Renepo worm targets Mac OS X

SH/Renepo-A is a shell script worm targeted at the Macintosh OS X platform. If run on your computer (either accidentally or by design), it copies itself to the local startup directory (/System/Library/StartupItems) and to any other mounted volumes, including other computers on your network. SH/Renepo-A also makes infected StartupItems folders world-writeable; since anything in a StartupItems folder is run as root at boot, any local user can then drop a script there that gains root at the next restart, which leaves a persistent backdoor on every system it infects.

Note that any attacker trying to plant this worm in your network would need to get root access on one of your boxes first, meaning that you would already be “owned”. Nevertheless, SH/Renepo-A collects into a single script a wide range of anti-security attacks. Once the worm has run on your computer, it will compromise system security in many ways, including:

– turning off system accounting and logging
– turning off the OS X firewall
– turning off software auto-updates
– turning off LittleSnitch (a security program for OS X)
– turning on filesharing
– turning on ssh
– making key system files world-writeable
– installing ohphoneX (a voice and video sharing program for OS X)
– installing John the Ripper (a password cracker)
– installing dsniff (a password sniffer)
– logging the IP numbers of infected computers to a remote server
– creating a directory in which to stash harvested data (/.info)
– harvesting application, user and system data
– collecting Windows password hashes from samba
– searching for VNC password information
– trawling for passwords in the swap file
– creating a new admin-level user (LDAP-daemon)

More info: http://www.sophos.com.au/virusinfo/analyses/shrenepoa.html

MacDailyNews Take: More information about this worm, also known as “Opener,” can be found at MacInTouch here. Remember that root access is required for this worm. Do not run your Mac OS X machine as “root” unless you know what you’re doing. More about root or superuser Mac OS X user levels here.
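A read-only audit for three of the indicators listed above, added here as an example (it is not from the article, from Sophos, or from the worm itself). The StartupItems path, the /.info directory and the LDAP-daemon account name are taken from the article; the ROOT parameter is an assumption made here so the checks can be pointed at a mounted volume or a test directory instead of the live system, and the user listing is read from a file so the same check works with NetInfo (Mac OS X 10.3) or Directory Services (10.4 and later) output. Checks for the firewall, ssh and filesharing toggles are left out because the article does not say how the worm changes them.

```shell
#!/bin/sh
# Added example, not part of the original article or of Sophos's analysis.
# ROOT defaults to the live system ("" means paths start at /); passing a
# mounted volume or a fixture directory is an assumption made for this example.

# Report StartupItems folders with the other-write bit set (the worm makes
# infected ones world-writeable). The mode bits are read with find -perm rather
# than test -w, because -w answers for the caller (always true for root),
# not for "others".
find_world_writable_startupitems() {
    root="${1:-}"
    dir="$root/System/Library/StartupItems"
    [ -d "$dir" ] || return 0
    find "$dir" -mindepth 1 -maxdepth 1 -type d -perm -0002 | sort |
        sed 's/^/world-writeable StartupItem: /'
}

# Report the hidden /.info directory the worm creates to stash harvested data.
find_info_stash() {
    root="${1:-}"
    [ -d "$root/.info" ] && echo "harvest directory present: $root/.info"
    return 0
}

# Read "name uid" pairs on stdin and flag the LDAP-daemon account the worm
# creates, plus any extra uid-0 account (a backdoor account can carry uid 0
# under any name, so matching on the name alone is not enough).
# Produce the pairs with `nireport . /users name uid` on 10.3, or
# `dscl . -list /Users UniqueID` on 10.4 and later.
audit_user_listing() {
    while read -r name uid; do
        [ -n "$name" ] || continue
        [ "$name" = "LDAP-daemon" ] && echo "Renepo backdoor account present: $name (uid $uid)"
        [ "$uid" = "0" ] && [ "$name" != "root" ] && echo "extra uid 0 account: $name"
    done
    return 0
}

# Run all checks against ROOT and a saved user listing; prints one line per
# finding, or "clean" when nothing was found.
renepo_audit() {
    root="${1:-}"
    listing="${2:-/dev/null}"
    findings=$( {
        find_world_writable_startupitems "$root"
        find_info_stash "$root"
        audit_user_listing < "$listing"
    } )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
    else
        echo clean
    fi
}

# Usage on a live 10.4+ system (run as an admin user):
#   dscl . -list /Users UniqueID > /tmp/users.txt && renepo_audit "" /tmp/users.txt
```

The audit only reads the filesystem and the account listing; it does not change permissions or remove anything, so it is safe to run on a machine you suspect before deciding whether to rebuild it. Because the worm already has root by the time these traces exist, a positive finding should be treated as a full compromise rather than something to clean up in place.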

57 Comments

  1. There is a long discussion of this on the Apple section of Slashdot. The general consensus is that this is not something to worry about. It most definitely is not a virus.

  2. If you have to be owned first it is not a threat, it’s another proof of concept. There is only 1 way it can infect most of us. We would have to download it and run it ourselves. For you masochists out there, have fun. For everyone else, it is just another false alarm.

  3. Basically it’s a hack with a worm or it could be a trojan. To date, the only way to get the thing on your machine is by someone remotely hacking into your system or someone physically sitting in front of your machine and installing it.

    Now the problem is, that people can be easily duped into installing things from untrusted sites, if they think it will benefit them. So if someone came along and built a “handy” little app that included the virus as a payload, your system could be compromised. Alternatively, if you let your hacker friend borrow your laptop for five minutes, you could get it.

    Additionally, if you did get it on your main machine, and brought it into your network, and all your network passwords were the same, or stored in your keychain, then you could compromise your entire network.

    Not to discount the severity, because the program does a lot, it just isn’t easy to get. Basically, it allows an untrained person who has access to your machine, the same ability as a trained person who has access to your machine. Which is scary enough, because, I know I let a host of people use my machine in 1-3 minute stints just to show off Mac OS X. It’s never bothered me, because, I’ve always been fairly confident that most of them had never even heard of a shell script, let alone know how to write one. Turns out now they don’t have to, all they need is a file, and a jumper drive, since I’m always logged in as Admin, but never as root.

  4. Buffy, I believe that the “installer” of such a worm would need root access. Once that’s done, it would not matter how you run your system. However, if you don’t run your system as root and have not given root access to someone else on your system, I don’t think you need to worry.

  5. From the sounds of this – it can only possibly affect less than 1% of OSX users. Those who don’t know anything about the root user (Unix command base – not administrator!) will have nothing to fear.

    It’s only for those who are real boffins – and they’re most likely to know what they’re doing.

  6. If this is a worm that means you have to download it and then run it yourself on purpose right? I have read that it will run if you are an admin user too (which is most users I think). It will ask for your password and if you give it then it will install itself.

    I am not an expert on this so please correct me if I am wrong in the above take.

    So the lesson seems to be that you should only download and run programs from trusted sources which is pretty much basic common sense from a security viewpoint.

    Bummer that someone came up with this since it would constitute the first malware out there for the Mac but from what I read it does not seem like it has much chance of spreading.

  7. The article plainly states you need to be logged in as root for this – so it’s no big deal. Most of us don’t even have root enabled. And the lay-person wouldn’t know where to go to even turn it on.

    I suppose the worst thing would be if someone wrote a script to toggle root on/off – but you would still need an admin pass to pull that off.

  8. This is the post from the guy that discovered the hole and notified Apple a month ago about it!

    http://www.carrel.org/dhcp-vuln.html

    Abstract
    A series of seemingly innocuous default settings can cause an affected Mac OS X machine to trust a malicious machine on a network for user, group, and volume mounting settings.

    What does this mean to the average user
    Anyone who can gain access to your network can gain administrator (root) access to your computer and therefore steal your data or launch attacks upon others as soon as you reboot your machine. System administrators and users of affected software should read the section “Workarounds” for immediate actions to protect their machines. It is important to note that WEP security in 802.11b/g (AirPort/AirPort Extreme) wireless networks is generally not sufficient to protect your network from access by an attacker.

    Answers to Frequently Asked Questions
    Is there a patch available from Apple to resolve this issue?
    Yes! Apple’s security update of 19 December 2003 resolves this issue for Mac OS X 10.2 and 10.3 operating systems by changing the default setting to not having DHCP enabled for locating LDAP sources.

    Do I have to necessarily boot into the malicious environment to fall prey to this vulnerability?
    Contrary to the original versions of this advisory, it turns out that you don’t in fact have to boot into the malicious environment for its LDAP and NetInfo server to be used by your machine. In the default configuration, Mac OS X will add these servers to your authentication path in Directory Access as soon as a DHCP lease is obtained or renewed by a malicious DHCP responder.

    Is my machine safe if I have the root account “turned off”?
    No. The account attacking can be uid 0 and have any other name in the universe that is a valid account name.

  9. Hmmmmmmmm….. Maybe that was an earlier vulnerability…

    I was linked to it from MacSlash…

    Well, darn…. I never thought I’d have to worry about this type of thing with the Mac… Guess it was just a matter of time.

  10. What is the issue? According to the person who discovered it, the vulnerability was updated 10 months ago. It is fixed. No problem. Still no malware for the Mac.

    Mike

  11. This is ABSOLUTELY NOTHING.

    ANYBODY could write a script, for any platform, that could do BAD THINGS if he already had root access. That’s the whole point of root access, that you can do anything from there, for good or bad.

    You could just as well call Terminal a trojan horse.

    On the other hand, it’s insidious that the script gathers all of these little modifications into one place. The danger is that, if anybody ever DOES develop a virus for Mac OS X, one that fools an administrator user into granting it root access, they’ll be able to install something like this with it, and then the Hounds of Hell will be loosed.

    More realistically though, by the time this happens, every Windows machine will already have melted down into radioactive sludge long ago from its constant barrage of viruses and other malware.

  12. Ya bunch of morons. It HAS ALWAYS BEEN POSSIBLE TO DO THIS.

    I think these Sophos people wrote it. Seems they are always harping on OS X security problems… then getting upset when they aren’t taken seriously.
