Regarding the 'opener' malware script
Nov 01, '04 09:47:00AM
Contributed by: robg
Since OS X Hints is intentionally not a news site, I've stayed away from discussing the 'opener' malware that's been covered on most every major Mac site out there. The site's focus is not changing, but since there are finally some "hint related" aspects of this issue, I will take some time to cover those pieces of it this morning.
If you're not familiar with the opener malware (also known as a 'root kit'), it's basically a large shell script that, once installed, does all sorts of Really Bad Things to your machine -- nothing overt like erasing your user's directory, but much worse stuff. It installs software that disables Little Snitch (an outbound firewall, basically ... [Edit: It actually kills it before making outbound connections, and moves it to last in the boot order, but doesn't actually disable it]), it installs remote access software, it installs a password decoder app, etc. It goes by many names; Symantec calls it SH.Renepo.B, and their writeup of it covers all its evilness in great detail.
Read the rest of the hint for some tips on how to avoid Opener, and how to remove it if you do get it...
Opener is a lot of things, but it's not a worm or virus: it can't self-propagate, and it doesn't automatically infect a machine. Opener has to be installed, either during a software installation (of a package that's been intentionally infected with Opener), or by a user who has gained root access to a machine. If your machine is secure, you can't be infected accidentally -- it requires proactive action on your part. So the best ways to avoid Opener are:
- Physically secure your machine, if possible.
- Always use a screensaver/locking program when you leave your machine, even for a minute or two.
- Apply all security updates in a timely fashion.
- Use secure passwords.
- Only install software from trusted sources -- stick to places like MacUpdate, VersionTracker, HyperJeff's OS X Software page, etc. Don't download and run things from Limewire, etc., unless you really like living on the edge.
- Think twice before giving your admin password to every installer that asks for it. Personally, I only 'trust' the major names in the business (i.e. Adobe, Apple, Microsoft, etc.) when it comes to giving an admin password on install. Beyond that, I'll quit the installer and dig around inside the package to see if I can figure out why it wants my admin password. If I can't figure out why, I'll usually email the author before I try to install it. Your admin password should be protected, and that includes not letting any old application have it when it requests it.
- To be extremely cautious, don't run as 'admin' at all -- create a non-privileged user account for your day-to-day stuff. Personally, I find this a bit onerous (I tried for a while), but it definitely would give you a more secure environment (assuming you don't then just provide the admin password when requested!).
- KEEP GOOD BACKUPS! This is important in any context, but especially one in which a piece of malware could easily rm -rf * (force erase everything NOW -- do *not* try this command!). Good backups are easily worth the time they take to create.
How can you tell if you have somehow managed to get Opener installed on your machine? The fastest way is to open Terminal (in Applications -> Utilities), and type sudo ls -l /Users/*/Public/.info, then hit return. If your machine is most likely** clean, you'll see ls: /Users/*/Public/.info: No such file or directory as the result. If you see anything else, your machine is infected.
** Since this is a malware script, and its installation requires root, you can't be 100% sure you're clean with the above command. If the hacker is really good, they can replace ls with their own version, or just rename the script components, etc. -- since they have to have root access to install in the first place, they can do whatever they like! But the above command will catch all the simple 'script kiddie' installations of Opener.
The above little tidbit came from Macintouch's excellent Opener Malware Reader Reports series, which is also where you can find other monitoring tools, as well as a removal tool (all subject to the above disclaimer, of course). In particular, check out:
- Donald Hall's script on the October 22nd report to monitor for a process named John (the password decoder).
- Rams' entry on the Oct 28 page about how to create and set permissions on /Library/StartupItems, which will close one method that the Opener malware uses to accomplish its evilness.
- Harold Martin's 'Closer' script on the Oct 31 page. This will (hopefully) get rid of an installed Opener.
- Greg Guerin's Watcher script (also on the Oct 31 page), which watches the two Startup Items folders and alerts you if they are modified. Since Greg was kind enough to release his code into the public domain, I have also put a copy on macosxhints.
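The checks described above (the /Users/*/Public/.info test, the watch for a process named John, and the permissions on the startup-items folders) can be scripted together. What follows is an added example written for this page; it is not code from the hint, nor any of the Macintouch scripts it links to. The paths and the process name "John" come from the hint; the function names, the default owner root:wheel and the sample values in the comments are assumptions. As the footnote above says, an attacker with root can replace ls, ps or even the shell, so a clean result is evidence, not proof.

```shell
#!/bin/sh
# Added example (not part of the original hint or the Macintouch scripts):
# defensive checks for the Opener indicators the hint describes.
# Run as root (via sudo) on a real machine so other users' Public folders
# are readable. Anything root-owned can be subverted by a root-level
# attacker, so treat a clean result as evidence, not proof.

# 1. Look for the Opener marker, <home>/Public/.info, under a home-directory
#    root (default /Users). Uses the shell builtin 'test' rather than 'ls'
#    so the check does not rely on that one binary being genuine.
#    Prints each hit; returns 0 only if nothing was found.
find_opener_marker() {
    users_root=${1:-/Users}
    hits=0
    for home in "$users_root"/*; do
        [ -d "$home" ] || continue
        if [ -e "$home/Public/.info" ]; then
            echo "INDICATOR: $home/Public/.info exists"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# 2. Read command names from stdin, one per line as 'ps -o comm=' prints
#    them (on OS X these are full paths), and return 0 if the basename of
#    any line equals $1 exactly (case-sensitive).
match_process_name() {
    wanted=$1
    found=1
    while IFS= read -r line; do
        [ "${line##*/}" = "$wanted" ] && found=0
    done
    return $found
}

# Live-system wrapper: is a process named "John" (the password decoder the
# hint mentions) running right now? Assumed name; adjust as needed.
process_running() {
    ps -A -o comm= | match_process_name "${1:-John}"
}

# 3. Check a startup-items folder: it must exist, be owned by $2 (default
#    root) and not be writable by group or others. Returns 0 if it passes.
#    The mode string and owner are parsed from 'ls -ld' output, which is
#    the same layout on OS X and Linux.
check_startup_dir() {
    dir=$1
    owner=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir (a missing folder can be created by the malware)"
        return 1
    fi
    set -- $(ls -ld "$dir")        # $1 = mode string, $3 = owner
    mode=$1
    case $mode in
        ?????w*|????????w*)        # 6th char = group write, 9th = other write
            echo "WEAK PERMISSIONS: $dir is $mode"; return 1 ;;
    esac
    if [ "$3" != "$owner" ]; then
        echo "WRONG OWNER: $dir is owned by $3, expected $owner"; return 1
    fi
    return 0
}

# 4. Create a startup-items folder with safe ownership and mode, the
#    precaution the Oct 28 Macintouch entry describes. Defaults assumed.
ensure_startup_dir() {
    dir=$1; owner=${2:-root}; group=${3:-wheel}
    mkdir -p "$dir" && chown "$owner:$group" "$dir" && chmod 755 "$dir"
}

# Typical use on a live system (requires root):
#   find_opener_marker
#   process_running John && echo "John is running"
#   check_startup_dir /Library/StartupItems
#   check_startup_dir /System/Library/StartupItems
```

Each function returns 0 when the check passes, so they can be chained from cron or a login script and the non-zero exit used to trigger an alert; the echo lines are the human-readable explanation of why a check failed.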
Finally, for a great general overview on securing OS X, read the NSA's new OS X System Configuration Guide [3.1MB PDF]. It's definitely not required for most home users to institute everything listed in its entirety, but it's a great overview of the system and some ways to make it even more secure than it already is. At nearly 100 pages, it's not a light read, but it's well worth the time.
In summary, malware can (and does) exist for any platform -- with the assumption that root access has been obtained, anything and everything is possible. Opener is not a worm, nor a virus. Spreading it requires either user intervention or a compromised machine, and it must be hand-installed on each machine to be infected. Take the basic steps necessary to secure your machine and your work habits, and you should feel quite comfortable with the safety of your system and its data -- but please, have a backup or two or three, just in case!
Mac OS X Hints
http://hints.macworld.com/article.php?story=20041101050409768