SH/Renepo-A is a shell script worm targeted at the Macintosh OS X platform. If run on your computer (either accidentally or by design), it copies itself to the local startup directory (/System/Library/StartupItems) and to any other mounted volumes, including other computers on your network. SH/Renepo-A also makes infected StartupItems folders world-writeable, thus opening a dangerous backdoor on any system it infects.
Note that any attacker trying to plant this worm in your network would need to get root access on one of your boxes first, meaning that you would already be “owned”. Nevertheless, SH/Renepo-A collects into a single script a wide range of anti-security attacks. Once the worm has run on your computer, it will compromise system security in many ways, including:
– turning off system accounting and logging
– turning off the OS X firewall
– turning off software auto-updates
– turning off LittleSnitch (a security program for OS X)
– turning on filesharing
– turning on ssh
– making key system files world-writeable
– installing ohphoneX (a voice and video sharing program for OS X)
– installing John the Ripper (a password cracker)
– installing dsniff (a password sniffer)
– logging the IP numbers of infected computers to a remote server
– creating a directory in which to stash harvested data (/.info)
– harvesting application, user and system data
– collecting Windows password hashes from samba
– searching for VNC password information
– trawling for passwords in the swap file
– creating a new admin-level user (LDAP-daemon)
More info: http://www.sophos.com.au/virusinfo/analyses/shrenepoa.html
MacDailyNews Take: More information about this worm, also known as “Opener,” can be found at MacInTouch here. Remember that root access is required for this worm. Do not run your Mac OS X machine as “root” unless you know what you’re doing. More about root or superuser Mac OS X user levels here.
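As an added example (not code from Sophos, MacInTouch or MacDailyNews), the POSIX shell script below audits a volume for the file-level traces the list above attributes to the script: world-writable entries under /System/Library/StartupItems, the /.info stash directory, and an LDAP-daemon account. The function name renepo_audit and its root-path argument are assumptions made here so the check can be pointed at a mounted volume or at a constructed test tree; it only reports and changes nothing.

```shell
#!/bin/sh
# Added example, not code from Sophos or MacDailyNews: a read-only audit for
# the host-side traces the write-up attributes to SH/Renepo-A (Opener).
# Assumption: $1 is the mount point to inspect (default "/"), so the same
# function can be run against another mounted volume or a test tree.

# Return the Unix permission string of a path, e.g. "drwxrwxrwx".
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Audit one volume. Prints one line per finding; exit status 0 means clean.
renepo_audit() {
    root="${1:-/}"
    hits=0
    items="$root/System/Library/StartupItems"

    # The worm makes infected StartupItems folders world-writable, so check
    # the folder itself and every entry inside it. Column 9 of the
    # permission string is the "other" write bit.
    if [ -d "$items" ]; then
        for entry in "$items" "$items"/*; do
            [ -e "$entry" ] || continue
            if [ "$(perm_string "$entry" | cut -c9)" = "w" ]; then
                echo "WORLD-WRITABLE: $entry"
                hits=$((hits + 1))
            fi
        done
    fi

    # The worm stashes harvested data in /.info on the infected volume.
    if [ -d "$root/.info" ]; then
        echo "STASH-DIR: $root/.info"
        hits=$((hits + 1))
    fi

    # The worm adds an admin-level user named LDAP-daemon. Assumption: only a
    # flat passwd file is inspected; local accounts on OS X of that era lived
    # in NetInfo, so on a live system this is a partial check.
    if [ -f "$root/etc/passwd" ] && grep -q '^LDAP-daemon:' "$root/etc/passwd"; then
        echo "ROGUE-USER: LDAP-daemon in $root/etc/passwd"
        hits=$((hits + 1))
    fi

    [ "$hits" -eq 0 ]
}
```

Run it as `renepo_audit /` on the boot volume or `renepo_audit /Volumes/SomeDisk` on a mounted one; a non-zero exit status with one line per finding is what a cron job or a login script would act on. Because the script of the write-up also disables logging and the firewall, a clean result here only covers the file-level traces, not the service changes.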
There is nothing to see here…just move along…
Another false alarm. Thank you, Apple, for giving us a system that isn't affected by mail worms, viruses, etc., and spyware and adware.
Just another lame attempt to try and get people to buy anti-virus software. Sophos has done this before anyway…
….as usual around here — it’s not just a river in Egypt….
OK, thank you everyone.
As I understand it, someone took every malicious script/program, bunched them into one package and said “I can get root access and run this” and then called it a Mac virus?
As MDN said, if someone has root access, you will already be “owned”.
Damn, if I had a key to your office and an OS X install disk, I could erase all your data. Apple better fix that ;)
Whatever. Last look at Terminal I was up for 24 days… a little Security Update if it’s necessary (which I don’t) and move along.
Wise words below from MacFixIt. If you adhere to them, this threat will die;
“Finally, and perhaps most importantly, never provide your administrator password to an untrusted application or install routine. Make sure, when downloading applications from any source, that the author is reputable and (if possible) other users have already tested the release. Unwittingly giving arbitrary code the permission to run is perhaps the greatest current security threat for Mac OS X users.”
This is the result of everyone talking about how secure X is. No big deal though. But I bet we will see some real shit in the future.
Give me a call when something like this is actually detected in the wild. It’s not denial, it’s called reality. Since this exploit isn’t actually out in the wild, it’s not a threat.
One of the issues here is the keylogger. While changing the firewall and dealing with ssh keys and stuff require root access… does running a background keylogger require root access? Sooner or later someone is going to type in an administrator password — all administrators are in the sudoers file. If the keylogger can pick up any administrator’s password, it can then execute all the other payloads as root. Thank goodness it can’t propagate itself.
Security begins at home.
This poses NO THREAT to any system that is properly set up and maintained. It’s not even a valid “proof-of-concept”.
To anyone using a Mac in a home desktop setup: if you run your system on the Admin “Root” user account- shame on you. On a network, you are only as safe as your SysAdmin wants you to be.
Simple rule–nobody has developed a foolproof system to prevent you from hosing your own computer.
This appears to be more bark than bite.
macnn forums have plenty to say about it.
At this stage there really is nothing to concern ourselves with. (Unless you let any old body have access to your Mac.)
Not disagreeing with the previous post by Jimbo von Winskinheimer, but that was not me. I don’t really see the need to post under someone else’s nickname on this forum. If you believe something, post it under your own nick rather than using mine.
So now Mac apologists bend over again to suck Jobs’ dick. Mac virus? Oh no! It’s impossible!
I could make a stupid shell script that would rm -r everything, and that would require you to run it as root. I wonder if that would be given the name of “First Real Mac Virus! Deletes everything!”
says Reality check who regularly gets gang banged from all of MS top brass while wearing a ball gag
sorry, just saw Pulp Fiction, Great Movie!
It’s amazing how easy it is to get people in a frenzy over what amounts to nothing more than poor journalism.
1) There is no need to panic. This is not a virus or in any way, a breach of security or even a reflection of poor security.
2) This is not a worm. MDN, do your homework, is this piece of malware spreading like wildfire over a network? No? Then by definition, it’s not a worm.
What it is, is nothing more than a script that’s intentionally designed to do bad things. Anyone can write a script to do bad things. It still requires the user to grant permission, via manually entering your password, before it can do anything! Now, if you’re dumb enough to download something from a site you don’t trust, then you’re susceptible to installing malware on a regular basis. There is no level of security which will prevent a program, which you give permission via password, from potentially doing bad things.
Anyway, poor journalism for labeling this as anything but malware or perhaps a Trojan Horse. This is not a virus or a worm and cannot automatically attack your machine unless you launch the script and also provide it with a password.
Steve
Another simple rule–ignore people who use terms without knowing their meanings:
(1) worm: 1. A computer virus capable of disrupting a computer program. [After Weik ’96] 2. A self-contained program that can propagate itself through systems or networks. Note: Worms are often designed to use up available resources such as storage or processing time. [ANSDIT] 3. [An] independent program that replicates from machine to machine across network connections, often clogging networks and computer systems as it spreads. [INFOSEC-99]
(2) virus: 1. An unwanted program which places itself into other programs, which are shared among computer systems, and replicates itself. Note: A virus is usually manifested by a destructive or disruptive effect on the executable program that it affects. 2. Self-replicating, malicious program segment that attaches itself to an application program or other executable system component and leaves no obvious signs of its presence.
The fundamental quality of both worms and viruses is that they are self-replicating and able to spread themselves–a worm by replicating itself through a network, a virus by attaching itself to other programs.
A program that cannot self-replicate is neither a worm nor a virus.
This Opener thing cannot self-replicate, thus is neither a virus nor a worm. Nor, as someone else explained above, is it a trojan.
It is a script that you, or someone else with the same access to your computer as you, can install on your computer that does nasty things. Which brings us to my previous post–no one can stop you from hosing your own computer if you are smart enough or dumb enough to do it. :)
made by the ‘anti’ virus industry to sell antivirus programs. pathetic!
Buffy wrote:
“Damn, if I had a key to your office and an OS X install disk, I could erase all your data. Apple better fix that ;)”
Already done (sort of). Isn’t there an Open Firmware setting to prevent single-user or CD booting?
Although nothing can withstand someone who has physical access and time. Forget wireless, we need a Reality Distortion Field emitter to ward off the bad guys. :)
-sip
About time. Now maybe windows people will take us seriously.
Why is this causing so much concern? It is a script. Scripts have been able to be run on ALL platforms for years. Let me run a script on any platform as an administrator and I will be able to do serious things to the OS and gather a lot of information. The fact that this doesn’t and can’t propagate itself AND it somehow has to gain administrator access to work tells me that it isn’t a serious threat. Will I continue to be cautious about what I run as Admin? Yes, but no amount of security measures can prevent that without severely limiting what I can do with my computer.
“Sophos writes/releases a script and calls it a virus”
“Security firm Sophos, tired of having no real Mac support, today announced the release of “Opener” a malicious script which requires root access to run and which will turn your Mac into a mindless drone.”
I guess this is what happens when business is slow.
Expect to see variants of this script in the wild soon.