The thing to note about this is, it is NOT spread by email or web. Only a user with admin access to your computer can install and enable it. So, let's not call it a virus. If your network is physically secure, or if you have adequate password protection and adequate network protection, you should be ok, right? There is a discussion of this going on at Macintouch, too.

First of all this "Proof of Concept" is a simple bash shell script that does nasty things. This is NOT a vulnerability in OSX. In fact ANY computer system, including Windows, OSX, Linux, or ANY Unix, is vulnerable to such an attack. This is more an attack on the end user's intelligence than on the operating system. So, if you are likely to give your admin password up to a questionable piece of software that you have downloaded from a questionable source, here are some simple instructions to protect yourself. Make sure you print them out and follow along.

1. Shutdown and power off your system.

2. Pull the plug on your network connection.

3. Pull the plug on the power to your system.

4. Step back and DON'T touch those cords.

There, you are now fully protected from yourself.

Short of never using your computer again, basic security and basic common sense are going to prevent the spread of these types of attacks. And YES, that E-mail you received from the finance minister of that small country in North Africa to transfer a million dollars to your bank account is a scam.

Oh, fer pity's sakes.

Mr. Cluley said the worm could be propagated as a promotion via e-mail, encouraging the reader to go to a specific Web address and download the script now to update the Mac OS or some other specific software program.

Yeah, it could be, but I could just as easily con someone into popping open the Terminal and entering 'sudo rm -rf ~'. Social engineering is not new, and neither are shell scripts. Anyone could have written a dodgy installer that ran some shell script long ago. The idea that this is some newly discovered vulnerability is BS.

is the ridiculous grammar and spelling mistakes in the article itself. Unless they were meant to be [sic] quotes.

Listening to anyone who says "This is not just a problems for Windows users any more" is out of the question. a problems? nice.

Misuse of "they're" and "their" and "there" in the article is equally as ridiculous:
"I think what's happening here is that their is a group of people in the Macintosh underground community who are interested in pushing..."

Hire some copy editors, please.

nice work with your grammar, mister anonymous.

although, when you think about it, the comments don't necessarily have to be grammatically correct. the most important part is the article. He's the one getting paid, or at least the one they got to write said article. Copy editors would be nice, in that other online publications have them and it's nice to see high quality, professional-grade, newspaper quality articles online.

100% wrong

I truly understand a average Joe taking grammar fall and sincerely not big a deal. But coming out of a reporter... not good. Because we believe that grammar doesn't count we spent effort trying to have a common view... if writer would used grammar correctly we wouldn't spent this time.

I suppose that you could call it a worm or virus if it propagated itself, but this sounds more like a rootkit than anything else. First you crack the box, then you start the script to install the stuff you want it to run.

Having said that, it'll probably turn up in an installer for some Trojanized gooberware sooner or later.

For pre-Panther users, it's a hassle to have a separate admin account that you only use to install stuff... but with Panther, the fast user switching thing can come in handy. (But you still have to vet whatever you're about to install!)

I just went into Terminal and typed
sudo ls -l /Users/*/Public/.info

the reply should be:

ls: /Users/*/Public/.info: No such file or directory

Instead it is:
ls: illegal option --/
Usage: ls [-ABCFGHLPRSTWZabcdfghiklnoqrstuvx1] [file …]

What does this mean ?

I haven’t installed anything on this computer since the last time I ran this command in Terminal last Friday night ?

When I enter the sudo ls command above, I don't exactly get the "good answer" :

ls: /Users/*/Public/.info: No such file or directory

Instead, I get:

tcsh: sudo: No match.

As far as I know, the root user is not enabled, although there are some typical, I think, root processes going on like kernel_task, nfsiod, kextd, etc.

File Sharing is off, Little Snitch has been running in Demo Mode with no odd requests for outgoing traffic, no unusual Startup Items, and nothing out of the ordinary running on Activity Monitor.

Any opinions on why I'm not getting an "ls" reply on Terminal?

MacSmiley, it sounds like the sudo command itself isn't found. Are you running as a non-admin user?

Use a lowercase L.

ls -l will show use the "long format" for listing. It will show the file permissions along with the other file info.

Today I went an disinfected my dad's XP machine. He had 12 spyware programs and 3 viruses. I had to throw in an "I told you so" as I billed him $25/hour for 3 hours of work. Am I worried about this 'virus'? Not one damn bit.

You charged your dad for computer work!? That's hillarious.

While it's true *this* particular script isn't a threat how hard would it be to piggyback this script on top of another, benign even desirable program? One that asked for an admin password to install?

Once the admin password is known a shell script can do an awful lot of damage very quickly--and most Mac users aren't savvy enough to catch it in the act.

For many, not having to be savvy is the whole *point* about using a Mac...

Complacency is dangerous. You'd hate for an as-yet undiscovered rootable vulnerability to be coupled with something like this, yes? How many Macs would be compromised if a worm discovered a chink?

While Macs comprise only about 3% of available computers Macs can be discovered remotely, especially if they respond to a scan targeting a vulnerability.

This script is only the payload. Once a delivery system is developed it would take less than a day for every OS/X system on earth to be targeted.

Don't think such a delivery system is impossible. Once a suitable chink (or two) is found (and geeks are good at finding chinks) OS/X will have its own "Melissa".

On the money front, if OS/X ever gains sufficient marketshare (20%?) the criminals who make money from spam will take an interest.

Check this out: Spam programs *don't need root* to do their job.

Alert! There is a major threat to life as we know it! An asteroid *could* strike earth at any time! ALERT THE MEDIA, THEY'LL SAVE US ALL!

Idiots.

