[ISN] Mac users face rare threat

InfoSec News isn at c4i.org
Tue Oct 26 02:42:45 EDT 2004


By Munir Kotadia
ZDNet Australia 
October 25, 2004

A script-based threat that spies on Mac users caught the attention of
some security watchers last week.

The malware, which has been dubbed Opener by Mac user groups, can
disable Mac OS X's built-in firewall, steals personal information and
can destroy data. It is not yet a widespread danger, however.

Security experts say those traits are common among the thousands of
online threats targeting Microsoft's ubiquitous Windows operating
system but are virtually unheard of on Apple Computer's Mac OS.

Paul Ducklin, Sophos' head of technology in the Asia-Pacific region,
said that the software, which Sophos calls Renepo, is designed to
affect Mac OS X drives connected to an infected system and that it
leaves affected computers vulnerable to further attack.

Ducklin said Opener disables Mac OS X's built-in firewall, creates a
back door so the malware author can control the computer remotely,
locates any passwords stored on the hard drive, and downloads a
password cracker called JohnTheRipper.

Opener is a "rootkit," or a set of software tools that intruders can
use to gain access to a computer; it's installed either through a
known vulnerability or password-cracking. Rootkits don't spread on
their own, as viruses do, and require administrator access to be

According to Ducklin, Opener could try to spread by copying itself to
any drive that is mounted to the infected computer. This could be a
local drive, part of a local network or a remote computer.

It could also be the start of a spate of attacks that use Mac OS X’s
scripting features against its users, he said.

"The existence of Unix shells--such as Bash, for which this virus is
written--and the presence of powerful networking commands opens up the
game a little bit for Mac users. It is no longer necessary to know
about Mac file formats or executables. You can write your malware in
script. And if you really wanted to, you could probably write a
portable virus that would run on many flavors of Unix" and Mac, said

Chris Waldrip, president of the U.S.-based Atlanta Macintosh Users
Group, posted a detailed description of Opener on the MacInTouch Web

Waldrip, who acknowledges that the threat has him "a bit spooked,"  
said Opener seems to have started out with a "legitimate purpose" but
has now been developed into a replicating piece of malware.

Waldrip's site also cautions against overreacting to Opener and
advises people to use proper security techniques: "As readers take
pains to point out, the threat has not yet been incorporated into a
widespread virus, worm or Trojan horse, but that's a fairly short step
from what we've already seen, and it's important to implement good
security procedures."

Mikko Hypponen, director of antivirus research at F-Secure, said that
viruses targeting the Macintosh system virtually disappeared in the
late 1980s.

"Things have been really quiet on Macintosh front, virus-wise. Back in
the late 1980s, viruses used to be a much bigger problem on Macs than
on PCs. We here at F-Secure used to have an antivirus product for Mac
but discontinued it after the macro viruses died out," said Hypponen.

Symantec said users of Norton AntiVirus for Mac OS X were protected as
long as they had updated their signatures over the weekend. A
representative for the company said the relevant signature files had
been available since Friday evening.

Munir Kotadia of ZDNet Australia reported from Sydney.

More information about the ISN mailing list