Renepo worm targets Mac OS X

SH/Renepo-A is a shell script worm targeted at the Macintosh OS X platform. If run on your computer (either accidentally or by design), it copies itself to the local startup directory (/System/Library/StartupItems) and to any other mounted volumes, including other computers on your network. SH/Renepo-A also makes infected StartupItems folders world-writeable, thus opening a dangerous backdoor on any system it infects.

Note that any attacker trying to plant this worm in your network would need to get root access on one of your boxes first, meaning that you would already be “owned”. Nevertheless, SH/Renepo-A collects into a single script a wide range of anti-security attacks. Once the worm has run on your computer, it will compromise system security in many ways, including:

– turning off system accounting and logging
– turning off the OS X firewall
– turning off software auto-updates
– turning off LittleSnitch (a security program for OS X)
– turning on filesharing
– turning on ssh
– making key system files world-writeable
– installing ohphoneX (a voice and video sharing program for OS X)
– installing John the Ripper (a password cracker)
– installing dsniff (a password sniffer)
– logging the IP numbers of infected computers to a remote server
– creating a directory in which to stash harvested data (/.info)
– harvesting application, user and system data
– collecting Windows password hashes from samba
– searching for VNC password information
– trawling for passwords in the swap file
– creating a new admin-level user (LDAP-daemon)

More info: http://www.sophos.com.au/virusinfo/analyses/shrenepoa.html
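As a defender-side illustration of the behaviours listed above, here is an added triage script (not Sophos's or MacDailyNews's code) that scans a volume root for three of the filesystem indicators the writeup names: world-writable StartupItems, the /.info stash directory, and ssh switched on. The SSHSERVER key in /etc/hostconfig and the function names are assumptions about a 10.3-era system; the script checks every mounted volume because the worm copies itself to each one.

```shell
#!/bin/sh
# Renepo/Opener triage (added example, not Sophos's or MacDailyNews's code).
# Checks a volume root for filesystem indicators the writeup lists:
# world-writable StartupItems, the /.info stash directory, and ssh turned on.
# Each check prints what it found and returns 1 on a hit, 0 when clean.

# World-writable entries under <root>/System/Library/StartupItems.
check_startupitems() {
    dir="$1/System/Library/StartupItems"
    [ -d "$dir" ] || return 0
    found=$(find "$dir" -perm -002 2>/dev/null)
    [ -z "$found" ] && return 0
    printf 'world-writable under %s:\n%s\n' "$dir" "$found"
    return 1
}

# The worm creates /.info on the infected volume to stash harvested data.
check_info_dir() {
    [ -d "$1/.info" ] || return 0
    printf 'stash directory present: %s/.info\n' "$1"
    return 1
}

# Assumption: on 10.3-era systems remote login is toggled by SSHSERVER in
# /etc/hostconfig; the worm turns ssh on, so -YES- is an indicator to review.
check_ssh_enabled() {
    cfg="$1/etc/hostconfig"
    [ -f "$cfg" ] || return 0
    grep -q '^SSHSERVER=-YES-' "$cfg" || return 0
    printf 'ssh enabled in %s\n' "$cfg"
    return 1
}

# Run every check on one volume root; exit status is the number of hits.
scan_volume() {
    hits=0
    check_startupitems "$1" || hits=$((hits + 1))
    check_info_dir "$1" || hits=$((hits + 1))
    check_ssh_enabled "$1" || hits=$((hits + 1))
    return $hits
}

# The worm copies itself to every mounted volume, so scan them all.
total=0
for root in / /Volumes/*; do
    [ -d "$root" ] || continue
    scan_volume "$root" || total=$((total + $?))
done
printf '%d indicator(s) found\n' "$total"
```

Run it as root so the StartupItems directories on every volume are readable; a non-zero indicator count is a prompt for a manual look, not proof of infection.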

MacDailyNews Take: More information about this worm, also known as “Opener,” can be found at MacInTouch here. Remember that root access is required for this worm. Do not run your Mac OS X machine as “root” unless you know what you’re doing. More about root or superuser Mac OS X user levels here.

57 Comments

  1. There is a long discussion of this on the Apple section of Slashdot. The general consensus is that this is not something to worry about. It most definitely is not a virus.

  2. If you have to be owned first it is not a threat, it’s another proof of concept. There is only 1 way it can infect most of us. We would have to download it and run it ourselves. For you masochists out there, have fun. For everyone else, it is just another false alarm.

  3. Basically it’s a hack with a worm or it could be a trojan. To date, the only way to get the thing on your machine is by someone remotely hacking into your system or someone physically sitting in front of your machine and installing it.

    Now the problem is, that people can be easily duped into installing things from untrusted sites, if they think it will benefit them. So if someone came along and built a “handy” little app that included the virus as a payload, your system could be compromised. Alternatively, if you let your hacker friend borrow your laptop for five minutes, you could get it.

    Additionally, if you did get it on your main machine, and brought it into your network, and all your network passwords were the same, or stored in your keychain, then you could compromise your entire network.

    Not to discount the severity, because the program does a lot, it just isn’t easy to get. Basically, it allows an untrained person who has access to your machine, the same ability as a trained person who has access to your machine. Which is scary enough, because, I know I let a host of people use my machine in 1-3 minute stints just to show off Mac OS X. It’s never bothered me, because, I’ve always been fairly confident that most of them had never even heard of a shell script, let alone know how to write one. Turns out now they don’t have to, all they need is a file, and a jumper drive, since I’m always logged in as Admin, but never as root.

  4. Buffy, I believe that the “installer” of such a worm would need root access. Once that’s done, it would not matter how you run your system. However, if you don’t run your system as root and have not given root access to someone else on your system, I don’t think you need to worry.

  5. From the sounds of this – it can only possibly affect less than 1% of OSX users. Those who don’t know anything about the root user (Unix command base – not administrator!) will have nothing to fear.

    It’s only for those who are real boffins – and they’re most likely to know what they’re doing.

  6. If this is a worm that means you have to download it and then run it yourself on purpose right? I have read that it will run if you are an admin user too (which is most users I think). It will ask for your password and if you give it then it will install itself.

    I am not an expert on this so please correct me if I am wrong in the above take.

    So the lesson seems to be that you should only download and run programs from trusted sources which is pretty much basic common sense from a security viewpoint.

    Bummer that someone came up with this since it would constitute the first malware out there for the Mac but from what I read it does not seem like it has much chance of spreading.

  7. The article plainly states you need to be logged in as root for this – so it’s no big deal. Most of us don’t even have root enabled. And the lay-person wouldn’t know where to go to even turn it on.

    I suppose the worst thing would be if someone wrote a script to toggle root on/off – but you would still need an admin pass to pull that off.
