"Opener" - A new form of malware for OS X?
I got this from MacInTouch and Insanely Great Mac. Here's a list of what it apparently does, taken from a post on MacInTouch:
Quote:
Opener tries to install ohphoneX, a teleconferencing program - for spying on you through your webcam, I'm sure.
It kills LittleSnitch before every Internet connection it makes.
It installs a keystroke recorder.
Allows backdoor access in case someone deletes the hidden account.
Grabs the Open Firmware password.
Installs OSXvnc.
Grabs your Office 2004 PID (serial number), as well as serial numbers for Mac OS X Server, Adobe registrations, VirtualPC 6, Final Cut Pro, LittleSnitch, Apple Pro Apps, your DynDNS account, Timbuk2, and web server users, to name a few.
It tries to decrypt all the MD5-encrypted user passwords.
Decrypts all users' keychains.
Grabs your AIM logs, and tons of other settings and preferences with info you probably don't want folks to have... even your bash (terminal) history.
Grabs stuff from your Classic preferences.
Changes your LimeWire settings to max out your uploads and files.
The hidden user account is called LDAP-daemon instead of the name "hacker" used in earlier versions. Looks more innocent than "hacker".
Even has your daily cron task try to get your password from the virtual memory swap file.
It installs an app called John the Ripper - a password cracker that uses a dictionary method to crack passwords.
Installs dsniff to sniff for passwords...
I really don't know what to make of this. On the one hand, it may be just a hoax, perhaps a "proof-of-concept" similar to the silly "MP3 Trojan" that Intego made such a big fuss over a while ago. It seems that it needs admin access, which means it can't be installed without the user knowing. Still, who's to stop anyone from passing it around as a new Microsoft or Apple updater?
Still, I can't help but feel really skeptical about this.
[EDIT] Here's the link to the forum on Macintosh Underground, where development of this script is still very active. I still get the feeling that it's meant as more of a proof-of-concept than anything else.
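As an added example (not code from the original post, and not part of the Opener script itself), here is a small offline triage script that checks for two of the indicators in the quoted list: a hidden local account with one of the names the thread mentions, and a cron entry that touches the swap file or runs one of the tools it says get installed. Everything it reads is constructed sample data; the passwd-style input format, the dotted home directory, and the rule that flags any non-root account with UID 0 are my assumptions, not claims from the thread. On a live machine you would pipe in your directory-service account listing and each user's `crontab -l` output instead.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Opener script.
# Offline triage checks for two indicators in the quoted description:
#   1. a hidden local account (the thread names "LDAP-daemon" and "hacker")
#   2. a cron entry that touches the swap file or runs one of the installed tools
# Inputs are read from stdin as text so the checks run anywhere; on a live
# machine you would pipe in your directory-service account listing and the
# output of "crontab -l" for each user instead.

# Account names the thread attributes to Opener (page content).
SUSPECT_ACCOUNTS="LDAP-daemon hacker"
# Tools the thread says Opener installs (page content).
SUSPECT_TOOLS="ohphoneX OSXvnc john dsniff"

# find_hidden_accounts: read passwd-style lines (name:pw:uid:gid:gecos:home:shell)
# from stdin and print one line per finding. Two rules:
#   - the account name is on SUSPECT_ACCOUNTS
#   - the account has UID 0 but is not "root" (assumption: a generic backdoor
#     check, not something the thread states about Opener)
find_hidden_accounts() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ -z "$name" ] && continue
        for s in $SUSPECT_ACCOUNTS; do
            if [ "$name" = "$s" ]; then
                echo "suspect-name $name uid=$uid home=$home shell=$shell"
            fi
        done
        if [ "$uid" = "0" ] && [ "$name" != "root" ]; then
            echo "uid0-nonroot $name home=$home shell=$shell"
        fi
    done
}

# find_suspicious_cron: read crontab lines from stdin, drop comments and blank
# lines, and print any line that mentions the swap file or a suspect tool.
# Exit status is grep's: 0 when something was flagged, 1 when nothing was.
find_suspicious_cron() {
    pattern="swapfile"
    for t in $SUSPECT_TOOLS; do
        pattern="$pattern|$t"
    done
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | grep -iE "$pattern"
}

# Constructed sample input (not real data from an infected machine). The
# dotted home directory and the job name are assumptions made for the sample.
SAMPLE_PASSWD='root:*:0:0:System Administrator:/var/root:/bin/sh
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
alice:*:501:501:Alice:/Users/alice:/bin/bash
LDAP-daemon:*:502:502:LDAP Daemon:/Users/.LDAP-daemon:/bin/bash'

SAMPLE_CRON='# daily housekeeping
15 3 * * * /usr/sbin/periodic daily
30 4 * * * /Users/.LDAP-daemon/.swapjob.sh /var/vm/swapfile0'

# Run both checks over the samples; each prints exactly one finding.
echo "== accounts =="
printf '%s\n' "$SAMPLE_PASSWD" | find_hidden_accounts
echo "== cron =="
printf '%s\n' "$SAMPLE_CRON" | find_suspicious_cron
```

The name match is deliberately exact rather than a substring match, so a legitimate account whose name merely contains "ldap" is not flagged; the cron check is the looser of the two and is meant as a starting point for a manual look, not a verdict.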
Comments
And further, if this thing gets out in the wild as the real deal, people will find the creator(s) and that person or persons will get hung upside down by their pinky toes from a meat hook and poked with a sharp hot stick by all Mac OS X users in turn. If it is the Mac Underground behind it, they better hope it stays a "proof of concept," or the Iraq War will look like a friendly game of Parcheesi compared to what's coming their way. Makes me wonder what the concept is that they're trying to prove.
[added]
I just read more from people who know what they're talking about at MacNN. If what they say is true, then the actual impact on Mac users will be limited aside from the hype it would generate.
Crap like this is waaaaay blown out of proportion. I mean you already need Admin! This doesn't spread itself, nor cover its tracks. It uses well known UNIX tools. It's not an issue. Pfft. We are still virus free. And basically invincible. Mac OS X is a fortress!
Originally posted by Aquatic
I never understood that warning!? I get that on GraphicConverter all the time.
Crap like this is waaaaay blown out of proportion. I mean you already need Admin! This doesn't spread itself, nor cover its tracks. It uses well known UNIX tools. It's not an issue. Pfft. We are still virus free. And basically invincible. Mac OS X is a fortress!
But C|Net is already sharpening its knives: 'New Virus invades Apple's OS!'.
(It doesn't belong to the Murdoch group, does it?)
Supposition only, but there are rumours connecting those dots.
And they don't even know the difference between a virus and a trojan. Oh well ...
Originally posted by BigBlue
And they [C|net] don't even know the difference between a virus and a trojan. Oh well ...
Heh, I bet they haven't heard that "sudo rm -rf /" exists from day one, the most malicious virus on earth, spreading itself by forcing users into typing the above command in CLI and hitting the Return key. Macs are doomed. The world is over.
Originally posted by costique
Heh, I bet they haven't heard that "sudo rm -rf /" exists from day one, the most malicious virus on earth, spreading itself by forcing users into typing the above command in CLI and hitting the Return key. Macs are doomed. The world is over.
Hm, no safe parallel world anymore
Originally posted by rampancy
Someone on /. remarked that "Viruses on OS X!" is the new "Apple is Doomed!". Pretty astute, I think, given all of the online media hype that this and the "MP3 Trojan" has gotten.
Yeah, you'd think at least some editors would research their articles before they spread FUD. Hehe, wait until Thurrott gets hold of this.
Originally posted by r3dx0r
Yeah, you'd think at least some editors would research their articles before they spread FUD. Hehe, wait until Thurrott gets hold of this.
Who??