New Mac Virus?

Discussion in 'General Mac Discussion' started by Poeben, Oct 22, 2004.

  1. Poeben macrumors 6502

    Joined:
    Jul 29, 2004
    #1
    Found this news over at macintouch

    Opener, a new report, covers in much more detail the Mac malware noted yesterday. It's a very nasty piece of work ("rootkit"), designed to surreptitiously "crack" and control your computer, using Mac OS X features to maximum advantage and hiding from such programs as Little Snitch. It may not yet have an effective way to infect other Macs across a network, and may not yet be widespread "in the wild", but it's craftily designed to extract and transmit critical information from any computer on which it runs. Readers describe the program's origins and offer tips for identifying it.


    Don't know the accuracy of this, but it sounds like it could be the first real example of a Mac virus.
     
  2. Windowlicker macrumors 6502a

    Windowlicker

    Joined:
    Feb 17, 2003
    Location:
    Finland
    #2
    Sounds like there could be yet another security update coming out from Apple soon if this information is accurate.
     
  3. SiliconAddict macrumors 603

    SiliconAddict

    Joined:
    Jun 19, 2003
    Location:
    Chicago, IL
    #3
    Interesting. If true, please be sure to increase your Anti-Mac defense shields to high because every Windows user on the planet is going to be rubbing it into Mac users' faces. Even though one virus does not make a platform insecure. 30, 100, 1,000, or something that can propagate from system to system with no user intervention is another matter.

    Call me crazy but I actually see this as a good thing.

    Stop with the bug eyed look damn it!

    I mean it. This means OS X has permeated the ranks of Mac users enough to the point that it's tempting script/virus writers and is attracting enough outside attention that said writers are turning their eye to the Mac platform.
     
  4. Blue Velvet Moderator emeritus

    Joined:
    Jul 4, 2004
    #4
    Well, that's reassuring, then :)

    As it is reported to do all this & more:

    Opener tries to install ohphoneX, a teleconferencing program - for spying on you through your webcam I'm sure.

    It kills LittleSnitch before every Internet connection it makes

    It installs a keystroke recorder

    Allows backdoor access in case someone deletes the hidden account

    Grabs the open-firmware password

    Installs OSXvnc

    Grabs your office 2004 PID (serial number), as well as serial numbers for Mac OS XServer, adobe registrations, VirtualPC 6, Final Cut Pro, LittleSnitch, Apple Pro Apps, your DynDNS account, Timbuk2, and webserver users to name a few.

    It tries to decrypt all the MD5 encrypted user passwords

    Decrypts all users keychains.

    Grabs your AIM logs, and tons of other settings and preferences with info you probably don't want folks to have... even your bash (terminal) history

    Grabs stuff from your Classic preferences

    Changes your Limewire settings to max out your upload and files.

    The hidden user account is called LDAP-daemon instead of the name 'hacker' used in earlier versions. Looks more innocent than 'hacker'.

    Even has your daily cron task try to get your password from the virtual memory swapfile

    It installs an app called John The Ripper - a password cracker that uses a dictionary method to crack passwords

    Installs dsniff to sniff for passwords...


    Oh god, all those poor people that we've been telling not to worry about viruses on these forums... they'll be getting twitchy now.
     
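Added example, not from the thread or from the Opener report: what the "John The Ripper" and "tries to decrypt ... MD5" lines in the list above mean in practice. A hash is not decrypted; the cracker hashes every candidate word from a wordlist and compares the result with the stolen hash, so only a password that appears in its dictionary falls. The wordlist and the two hashes below are constructed for the demo, and the script picks md5sum (GNU/Linux) or md5 (BSD, Mac OS X), whichever is installed.

```shell
#!/bin/sh
# Added example, not from the page: what a dictionary cracker such as the
# John the Ripper copy bundled with Opener actually does. An MD5 hash cannot
# be "decrypted"; the cracker hashes each candidate word and compares the
# result with the stolen hash, so only passwords in its wordlist fall.
# Uses md5sum (GNU/Linux) or md5 (BSD, Mac OS X), whichever exists.

# md5_of STRING : hex MD5 of exactly STRING (no trailing newline)
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | md5 -q
    fi
}

# dictionary_crack HASH WORDLIST : print the word whose MD5 is HASH and
# return 0; return 1 (nothing printed) when no word in WORDLIST matches.
dictionary_crack() {
    target=$1
    tried=0
    while IFS= read -r word || [ -n "$word" ]; do
        [ -n "$word" ] || continue
        tried=$((tried + 1))
        if [ "$(md5_of "$word")" = "$target" ]; then
            echo "matched after $tried candidates" >&2
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    echo "no match in $tried candidates" >&2
    return 1
}

# --- constructed demo data (a toy wordlist, not anyone's real passwords) ---
DEMO_WORDLIST=$(mktemp)
cat > "$DEMO_WORDLIST" <<'EOF'
password
letmein
macintosh
powerbook
EOF

# One hash of a word that is in the list, one of a passphrase that is not.
WEAK_HASH=$(md5_of "powerbook")
STRONG_HASH=$(md5_of "fog over the Bay at 7:15, 3rd Tuesday")

demo() {
    if found=$(dictionary_crack "$WEAK_HASH" "$DEMO_WORDLIST"); then
        echo "cracked:   $WEAK_HASH -> $found"
    fi
    if ! dictionary_crack "$STRONG_HASH" "$DEMO_WORDLIST" >/dev/null; then
        echo "uncracked: $STRONG_HASH (not in the wordlist)"
    fi
}
demo
```

The real tool is the same loop with a very large wordlist and mangling rules (case changes, appended digits), which is why the later remark in this thread about not reusing your e-mail password as your machine password matters: a reused or dictionary password is the only kind this method recovers.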
  5. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #5
    Eeeeehhh... I wouldn't be too scared by this. This is more of a Trojan Horse than a virus. One would still have to download the installer and enter an admin password to install it. If those of you who are reading this get paranoid about this, invest some time and energy into installing and learning to use Tripwire.
     
  6. SiliconAddict macrumors 603

    SiliconAddict

    Joined:
    Jun 19, 2003
    Location:
    Chicago, IL
    #6
    Dang. That has to be one of the cooler apps I've seen. Even though it's not overly complex in what it does, the resulting files look useful, especially for building scripts on top of that that will monitor for X activity. Thanks. *adds it to his list o' apps to install whenever he gets his G5 PowerBook* :)
     
  7. varmit macrumors 68000

    varmit

    Joined:
    Aug 5, 2003
    #7
    Is this still something that someone has to forcefully send and then forcefully open and use, or can it hide in normal files like PC viruses? This sounds more like a rogue program that does nasty stuff; a virus can propagate and spread itself to other computers. He never says how he got the virus, but it was probably P2P.
     
  8. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #8
    No problem. I should add that the safest (and best) time to install Tripwire is right after a fresh OS install and (to save a headache) getting all your OS updates. After that... it's Game On!
     
  9. MisterMe macrumors G4

    MisterMe

    Joined:
    Jul 17, 2002
    Location:
    USA
    #9
    It's nothing like a PC virus. For one thing, it is not a virus. This thing is a shell script. A user with administrative privileges has to download it, install it, and execute it. In order for it to do damage, the user must use his or her administrative password to permit it. If you are that stupid, computer malware is the least of your problems.
     
  10. PlaceofDis macrumors Core

    Joined:
    Jan 6, 2004
    #10
    Anyone know yet what type of file this downloads as? I know there was that MS Word Trojan, but what kind of file does this hide as?
     
  11. Golem macrumors 6502

    Joined:
    Jun 2, 2003
    Location:
    Sydney,Australia
    #11
    They haven't yet discovered how he got it. It could be as simple as someone else walking up to his computer and installing it. But it is something that needs installing.

    They did mention its a bad thing to have your email password and your Machine password the same.
     
  12. Axeon macrumors member

    Joined:
    Oct 12, 2004
    #12
    Dismissing this as unimportant because it is not a virus is ridiculous, and shows the hubris of the typical Mac-o-phile (common on boards such as these). I run a Linux server and have experienced the horrors of a rootkit. We had to throw away the hard drive and have a new one installed. I'd say the cause of it is incorrectly chmodded root paths that were exploited, combined with an inefficient firewall (and possibly an outdated kernel).

    Does OS X support software like chkrootkit? If it doesn't, it should. One could set up a crontab for it to run daily and have a log placed in a special folder. This could help maximize security. Regardless, having a compromised machine is pretty bad, as it can allow for that machine to launch distributed denial of service attacks against other machines.
     
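Added example, not from the thread and not Tripwire's or chkrootkit's own code: the core of what the Tripwire advice in posts #5 and #8 and the daily cron idea in post #12 amount to, in plain shell. You take a baseline of file hashes on a known-clean system (right after a fresh install and all updates, as #8 says), then compare the live tree against it later and report what was added, removed or modified. The fake system tree and the "trojaned" files are constructed for the demo; the script uses sha256sum (GNU/Linux) or shasum (Mac OS X), whichever is present.

```shell
#!/bin/sh
# Added example, not from the page: the core of what Tripwire does, in plain
# shell. Record a baseline of file hashes on a known-clean system, then
# compare the live tree against it later and report ADDED/MODIFIED/REMOVED.
# Uses sha256sum (GNU/Linux) or shasum (Mac OS X), whichever exists.

# hash_file PATH : print "hash  path" in the sha256sum output format
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# hash_tree DIR : one "hash  path" line per regular file under DIR, sorted
# (assumes no newlines in file names; good enough for system directories)
hash_tree() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        hash_file "$f"
    done
}

# baseline DIR DB : take the snapshot. Do this right after a fresh install
# and all OS updates, then keep DB somewhere the machine cannot write to.
baseline() {
    hash_tree "$1" > "$2"
}

# verify DIR DB : print "ADDED|MODIFIED|REMOVED path" lines; return 1 if any
verify() {
    now=$(mktemp)
    hash_tree "$1" > "$now"
    changes=$(awk -v base="$2" '
        # path is everything after the hash and the two separating spaces
        { p = substr($0, length($1) + 3) }
        FILENAME == base { old[p] = $1; next }
        { seen[p] = 1
          if (!(p in old))        print "ADDED    " p
          else if (old[p] != $1)  print "MODIFIED " p }
        END { for (p in old) if (!(p in seen)) print "REMOVED  " p }
    ' "$2" "$now" | LC_ALL=C sort)
    rm -f "$now"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# --- constructed demo: a tiny fake system tree in a temp dir ---
demo() {
    root=$(mktemp -d)
    db=$(mktemp)
    mkdir -p "$root/usr/bin" "$root/etc"
    printf 'the real ls binary\n' > "$root/usr/bin/ls"
    printf 'Port 22\n'            > "$root/etc/sshd_config"
    baseline "$root" "$db"                      # snapshot of the clean tree

    # simulate a rootkit install: replace a system binary, drop a new one
    printf 'trojaned ls\n' > "$root/usr/bin/ls"
    printf 'backdoor\n'    > "$root/usr/bin/backdoor"   # constructed name

    verify "$root" "$db" | sed "s|$root||"      # strip the temp-dir prefix
    rm -rf "$root" "$db"
}
demo
```

To run it unattended the pattern is a crontab line such as `0 3 * * * /usr/local/sbin/verify-fim.sh >> /var/log/fim.log 2>&1` (hypothetical path and log). The caveat a practitioner wants: once something has root it can alter the checker, the baseline and cron itself, so the baseline belongs on read-only media and the comparison is only trustworthy when run from a clean boot.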
  13. nagromme macrumors G5

    nagromme

    Joined:
    May 2, 2002
    #13
    Not a virus, nor a flaw

    Bottom line from my reading:

    * It's NOT a virus. Someone wrote to MacInTouch calling it that, but it's not. It can't spread.

    * The person's machine was compromised by someone with admin access--maybe physically seated at the machine. Maybe the user was convinced to install it themselves under the guise of something else--a Trojan Horse. We may never know.

    * This IS "malware," like lots of other rotten things you could do if you were given physical access--or an admin password--to a machine. You could be less subtle and just erase the hard drive.

    * This is not new. It's been documented for months on Mac because it (actually a whole set of apps/techniques) already existed for other UNIXes.

    When I first read at MacInTouch, I was alarmed enough to change my password :) Good habit anyway. But this is about doing evil AFTER a machine has been broken into, NOT about breaking in in the first place.

    In other words, no news. That's good news. We'll have viruses one day (a tiny fraction compared to Windows) but this is not that day.

    Now, learning HOW the person's machine was compromised would be nice--that could be important--but we may simply never hear. I hope we do, and I hope it's a user leaving a password written on a post-it note :) Maybe it was broken into by some new flaw--but there's no evidence of that so far.

    Feel free to add more details/corrections to my oversimplification. But that's the layman's explanation as near as I can tell.
     
  14. nagromme macrumors G5

    nagromme

    Joined:
    May 2, 2002
    #14
    Assuming that's not trolling... nobody would suggest it's entirely UNimportant. It is, however, much LESS important than a virus: capable of doing the same things PLUS actually spreading. The distinction is significant.

    I think you may be seeing stereotypes because you expect them. An easy pitfall for anyone :)

    (Also, do you have evidence for your theories about root paths/outdated kernel/etc.? I won't pretend to be an expert, but it seems to me that there are lots of ways someone could gain access to install these things. I don't see how we know enough to pinpoint how the user was compromised--the email report at MacInTouch was really quite brief. So what leads you to those issues vs. other ones? I'd like to know more.)
     
  15. PlaceofDis macrumors Core

    Joined:
    Jan 6, 2004
    #15
    Quick question I'll post here instead of opening another thread.

    I was in the process of creating a new account on my computer. I want this to be a standard account capable of doing everything an admin can, except install software. Is there anything special I have to do to have it set up this way?
     
  16. Blue Velvet Moderator emeritus

    Joined:
    Jul 4, 2004
    #16
    I thought that you needed an admin password to install any application anyway? Or logged in as admin...
     
  17. PlaceofDis macrumors Core

    Joined:
    Jan 6, 2004
    #17
    Exactly. I only want my account to be able to install the stuff; I don't want my roomie, who is going to be using my computer a little, to be able to install stuff that I don't know about, etc. etc.
     
  18. Blue Velvet Moderator emeritus

    Joined:
    Jul 4, 2004
    #18
    So... I guess the answer to your question is No, you don't have to do anything special...

    You could always set up the account, give it a password and try it out for yourself.

    There are restrictions you can place on the account, however.
     
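Added example, not from the thread: a small audit script covering the two account questions raised above, namely the hidden LDAP-daemon user listed in post #4 and the admin-versus-standard distinction in posts #15 to #18 (on Mac OS X an account can authorise installs only if it is in the "admin" group, gid 80). It reads passwd- and group-format text, which on Mac OS X 10.3 you get from `nidump passwd .` and `nidump group .` (an assumption about the tool of that era; on Linux/BSD read /etc/passwd and /etc/group), and compares it against a list of accounts you wrote down while the machine was known-good. All sample data below is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the page. Audits an account database for an extra
# account that should not exist (the thread's hidden "LDAP-daemon" user), a
# second UID-0 account, and accounts holding admin rights that you did not
# grant. Input: passwd/group format (nidump passwd . / nidump group . on
# Mac OS X 10.3, /etc/passwd and /etc/group elsewhere; an assumption here).

# extra_uid0 PASSWD : any account other than root with UID 0 is a second root
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# unexpected_accounts PASSWD EXPECTED : login names not in the EXPECTED list
# (one name per line, written down when the machine was known-good)
unexpected_accounts() {
    awk -F: -v listfile="$2" '
        BEGIN { while ((getline name < listfile) > 0) ok[name] = 1 }
        !($1 in ok) { print $1 }
    ' "$1"
}

# admin_members GROUP PASSWD : accounts that can authorise installs, i.e.
# members of the "admin" group or whose primary group is admin (gid 80)
admin_members() {
    {
        awk -F: '$1 == "admin" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$1"
        awk -F: '$4 == 80 { print $1 }' "$2"
    } | LC_ALL=C sort -u
}

# audit PASSWD GROUP EXPECTED_USERS EXPECTED_ADMINS : one finding per line
audit() {
    {
        extra_uid0 "$1"               | sed 's/^/EXTRA-UID0 /'
        unexpected_accounts "$1" "$3" | sed 's/^/UNEXPECTED /'
        admin_members "$2" "$1" | grep -v -x -F -f "$4" | sed 's/^/UNEXPECTED-ADMIN /'
    } | LC_ALL=C sort
}

# --- constructed sample data, not output from anyone's real machine ---
PASSWD=$(mktemp); GROUP=$(mktemp); USERS=$(mktemp); ADMINS=$(mktemp)
cat > "$PASSWD" <<'EOF'
root:*:0:0:System Administrator:/var/root:/bin/sh
alice:*:501:20:Alice (owner):/Users/alice:/bin/bash
roomie:*:502:20:Roommate:/Users/roomie:/bin/bash
toor:*:0:0:spare root:/var/root:/bin/sh
LDAP-daemon:*:503:503:LDAP-daemon:/private/var/LDAP-daemon:/bin/sh
EOF
cat > "$GROUP" <<'EOF'
admin:*:80:root,alice,LDAP-daemon
staff:*:20:root
EOF
printf 'root\nalice\nroomie\n' > "$USERS"    # accounts you created yourself
printf 'root\nalice\n' > "$ADMINS"           # the only ones allowed to install

audit "$PASSWD" "$GROUP" "$USERS" "$ADMINS"
```

With the sample data the report is four lines: toor as an extra UID 0 and as an unexpected account, and LDAP-daemon as an unexpected account and as an unexpected admin. The roomie account from post #17 is listed as a user but not as an admin, which is exactly the "can use the machine but cannot install" arrangement being asked about.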
  19. PlaceofDis macrumors Core

    Joined:
    Jan 6, 2004
    #19
    Ah cool, I didn't know if that was one of the restrictions I had to put on the account when creating it.
     
  20. SiliconAddict macrumors 603

    SiliconAddict

    Joined:
    Jun 19, 2003
    Location:
    Chicago, IL
    #20
    Right there is your first clue that it could succeed in the correct circumstances. It's called social engineering, my friend, and can be as simple as an e-mail that looks harmless enough because it's from someone you know but whose contents are far from it.

    This is what has always worried me about OS X and MOS. Overconfidence in the OS. It's a given that default rights in X are 10 times stronger, prob more, than in Windows, but a virus is simply a program that runs on a computer just like any other. It simply needs root. And if for some reason it can convince a user that yes, it really does need your username and password, because hey! There aren't any viruses on X so what harm can come from it, right?, it owns you, which in turn makes me wonder how far it can go from there. Install an SMTP engine, read your address book, scan your files for @x.com addresses to replicate itself to? Etc.
    Until an OS is smart enough to distinguish malicious intent from user-made configurations and nuke it from orbit before it can do anything, OS X, along with every other OS on the planet, will still be susceptible to viruses in one form or another.
     
  21. Rower_CPU Moderator emeritus

    Rower_CPU

    Joined:
    Oct 5, 2001
    Location:
    San Diego, CA
    #21
    I find this statement extremely odd - a simple reformatting of the drive should have solved your problem if the system was irrecoverable. I've never heard of an OS being hacked so hard it had a degenerative effect on the physical media upon which it was installed.
     
  22. J.Allen macrumors member

    Joined:
    Oct 12, 2004
    Location:
    Adelaide, South Australia
    #22
    It's called Norton Anti-Virus
     
  23. Abstract macrumors Penryn

    Abstract

    Joined:
    Dec 27, 2002
    Location:
    Location Location Location
    #23
    Oh God, I'm doomed!! :eek:
     
  24. aswitcher macrumors 603

    aswitcher

    Joined:
    Oct 8, 2003
    Location:
    Canberra OZ
    #24
    There's a new Virex update... I am downloading and running that now. Here's hoping this is not really a problem...
     
  25. yellow Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #25
    FYI folks, don't look for a "patch" from Apple on this, unless someone discovers a way that this thing is installed via a security hole.
     
