Regarding the 'opener' malware script

Nov 01, '04 09:47:00AM

Contributed by: robg

Since OS X Hints is intentionally not a news site, I've stayed away from discussing the 'opener' malware that's been covered on most every major Mac site out there. The site's focus is not changing, but since there are finally some "hint related" aspects of this issue, I will take some time to cover those pieces of it this morning.

If you're not familiar with the opener malware (also known as a 'rootkit'), it's basically a large shell script that, once installed, does all sorts of Really Bad Things to your machine -- nothing overt like erasing your user's directory, but much worse stuff. It installs software that disables Little Snitch (an outbound firewall, basically ... [Edit: It actually kills it before making outbound connections, and moves it to last in the boot order, but doesn't actually disable it]), it installs remote access software, it installs a password decoder app, etc. It goes by many names; Symantec calls it SH.Renepo.B, and their writeup of it covers all its evilness in great detail.

Read the rest of the hint for some tips on how to avoid Opener, and how to remove it if you do get it...

Opener is a lot of things, but it's not a worm or virus: it can't self-propagate, and it doesn't automatically infect a machine. Opener has to be installed, either during a software installation (of a package that's been intentionally infected with Opener), or by a user who has gained root access to a machine. If your machine is secure, you can't be infected accidentally -- it requires proactive action on your part. So the best ways to avoid Opener are:

How can you tell if you have somehow managed to get Opener installed on your machine? The fastest way is to open Terminal (in Applications -> Utilities), type sudo ls -l /Users/*/Public/.info, then hit return. If you see ls: /Users/*/Public/.info: No such file or directory as the result, your machine is most likely** clean. If you see anything else, your machine is infected.

** Since this is a malware script, and its installation requires root, you can't be 100% sure you're clean with the above command. If the hacker is really good, they can replace ls with their own version, or just rename the script components, etc. -- since they have to have root access to install in the first place, they can do whatever they like! But the above command will catch all the simple 'script kiddie' installations of Opener.
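As an added example (not part of the original hint), the following POSIX shell script performs the same indicator check using only shell builtins, so the result does not depend on the ls binary that a root-level intruder could replace, and adds a baseline-hash comparison you can run against a binary such as /bin/ls. The base-directory parameter and the baseline hash value are assumptions of this example, not something the hint specifies.

```shell
#!/bin/sh
# Added example: look for the Opener indicator /Users/*/Public/.info without
# calling the ls binary. Only the shell's own glob expansion and the [ builtin
# are used, so a replaced /bin/ls cannot alter the result. A root-level
# intruder could still tamper with the shell itself, so treat a clean result
# as "most likely clean", exactly as the hint says.
#
# $1 is an optional base directory (assumed parameter, defaults to "/") so the
# check can be pointed at a mounted or test tree.
# Returns 0 when no indicator exists, 1 when at least one is found.
opener_indicator_check() {
    base="${1:-}"
    found=0
    for f in "$base"/Users/*/Public/.info; do
        # With no match the glob stays literal; [ -e ] then fails and we skip it.
        [ -e "$f" ] || continue
        echo "indicator present: $f"
        found=1
    done
    return $found
}

# SHA-256 of a file, using whichever tool the system provides
# (sha256sum on Linux, shasum on Mac OS X).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare a binary ($1, e.g. /bin/ls) against a baseline hash ($2) recorded
# from a known-good system. Returns 0 on match, 1 on mismatch, 2 if unreadable.
binary_matches_baseline() {
    actual=$(sha256_of "$1") || return 2
    [ "$actual" = "$2" ]
}
```

Run it with sudo (`sudo sh -c '. ./opener_check.sh; opener_indicator_check'`) so that every user's Public folder is readable; record the baseline hash for /bin/ls from a machine you trust, since a value taken after a compromise proves nothing.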

The above little tidbit came from Macintouch's excellent Opener Malware Reader Reports series, which is also where you can find other monitoring tools, as well as a removal tool (all subject to the above disclaimer, of course). In particular, check out:

Finally, for a great general overview on securing OS X, read the NSA's new OS X System Configuration Guide [3.1MB PDF]. It's definitely not required for most home users to institute everything listed in its entirety, but it's a great overview of the system and some ways to make it even more secure than it already is. At nearly 100 pages, it's not a light read, but it's well worth the time.

In summary, malware can (and does) exist for any platform -- with the assumption that root access has been obtained, anything and everything is possible. Opener is not a worm, nor a virus. Spreading it requires either user intervention or a compromised machine, and it must be hand-installed on each machine to be infected. Take the basic steps necessary to secure your machine and your work habits, and you should feel quite comfortable with the safety of your system and its data -- but please, have a backup or two or three, just in case!


Mac OS X Hints
http://hints.macworld.com/article.php?story=20041101050409768