Dave, sorry took so long to respond.

I am running as Admin account I set up when I first bought my iMac 2 years ago. Lately, I've had hard drive problems, 2 replacements so far, to the point that the local technician thinks it's TechTookPro 4 that's defective instead of the hard drive.

I've never enabled root, so is that why sudo wouldn't work?

Appreciate the help,
Mel "MacSmiley"

The response "tcsh: sudo: No match." is actually an effect of running tcsh. It means that tcsh itself does not find any files Public/.info for any of the users on the system.

If you were running bash shell (which is standard for new users on newer versions of Mac OS X, you would see "ls: /Users/*/Public/.info: No such file or directory"

(The difference lies in how tcsh and bash handle the expansion done by *)

The whole point of sudo is that you don't have to enable root. The error came from tcsh. Perhaps you should switch to bash?

Anyway, if you would like to test sudo, you could do a simple:
sudo id
Which should return the id of root (0) as uid.

Here's a thread on malicious OS X scripts from July of 2002. Way to go media for gullibly reporting every non-item brought to you by the AntiVirus industry. You've certainly made yourselves look like idiots.

http://lists.apple.com/archives/augd/2002/Jul/msg00137.html

Opener should serve as a wake-up call to complacent and naive Mac users who assume that using a Mac equals total security. It doesn't. OS X is great, but the only reason it hasn't been hit by viruses and/or worms yet is because it has such a small user base. Windows gives virus writers "more for their money."

Proclaiming OS X as immune to viruses is just inviting hackers to turn their attention towards the Mac.

A simple solution is to have anti-virus software and a firewall in place. Then you can live happily and not worry about it.

I've been running anti-virus software on every Mac I've owned, since my trusty old IIcx. In all those years it caught a grand total of two viruses. It is an inexpensive way to buy peace of mind.

"Security experts have discovered a worm that targets Apple's Mac OS X , disguising itself as a shell script."

WRONG. It isn't disguising itself as anything which is why it is not a trojan, it IS a shell script. Go look. http://freaky.staticusers.net/ugboard/viewtopic.php?t=10712

"We have no reports of anyone actually be infected by it, yet,"
I have searched and searched the web for any trace of "Renepo" or "opener" version 2.4 (part of which Sophos shows on their website) and found no trace... if no one has been infected by it then how is it that Sophos has a newer version than that which is posted in the thread where it was being developed? Are they going to continue developing more scripts and then proclaiming them dangerous worms/viruses/trojans?

"but once run will begin seeking out other drives and systems on the network to which it can copy and spread"
Nothing in the script "seeks out" other computers on a network. The script has a small routine to copy itself to LOCAL boot volumes at startup. In order for it to copy itself to a network volume that volume would already have to be mounted during the startup process (for which there is no option built-in to OS X's GUI) and that volume would have to have it's root directory shared (for which there is no option in the Mac OS X GUI) and someone would have to have ALREADY compromised the security of that remote volume by changing the permissions of it's /System/Library/StartupItems folder to allow a remotely connected system to write to that directory. Essentially, unless someone has already cracked the remote system and taken a variety of steps to make it possible for the script to copy to the volume, Opener CAN NOT COPY ITSELF TO A NETWORK SHARE which is why it is NOT a worm.

"Once on a drive, it does a number of things
Should read, "Once run with root privileges, it does a number of things" To be run with root privileges it either must be a startupitem during boot (and generally an admin password is required in order to make somethine a startupitem) or a user must enter their admin password to manually run the script as root. Either way, it can not run itself which is why it is not a virus.

"and copies some key system files making them world-writeable."
It copies preference files and password hashes. It also makes some system directories and files world-writable. These are two seperate things.

"It's a smart worm."
It's not a worm. It's a script which is a list of commands. Anyone with sufficient access to install the script could just as easily enter the commands from the keyboard.

"The worm also installs a number of pieces of software, such as ... dsniff (a password sniffer). It scans the swap file, Samba and VNC (virtual network computing) connections for passwords"
Dsniff sniffs traffic on the local network and captures packets containing passwords. The opener script itself does not in any way scan networks or connections - dsniff does. Opener does read Mac OS X password hashes from files on the hard drive. The default password hash system for Mac OS X 10.3 is NTLM which is the same system used by Windows NT. This system is used by the Mac for file-sharing compatiblity with Samba sharing on Windows. Thus the script is neither scanning Samba nor VNC connections but rather reading the hashes and settings from the hard disk.

"Mr. Cluley said the worm could be propagated as a promotion via e-mail, encouraging the reader to go to a specific Web address and download the script now to update the Mac OS or some other specific software program."
This is akin to saying "Someone could tell you where the flu is and suggest you go contract it." This is true of any program or file. A disk formatting utility could also be "propagated as a promotion via e-mail, encouraging the reader to go to a specific Web address and download it to speed up their drive."

Please try harder next time to identify what is not news, to research what is and to post the truth rather than sensationalized FUD.

Dirt Road wrote"For pre-Panther users, it's a hassle to have a separate admin account that you only use to install stuff... but with Panther, the fast user switching thing can come in handy. (But you still have to vet whatever you're about to install!)"

I am a pre-panther person. So please tell me, why do I need a seperate account to install software on my machine? All this time, why did someone not tell me?

Quote

Anonymous wrote:
So please tell me, why do I need a seperate account to install software on my machine? All this time, why did someone not tell me?

It's just good security practice to have a user without admin priveliges to perform your day-to-day tasks. Nobody has told you because, truth be told, most people don't do that. I admit I don't, since you are prompted to enter your password when running as an admin for anything beyond a simple drag-and-drop into Applications.