First Mac OS X malware reported

Macintouch reports that the first instance of destructive malware for the Mac has been identified. It doesn’t appear to spread on its own, however.

It appears as an item called “Opener” in /Library/StartupItems containing a bash script. Startup items run as root when the system boots, so this script has full control of the machine when it runs and does the following:

  • tries to install ohphoneX, a teleconferencing program
  • kills LittleSnitch before every Internet connection it makes
  • installs a keystroke recorder
  • creates a hidden account
  • grabs the Open Firmware password
  • installs OSXvnc
  • grabs your Office 2004 PID (serial number), as well as serial numbers for Mac OS X Server, Adobe registrations, VirtualPC 6, Final Cut Pro, LittleSnitch, Apple Pro Apps, your DynDNS account, Timbuktu, and web server users
  • tries to crack the users’ MD5 password hashes (a hash cannot be decrypted, so this is dictionary guessing; see John the Ripper below)
  • decrypts every user’s keychain
  • grabs your AIM logs, and other settings and preferences with info you probably don’t want others to have
  • grabs stuff from your Classic preferences
  • changes your LimeWire settings to max out your upload and files
  • installs dsniff to sniff for passwords
  • has your daily cron task try to get your password from the virtual memory swap file
  • installs an app called John the Ripper, a password cracker that uses a dictionary method to crack passwords
  • turns on file sharing and places the information it gathers in a hidden directory called .info inside your Public folder
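
The “dictionary method” the list mentions is worth seeing once, because it explains why a password hash is cracked rather than decrypted: the cracker hashes each candidate word and compares the result with the stolen hash. The script below is an added example, not Opener’s code and not John the Ripper; it runs the method against a single unsalted MD5 hash, with the target hash and the word list constructed here for illustration.

```shell
#!/bin/sh
# Added example: dictionary attack on one unsalted MD5 hash, the way a tool like
# John the Ripper works in its simplest mode. The hash and word list are constructed
# for this demo; they are not data from the Opener kit.

# md5_hex STRING: print the lowercase MD5 hex digest of STRING (no trailing newline).
# md5sum is GNU coreutils; Mac OS X ships md5, which prints only the digest for stdin.
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | md5
    fi
}

# crack_md5 HASH WORDLIST_FILE: hash every word in the file and compare it with HASH.
# Prints the matching word and returns 0 on success; returns 1 if no word matches.
# Nothing here "decrypts" anything: the only way in is to guess the right input.
crack_md5() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    while IFS= read -r word || [ -n "$word" ]; do
        if [ "$(md5_hex "$word")" = "$target" ]; then
            echo "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# Stand-alone demo with a constructed word list and the MD5 of "password".
demo_wordlist=$(mktemp)
printf '123456\nqwerty\npassword\nmonkey\n' > "$demo_wordlist"
if crack_md5 5f4dcc3b5aa765d61d8327deb882cf99 "$demo_wordlist"; then
    echo "cracked by dictionary"
else
    echo "not in word list"
fi
rm -f "$demo_wordlist"
```

A real kit would feed it the hashes it collected and a much larger word list; the defence is the same either way: long passphrases that are not in any dictionary, and not letting an attacker obtain the hashes in the first place.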

The hidden user account is called LDAP-daemon.

One way to see if you’re infected is to look for the stash directory by entering the following command in the Terminal (sudo is used so that every user’s home directory can be read, and it will prompt for your administrator password):

sudo ls -l /Users/*/Public/.info

If you’re NOT infected, the shell finds nothing matching the pattern, ls is handed the pattern itself, and it reports:

ls: /Users/*/Public/.info: No such file or directory

Any other output means the directory exists. In that case also look for the “Opener” entry in /Library/StartupItems and for the LDAP-daemon account.
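
The one-line check above only covers the stash directory. As an added example (not part of the Macintouch report or of this post), here is a small POSIX shell script that checks the indicators the post names: the startup item, the .info directory, and the LDAP-daemon account. It takes a root prefix so it can be pointed at a mounted disk image or a test tree instead of the live system; the case-insensitive match on the startup item name and the nicl/dscl commands mentioned in the comments are assumptions to verify on your own Mac OS X version.

```shell
#!/bin/sh
# Added example: look for the Opener indicators described in the post. This is not
# Opener's own code and not from Macintouch. Run it with sudo so every home
# directory is readable.
#
# Indicators checked:
#   1. an "Opener" entry in /Library/StartupItems (case-insensitive match, an assumption)
#   2. a hidden .info directory in any user's Public folder
#   3. a local account named LDAP-daemon (user list supplied on stdin, see below)

# opener_fs_indicators ROOT
# Prints each filesystem indicator found under ROOT (default /). Returns 0 if any
# was found, 1 if the tree looks clean. ROOT lets you scan an image or a test tree.
opener_fs_indicators() {
    root="${1:-/}"
    root="${root%/}"              # strip a trailing slash; "" then stands for /
    found=1

    # 1. Startup item. SystemStarter runs everything in this directory as root at
    #    boot, which is why a script here can install keyloggers and add accounts.
    for item in "$root"/Library/StartupItems/*; do
        [ -e "$item" ] || continue                # unmatched glob stays literal; skip
        case "$(basename "$item")" in
            [Oo][Pp][Ee][Nn][Ee][Rr]) echo "HIT: startup item $item"; found=0 ;;
        esac
    done

    # 2. Stash directory. Same pattern as the post's ls command, but tested with -e
    #    instead of reading ls's error text, so it behaves the same in any shell.
    for stash in "$root"/Users/*/Public/.info; do
        [ -e "$stash" ] || continue
        echo "HIT: stash directory $stash"; found=0
    done

    return $found
}

# opener_account_indicator < user-list
# Reads one user name per line and returns 0 if LDAP-daemon is among them.
# Which command lists local users depends on the OS version (both lines are
# assumptions to verify on your machine):
#   Mac OS X 10.3 (NetInfo):   nicl . -list /users | awk '{print $NF}'
#   Mac OS X 10.4 and later:   dscl . -list /Users
opener_account_indicator() {
    grep -qx 'LDAP-daemon'
}

# Stand-alone use: scan the live system, or the tree given as the first argument.
if opener_fs_indicators "${1:-/}"; then
    echo "Opener filesystem indicators present; also check for the LDAP-daemon account."
else
    echo "No Opener filesystem indicators under ${1:-/}."
fi
```

Usage on the live system is `sudo sh check-opener.sh`, followed by piping the user list into `opener_account_indicator`; a hit on any of the three indicators means the machine should be rebuilt from known-good media rather than cleaned in place, since the kit also installs a keylogger, a VNC server and dsniff.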

7 comments to First Mac OS X malware reported

  • Anonymous

    Opener HAD to be installed by someone with Admin access to your machine…
    Sharing your admin password is already a security problem :-)

  • mike

    The Macintouch article points it out. However, the code is easily available and there’s a possibility that it may be made to spread in the future.

  • Anonymous

    Highly unlikely. This is what is called a “root kit” and is a sort of secondary infection. Script kiddie exploits known hole in software, such as SSH or what-have-you and then installs this collection of hacks to gather information from the system. Most of the kit in question is simply stuff ported from Linux (the “other” secure OS) to run on Darwin/OSX.

    Root kits do not self-propagate, by definition. A script kiddie can write (or have someone write) a script that installs the kit after a successful crack, but the kit will never do that work.

    Keep applying security updates and you won’t have to worry about this kit.

  • Anonymous

    If it asks for a password when you type that command, is that a bad thing? If it is, how can I fix this problem?

  • Anonymous

    The sudo command means that the command after it (in this case ls -l /Users/*/Public/.info) is executed with admin rights. And if something is executed with admin rights, you need to verify that you are indeed the system administrator. And how do you verify that? By asking for the password…

  • Anonymous

    Non-issue. It’s a trojan, it can’t propagate on its own, non-issue.

  • Anonymous

    It’s important to keep in mind that this script cannot be “run” in the usual sense. Double-clicking it will not run it. It would have to be executed from the command line or installed as a startup item to run at all.

    Most Mac users don’t know how to do either of those things.