First Mac OS X malware reported

October 22, 2004 at 5:53 pm Mike 7 comments

Macintouch reports that the first instance of destructive malware for the Mac has been identified. It doesn’t appear to spread on its own, however.

It appears as an item called “Opener” in /Library/StartupItems containing a bash script. When a system starts up, this item will run and does the following:

tries to install ohphoneX, a teleconferencing program
kills LittleSnitch before every Internet connection it makes
installs a keystroke recorder
creates a hidden account
grabs the open-firmware password
Installs OSXvnc
Grabs your office 2004 PID (serial number), as well as serial numbers for Mac OS XServer, adobe registrations, VirtualPC 6, Final Cut Pro, LittleSnitch, Apple Pro Apps, your DynDNS account, Timbuk2, and webserver users.
tries to decrypts all the MD5 encrypted user passwords
decrypts all users keychains.
grabs your AIM logs, and other settings and preferences with info you probably don’t want others to have
grabs stuff from your Classic preferences
ghanges your Limewire settings to max out your upload and files.
installs dsniff to sniff for passwords
has your daily cron task try to get your password from the virtual memory swapfile
installs an app called John The Ripper – a password cracker that uses a dictionary method to crack passwords
turns on file sharing and places the information it gathers in a hidden directory called .info inside your public folder.

The hidden user account is called LDAP-daemon.

One way to see if you’re infected is by entering the following command in the terminal:

sudo ls -l /Users/*/Public/.info

If you’re NOT infected, it will show:

ls: /Users/*/Public/.info: No such file or directory

Security none

Comments

Written by Anonymous about 2010 years ago.

Opener HAD to be installed by someone with Admin access to your machine…
Sharing your admin password is already a security problem
Written by mike about 2010 years ago.

The Macintouch article points it out. However, the code is easily available and there’s a possibility that it may be made to spread in the future.
Written by Anonymous about 2010 years ago.

Highly unlikely. This is what is called a “root kit” and is a sort of secondary infection. Script kiddie exploits known hole in software, such as SSH or what-have-you and then installs this collection of hacks to gather information from the system. Most of the kit in question is simply stuff ported from Linux (the “other” secure OS) to run on Darwin/OSX.

Root kits do not self-propagate, by definition. A script kiddie can write (or have someone write) a script that installs the kit after a successful crack, but the kit will never do that work.

Keep applying security updates and you won’t have to worry about this kit.
Written by Anonymous about 2010 years ago.

If it asks for a password when you type that into the command is that a bad thing? If it is how can I fix this problem.
Written by Anonymous about 2010 years ago.

sudo -command means that the command after it (in this case ls -l /Users/*/Public/.info) is executed with admin rights. And if something is executed with admin rights you need to verify, that you indeed are the system administrator. And how do you verify that? By asking the password…
Written by Anonymous about 2010 years ago.

Non issue. It’s a trojan, it can’t propagate on it’s own, none issue.
Written by Anonymous about 2010 years ago.

It’s important to keep in mind that this script can not be “run” in the usual sense. Double-clicking it will not run it. It would have to be executed from the command line or installed as a startup item to run at all.

Most Mac users don’t know how to do either of those things.

Comment Pages:

MacMegasite

First Mac OS X malware reported

Comments

Categories

Archives

Recent Forum Posts

Meta