apple or Micro$oft or anyone else put the CORE of their operating system on a read-only partition?
-Aaron- :)
You mean like a boot rom?:)
Operating systems aren't 100% bug-free, never changing. Even if they put more of the operating system on ROM, you need some method of patching it, and if Apple can patch it then theoretically a third party can patch it. Microsoft has hinted about heading this way with encryption, but then you don't really own your computer any more. I.e. if the operating system is set to always use Internet Explorer and you are prevented from changing that because of read-only/encryption/whatever, then it's not yours.
Having said that, in a way that is how it works now. The operating system is root and wheel. You the user cannot write to this as User unless you type your password!
cb911
Oct 25, 2004, 12:05 AM
Hey yellow, thanks for that linky to Tripwire. Looks interesting, I'll check it out. :)
LOL. This whole thing is kinda funny... here it goes again, people overstating the problem...
But reading about what that script does, it seems it would be useful to certain corporations... ;) :eek:
But nothing to be scared about, leave your ethernet cables where they are, leave your AirPort turned on. :p Best just to educate yourself about these things, which of course is a continuing process, then you'll have nothing to worry about. :cool: