
Poeben

macrumors 6502
Original poster
Jul 29, 2004
346
0
Found this news over at MacInTouch

Opener, a new report, covers in much more detail the Mac malware noted yesterday. It's a very nasty piece of work ("rootkit"), designed to surreptitiously "crack" and control your computer, using Mac OS X features to maximum advantage and hiding from such programs as Little Snitch. It may not yet have an effective way to infect other Macs across a network, and may not yet be widespread "in the wild", but it's craftily designed to extract and transmit critical information from any computer on which it runs. Readers describe the program's origins and offer tips for identifying it.


Don't know the accuracy of this, but it sounds like it could be the first real example of a Mac virus.
 

SiliconAddict

macrumors 603
Jun 19, 2003
5,889
0
Chicago, IL
Interesting. If true, please be sure to increase your Anti-Mac defense shields to high, because every Windows user on the planet is going to be rubbing it in Mac users' faces, even though one virus does not make a platform insecure. 30, 100, 1,000, or something that can propagate from system to system with no user intervention is another matter.

Call me crazy but I actually see this as a good thing.

Stop with the bug eyed look damn it!

I mean it. This means OS X has permeated the ranks of Mac users enough to the point that it’s tempting script/virus writers and is attracting enough outside attention that said writers are turning their eye to the Mac platform.
 

Blue Velvet

Moderator emeritus
Jul 4, 2004
21,929
265
SiliconAddict said:
Call me crazy but I actually see this as a good thing...

Well, that's reassuring, then :)

As it is reported to do all this & more:

Opener tries to install ohphoneX, a teleconferencing program - for spying on you through your webcam I'm sure.

It kills LittleSnitch before every Internet connection it makes

It installs a keystroke recorder

Allows backdoor access in case someone deletes the hidden account

Grabs the open-firmware password

Installs OSXvnc

Grabs your office 2004 PID (serial number), as well as serial numbers for Mac OS XServer, adobe registrations, VirtualPC 6, Final Cut Pro, LittleSnitch, Apple Pro Apps, your DynDNS account, Timbuk2, and webserver users to name a few.

It tries to decrypt all the MD5 encrypted user passwords

Decrypts all users keychains.

Grabs your AIM logs, and tons of other settings and preferences with info you probably don't want folks to have... even your bash (terminal) history

Grabs stuff from your Classic preferences

Changes your Limewire settings to max out your upload and files.

The hidden user account is called LDAP-daemon instead of the name hacker used in earlier versions. Looks more innocent than hacker.

Even has your daily cron task try to get your password from the virtual memory swapfile

It installs an app called John The Ripper - a password cracker that uses a dictionary method to crack passwords

Installs dsniff to sniff for passwords...


Oh god, all those poor people that we've been telling not to worry about viruses on these forums... they'll be getting twitchy now.
 

yellow

Moderator emeritus
Oct 21, 2003
16,018
6
Portland, OR
Eeeeehhh... I wouldn't be too scared by this. This is more of a Trojan Horse than a virus. One would still have to download the installer and enter an admin password to install it. If those of you who are reading this get paranoid about this, invest some time and energy into installing and learning to use Tripwire.
 

SiliconAddict

macrumors 603
Jun 19, 2003
5,889
0
Chicago, IL
yellow said:
This is more of a Trojan Horse than a virus. One would still have to download the installer and enter an admin password to install it. If those of you who are reading this get paranoid about this, invest some time and energy into installing and learning to use Tripwire.

Dang. That has to be one of the cooler apps I've seen. Even though it's not overly complex in what it does, the resulting files look useful, esp. for building scripts on top of that that will monitor for X activity. Thanks. *adds it to his list o' apps to install whenever he gets his G5 PowerBook* :)
 

varmit

macrumors 68000
Aug 5, 2003
1,830
0
Is this still something that someone has to forcefully send and then forcefully open and use, or can it hide in normal files like PC viruses? This sounds more like a rogue program that does nasty stuff; a virus can propagate and spread itself to other computers. He never says how he got the virus, but it was probably P2P.
 

yellow

Moderator emeritus
Oct 21, 2003
16,018
6
Portland, OR
SiliconAddict said:

No problem. I should add that the safest (and best time) to install tripwire is right after an fresh OS install and (to save a headache) getting all your OS updates. After that.. it's Game On!
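As an added illustration (not code from this thread, and not Tripwire's own code) of the baseline-then-verify idea behind the Tripwire recommendation above, and of why the baseline has to be taken on a freshly installed and fully updated system: a minimal file-integrity check in Python. The `verify` step is what you would schedule to run periodically; every path and file content below is constructed for the demo.

```python
import hashlib, json, os, tempfile
from pathlib import Path

def snapshot(root):
    # Map every regular file under root to its SHA-256, permission bits and size
    root, result = Path(root), {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks skipped here; a fuller tool records their targets too
            st = p.stat()
            result[p.relative_to(root).as_posix()] = {
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                "mode": st.st_mode & 0o7777, "size": st.st_size}
    return result

def save_baseline(root, baseline_path):
    # Write the trusted snapshot; take it on a freshly installed, fully patched system
    snap = snapshot(root)
    Path(baseline_path).write_text(json.dumps(snap, sort_keys=True))
    return len(snap)

def verify(root, baseline_path):
    # Compare the live tree with the baseline: added, removed and changed paths
    baseline = json.loads(Path(baseline_path).read_text())
    current = snapshot(root)
    both = set(current) & set(baseline)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in both if current[p] != baseline[p])}

def demo():
    # Constructed scenario, not a real system: baseline a small tree, then tamper with it
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "root"
        (root / "usr/bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "usr/bin/login").write_bytes(b"original login binary (constructed)\n")
        (root / "etc/crontab").write_text("0 3 * * * root /usr/bin/backup\n")
        baseline = Path(tmp) / "baseline.json"
        save_baseline(root, baseline)
        # What a later scheduled check sees: a replaced binary, an extra cron line, a new file
        (root / "usr/bin/login").write_bytes(b"replaced login binary (constructed)\n")
        with open(root / "etc/crontab", "a") as f:
            f.write("0 4 * * * root /usr/bin/unexpected\n")
        (root / "usr/bin/extra-tool").write_bytes(b"")
        return verify(root, baseline)
```

The baseline file itself must live somewhere the compromised machine cannot silently rewrite (read-only media or another host), otherwise the comparison proves nothing.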
 

MisterMe

macrumors G4
Jul 17, 2002
10,709
69
USA
varmit said:
Is this still something that someone has to forcefully send and then forcefully open and use, or can it hide in normal files like PC viruses? This sounds more like a rogue program that does nasty stuff; a virus can propagate and spread itself to other computers. He never says how he got the virus, but it was probably P2P.
It's nothing like a PC virus. For one thing, it is not a virus. This thing is a shell script. A user with administrative privileges has to download it, install it, and execute it. In order for it to do damage, the user must use his or her administrative password to permit it. If you are that stupid, computer malware is the least of your problems.
 

PlaceofDis

macrumors Core
Jan 6, 2004
19,241
6
Anyone know yet what type of file this downloads as? I know there was that MS Word Trojan, but what kind of file does this hide as?
 

Golem

macrumors 6502
Jun 2, 2003
306
1
Sydney,Australia
They haven't yet discovered how he got it. It could be as simple as someone else walking up to his computer and installing it. But it is something that needs installing.

They did mention it's a bad thing to have your email password and your machine password the same.
 

Axeon

macrumors member
Oct 12, 2004
94
0
Dismissing this as unimportant because it is not a virus is ridiculous, and shows the hubris of the typical Mac-o-phile (common on boards such as these). I run a Linux server and have experienced the horrors of a rootkit. We had to throw away the hard drive and have a new one installed. I'd say the cause of it is incorrectly chmodded root paths that were exploited, combined with an inefficient firewall (and possibly an outdated kernel).

Does OS X support software like chkrootkit? If it doesn't, it should. One could set up a crontab for it to run daily and have a log placed in a special folder. This could help maximize security. Regardless, having a compromised machine is pretty bad, as it can allow for that machine to launch distributed denial of service attacks against other machines.
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
Not a virus, nor a flaw

Bottom line from my reading:

* It's NOT a virus. Someone wrote to MacInTouch calling it that, but it's not. It can't spread.

* The person's machine was compromised by someone with admin access--maybe physically seated at the machine. Maybe the user was convinced to install it themselves under the guise of something else--a Trojan Horse. We may never know.

* This IS "malware," like lots of other rotten things you could do if you were given physical access--or an admin password--to a machine. You could be less subtle and just erase the hard drive.

* This is not new. It's been documented for months on Mac because it (actually a whole set of apps/techniques) already existed for other UNIXes.

When I first read at MacInTouch, I was alarmed enough to change my password :) Good habit anyway. But this is about doing evil AFTER a machine has been broken into, NOT about breaking in in the first place.

In other words, no news. That's good news. We'll have viruses one day (a tiny fraction compared to Windows) but this is not that day.

Now, learning HOW the person's machine was compromised would be nice--that could be important--but we may simply never hear. I hope we do, and I hope it's a user leaving a password written on a post-it note :) Maybe it was broken into by some new flaw--but there's no evidence of that so far.

Feel free to add more details/corrections to my oversimplification. But that's the layman's explanation as near as I can tell.
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
Axeon said:
Dismissing this as unimportant because it is not a virus is ridiculous, and shows the hubris of the typical Mac-o-phile

Assuming that's not trolling... nobody would suggest it's entirely UNimportant. It is, however, much LESS important than a virus: capable of doing the same things PLUS actually spreading. The distinction is significant.

I think you may be seeing stereotypes because you expect them. An easy pitfall for anyone :)

(Also, do you have evidence for your theories about root paths/outdated kernel/etc.? I won't pretend to be an expert, but it seems to me that there are lots of ways someone could gain access to install these things. I don't see how we know enough to pinpoint how the user was compromised--the email report at MacInTouch was really quite brief. So what leads you to those issues vs. other ones? I'd like to know more.)
 

PlaceofDis

macrumors Core
Jan 6, 2004
19,241
6
Quick question, I'll post here instead of opening another thread.

I was in the process of creating a new account on my computer. I want this to be a standard account capable of doing everything an admin can, except install software. Is there anything special I have to do to have it set up this way?
 

Blue Velvet

Moderator emeritus
Jul 4, 2004
21,929
265
PlaceofDis said:
Quick question, I'll post here instead of opening another thread.

I was in the process of creating a new account on my computer. I want this to be a standard account capable of doing everything an admin can, except install software. Is there anything special I have to do to have it set up this way?

I thought that you needed an admin password to install any application anyway? Or logged in as admin...
 

PlaceofDis

macrumors Core
Jan 6, 2004
19,241
6
Blue Velvet said:
I thought that you needed an admin password to install any application anyway? Or logged in as admin...

Exactly, I only want my account to be able to install the stuff. I don't want my roomie, who is going to be using my computer a little, to be able to install stuff that I don't know about, etc. etc.
 

Blue Velvet

Moderator emeritus
Jul 4, 2004
21,929
265
So... I guess the answer to your question is No, you don't have to do anything special...

You could always set up the account, give it a password and try it out for yourself.

There are restrictions you can place on the account, however.
 

PlaceofDis

macrumors Core
Jan 6, 2004
19,241
6
Ah cool, I didn't know if that was one of the restrictions I had to put on the account when creating it.
 

SiliconAddict

macrumors 603
Jun 19, 2003
5,889
0
Chicago, IL
MisterMe said:
If you are that stupid

Right there is your first clue that it could succeed in the correct circumstances. It’s called social engineering, my friend, and can be as simple as an e-mail that looks harmless enough because it’s from someone you know, but whose contents are far from it.

This is what has always worried me about OS X and MOS. Overconfidence in the OS. It's a given that default rights in X are 10 times stronger, prob more, than in Windows, but a virus is simply a program that runs on a computer just like any other. It simply needs root. And if for some reason it can convince a user that yes, it really does need your username and password, because hey! There aren’t any viruses on X so what harm can come from it, right?, it owns you, which in turn makes me wonder how far it can go from there. Install an SMTP engine, read your address book, scan your files for @x.com addresses to replicate itself to? Etc.
Until an OS is smart enough to distinguish malicious intent from user-made configurations and nuke it from orbit before it can do anything, OS X along with every other OS on the planet will still be susceptible to viruses in one form or another.
 

Rower_CPU

Moderator emeritus
Oct 5, 2001
11,219
2
San Diego, CA
Axeon said:
...
I run a Linux server and have experienced the horrors of a rootkit. We had to throw away the harddrive and have a new one installed.
...

I find this statement extremely odd - a simple reformatting of the drive should have solved your problem if the system was irrecoverable. I've never heard of an OS being hacked so hard it had a degenerative effect on the physical media upon which it was installed.
 

J.Allen

macrumors member
Oct 12, 2004
34
0
Adelaide, South Australia
Poeben said:
New Mac Virus?
It's called Norton Anti-Viru
 

yellow

Moderator emeritus
Oct 21, 2003
16,018
6
Portland, OR
FYI folks, don't look for a "patch" from Apple on this, unless someone discovers a way that this thing is installed via a security hole.
 