"Opener" - A new form of malware for OS X?

Posted:
in Mac Software edited January 2014
I got this from MacInTouch and Insanely Great Mac. Here's a list of what it apparently does, taken from a post on MacInTouch:

Quote:

Opener tries to install ohphoneX, a teleconferencing program - for spying on you through your webcam, I'm sure.

It kills LittleSnitch before every Internet connection it makes.

It installs a keystroke recorder.

Allows backdoor access in case someone deletes the hidden account.

Grabs the Open Firmware password.

Installs OSXvnc.

Grabs your Office 2004 PID (serial number), as well as serial numbers for Mac OS X Server, Adobe registrations, VirtualPC 6, Final Cut Pro, LittleSnitch, Apple Pro Apps, your DynDNS account, Timbuk2, and webserver users, to name a few.

It tries to decrypt all the MD5-encrypted user passwords.

Decrypts all users' keychains.

Grabs your AIM logs, and tons of other settings and preferences with info you probably don't want folks to have... even your bash (terminal) history.

Grabs stuff from your Classic preferences.

Changes your Limewire settings to max out your upload and files.

The hidden user account is called LDAP-daemon instead of the name "hacker" used in earlier versions. Looks more innocent than "hacker".

Even has your daily cron task try to get your password from the virtual memory swapfile.

It installs an app called John The Ripper - a password cracker that uses a dictionary method to crack passwords.

Installs dsniff to sniff for passwords...

I really don't know what to make of this. On the one hand, it may be just a hoax, perhaps a "proof-of-concept" similar to the silly "MP3 Trojan" that Intego made such a big fuss over a while ago. It seems that it needs admin access, which means it can't be installed without the user knowing. Still, who's to stop anyone from passing it around as a new Microsoft or Apple updater?

Still, I can't help but feel really skeptical about this.

[EDIT] Here's the link to the forum on Macintosh Underground, where development of this script is still very active. I still get the feeling that it's meant as more of a proof-of-concept than anything else.
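As an added, defender-side illustration (not code from this thread, from MacInTouch, or from any of the tools named in the quoted list), the script below turns the quoted behaviours into host checks: the hidden account names (LDAP-daemon, hacker), the installed tools (ohphoneX, OSXvnc, John The Ripper, dsniff), and a cron task that kills LittleSnitch or reads the VM swapfile. It runs over constructed sample text in the shape of /etc/passwd, a crontab and a ps listing rather than the live system; the .ldapd paths in the samples are placeholders, and the "UID below 500 is hidden from the login window" rule is a heuristic assumption, not something the post states.

```python
"""Indicator checks for the 'Opener' behaviours quoted in the thread.

Added example, not code from the thread, MacInTouch or any tool named there.
It inspects text in the shape of /etc/passwd, a crontab and a `ps` listing;
the samples at the bottom are constructed, and the .ldapd paths in them are
placeholders rather than paths the post reports.
"""
import re

# Tools the quoted list says Opener installs or runs.
SUSPECT_TOOLS = ("ohphonex", "osxvnc", "john", "dsniff")
# Hidden account names the list mentions (current and earlier versions).
SUSPECT_ACCOUNTS = ("ldap-daemon", "hacker")
# Behaviours the list attributes to the daily cron task / connection logic.
CRON_PATTERNS = {
    "kills LittleSnitch": re.compile(r"\bkill(?:all)?\b.*littlesnitch", re.I),
    "touches the VM swapfile": re.compile(r"swapfile", re.I),
}
# A tool name must stand on its own (path component or argument), so that
# 'john' in '/usr/local/bin/john' matches but 'johnson' does not.
TOOL_RE = re.compile(
    r"(?:^|[^A-Za-z0-9])(" + "|".join(SUSPECT_TOOLS) + r")(?=[^A-Za-z0-9]|$)",
    re.I)


def check_accounts(passwd_text):
    """Flag reported account names, plus (heuristic; assumes the OS X login
    window hides UIDs below 500) any non-root, non-underscore account in that
    range that still has a real login shell."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if name.lower() in SUSPECT_ACCOUNTS:
            findings.append(f"account '{name}' uses a name from the report")
        elif (uid < 500 and name != "root" and not name.startswith("_")
              and shell.endswith("sh")):
            findings.append(f"account '{name}' (uid {uid}) is below the "
                            f"login-window range but has login shell {shell}")
    return findings


def check_crontab(cron_text):
    """Flag cron lines that match the reported behaviours or name a tool."""
    findings = []
    for line in cron_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        for label, pattern in CRON_PATTERNS.items():
            if pattern.search(line):
                findings.append(f"cron entry {label}: {line.strip()}")
        m = TOOL_RE.search(line)
        if m:
            findings.append(f"cron entry runs '{m.group(1)}': {line.strip()}")
    return findings


def check_processes(ps_text):
    """Flag running processes whose command line names one of the tools."""
    findings = []
    for line in ps_text.splitlines():
        if not line.strip() or line.split()[0] == "PID":
            continue  # blank line or ps header
        m = TOOL_RE.search(line)
        if m:
            findings.append(f"process references '{m.group(1)}': {line.strip()}")
    return findings


def run_all(passwd_text, cron_text, ps_text):
    """All findings from the three sources, in order."""
    return (check_accounts(passwd_text) + check_crontab(cron_text)
            + check_processes(ps_text))


# Constructed samples (not captured from a real machine).
PASSWD = """# constructed sample, not a real /etc/passwd
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_www:*:70:70:World Wide Web Server:/Library/WebServer:/usr/bin/false
LDAP-daemon:*:499:20:LDAP-daemon:/var/root:/bin/sh
backup:*:498:20:backup:/var/root:/bin/bash
alice:********:501:20:Alice:/Users/alice:/bin/bash
"""
CRON = """# constructed daily crontab; .ldapd paths are placeholders
15 3 * * * /usr/bin/periodic daily
30 3 * * * /usr/bin/killall LittleSnitch; /var/root/.ldapd/phone-home
45 3 * * * /var/root/.ldapd/swapcheck /private/var/vm/swapfile0
"""
PS = """  PID TTY  TIME     CMD
   42 ??   0:00.12  /usr/sbin/syslogd
  512 ??   0:01.03  /Library/OSXvnc/OSXvnc-server
  530 ??   0:00.40  /usr/local/bin/john /var/root/.ldapd/hashes
  601 ??   0:00.05  /usr/local/sbin/dsniff
"""

if __name__ == "__main__":
    for finding in run_all(PASSWD, CRON, PS):
        print(finding)
```

Name matches are deliberately crude: a user whose home directory is /Users/john would trip the 'john' rule, so treat each finding as a lead to confirm (who owns the binary, when the account or cron line appeared) rather than a verdict.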

Comments

  • Reply 1 of 12
    buonrotto Posts: 6,368 member
    From what I've read at MacNN, people there are claiming that you need physical access to the machine, i.e., you have to be sitting in front of it, and that you need to have the root password. I mean, if that's true, then this seems like another user-is-the-weakest-link issue. There's no such thing as foolproof security, not even on OS X.
  • Reply 2 of 12
    Actually, this would be more like a Trojan, that is, someone sends an "installer" program that contains the Trojan to an unsuspecting Mac owner, the Mac owner runs the installer, inputting the administrator password when required, and the Trojan gets secretly installed along with the actual "legitimate" program. The obvious way to avoid that is to not install a program that is packaged this way if you don't trust the source from which you obtained this program.
  • Reply 3 of 12
    buonrotto Posts: 6,368 member
    ...and thus runs into the security measure Apple created from the last big scare, the confirmation of an application's first run.

    And further, if this thing gets out in the wild as the real deal, people will find the creator(s) and that person or persons will get hung upside down by their pinky toes from a meat hook and poked with a sharp hot stick by all Mac OS X users in turn. If it is the Mac Underground behind it, they better hope it stays a "proof of concept," or the Iraq War will look like a friendly game of Parcheesi compared to what's coming their way. Makes me wonder what the concept is that they're trying to prove.

    [added]

    I just read more from people who know what they're talking about at MacNN. If what they say is true, then the actual impact on Mac users will be limited aside from the hype it would generate.
  • Reply 4 of 12
    aquatic Posts: 5,602 member
    I never understood that warning!? I get that on GraphicConverter all the time.

    Crap like this is waaaaay blown out of proportion. I mean you already need Admin! This doesn't spread itself, nor cover its tracks. It uses well known UNIX tools. It's not an issue. Pfft. We are still virus free. And basically invincible. Mac OS X is a fortress!
  • Reply 5 of 12
    bigblue Posts: 341 member
    Quote:

    Originally posted by Aquatic

    I never understood that warning!? I get that on GraphicConverter all the time.

    Crap like this is waaaaay blown out of proportion. I mean you already need Admin! This doesn't spread itself, nor cover its tracks. It uses well known UNIX tools. It's not an issue. Pfft. We are still virus free. And basically invincible. Mac OS X is a fortress!

    But C|Net is already sharpening its knives: 'New Virus invades Apple's OS!'.

    (It doesn't belong to the Murdoch group, does it?)
  • Reply 6 of 12
    More FUD from Intego. A cookie says they'll be linked to it like the last one.

    Supposition only, but there are rumours connecting those dots.
  • Reply 7 of 12
    bigblue Posts: 341 member
    Correction, C|net made it: 'Mac users face rare virus'!

    And they don't even know the difference between a virus and a trojan. Oh well ...
  • Reply 8 of 12
    costique Posts: 1,084 member
    Quote:

    Originally posted by BigBlue

    And they [C|net] don't even know the difference between a virus and a trojan. Oh well ...

    Heh, I bet they haven't heard that "sudo rm -rf /" has existed from day one, the most malicious virus on earth, spreading itself by forcing users into typing the above command in the CLI and hitting the Return key. Macs are doomed. The world is over.
  • Reply 9 of 12
    Quote:

    Originally posted by costique

    Heh, I bet they haven't heard that "sudo rm -rf /" has existed from day one, the most malicious virus on earth, spreading itself by forcing users into typing the above command in the CLI and hitting the Return key. Macs are doomed. The world is over.

    Hm, no safe parallel world anymore.
  • Reply 10 of 12
    Someone on /. remarked that "Viruses on OS X!" is the new "Apple is Doomed!". Pretty astute, I think, given all of the online media hype that this and the "MP3 Trojan" have gotten.
  • Reply 11 of 12
    r3dx0r Posts: 201 member
    Quote:

    Originally posted by rampancy

    Someone on /. remarked that "Viruses on OS X!" is the new "Apple is Doomed!". Pretty astute, I think, given all of the online media hype that this and the "MP3 Trojan" have gotten.

    Yeah, you'd think at least some editors research their articles before they spread FUD. Hehe, wait until Thurrott gets hold of this.
  • Reply 12 of 12
    Quote:

    Originally posted by r3dx0r

    Yeah, you'd think at least some editors research their articles before they spread FUD. Hehe, wait until Thurrott gets hold of this.

    Who??