Renepo worm targets Mac OS X

SH/Renepo-A is a shell script worm targeted at the Macintosh OS X platform. If run on your computer (either accidentally or by design), it copies itself to the local startup directory (/System/Library/StartupItems) and to any other mounted volumes, including other computers on your network. SH/Renepo-A also makes infected StartupItems folders world-writeable, thus opening a dangerous backdoor on any system it infects.

Note that any attacker trying to plant this worm in your network would need to get root access on one of your boxes first, meaning that you would already be “owned”. Nevertheless, SH/Renepo-A collects into a single script a wide range of anti-security attacks. Once the worm has run on your computer, it will compromise system security in many ways, including:

– turning off system accounting and logging
– turning off the OS X firewall
– turning off software auto-updates
– turning off LittleSnitch (a security program for OS X)
– turning on filesharing
– turning on ssh
– making key system files world-writeable
– installing ohphoneX (a voice and video sharing program for OS X)
– installing John the Ripper (a password cracker)
– installing dsniff (a password sniffer)
– logging the IP numbers of infected computers to a remote server
– creating a directory in which to stash harvested data (/.info)
– harvesting application, user and system data
– collecting Windows password hashes from samba
– searching for VNC password information
– trawling for passwords in the swap file
– creating a new admin-level user (LDAP-daemon)

More info: http://www.sophos.com.au/virusinfo/analyses/shrenepoa.html
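As an added audit helper (not code from the Sophos analysis, MacDailyNews, or the worm itself), the following POSIX shell function checks a system root for two of the file-system traces listed above: world-writable entries under /System/Library/StartupItems and the /.info stash directory. The root-path argument is an assumption made so the check can be run against a scratch tree as well as a live machine.

```shell
#!/bin/sh
# Added audit helper; it is not part of the Sophos write-up or of SH/Renepo-A.
# Usage: audit_renepo_traces [ROOT]   (ROOT defaults to "/")
# Findings are printed one per line; the function returns 1 if any were
# found and 0 if the tree is clean.

# Print entries directly under (and including) directory $1 that "other"
# may write to. Prints nothing if the directory does not exist.
world_writable() {
    [ -d "$1" ] || return 0
    find "$1" -maxdepth 1 -perm -002 2>/dev/null
}

audit_renepo_traces() {
    root=${1:-/}
    root=${root%/}                 # strip trailing slash so paths join cleanly
    found=0

    # The worm copies itself here and makes the folder world-writable.
    items="$root/System/Library/StartupItems"
    ww=$(world_writable "$items")
    if [ -n "$ww" ]; then
        printf 'world-writable under %s:\n%s\n' "$items" "$ww"
        found=1
    fi

    # Hidden directory the worm creates to stash harvested data.
    if [ -d "$root/.info" ]; then
        echo "stash directory present: $root/.info"
        found=1
    fi

    return $found
}
```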

MacDailyNews Take: More information about this worm, also known as “Opener,” can be found at MacInTouch here. Remember that root access is required for this worm. Do not run your Mac OS X machine as “root” unless you know what you’re doing. More about root or superuser Mac OS X user levels here.

57 Comments

  1. What about just put a switch on the computer. Turn the power OFF on the disk drive! Tell me how you can get a virus when the disk drive is not spinning??? Come on someone tell me.
    You’ll hear more of this.

  2. Does anyone in or out of MDN monitor these forums (or others) for links that could be misleading people, i.e. links that are really doing something nefarious? Some time ago, while reading a discussion forum much like this one (or this one), I clicked a link for a demonstration of how clicking a link in Safari would pull up the Terminal and type something (allegedly innocuous for the demonstration) as root. It could be used to delete user folders, one’s system folders, etc. if used maliciously.

    Curiosity got the best of me:
    I created a new user
    logged into that user
    went back to the link and clicked.
    Sure enough it launched the Terminal and entered some command (as root or as admin, don’t recall which); seemingly nothing bad occurred.
    With very limited knowledge of UNIX I examined the text and felt secure that I hadn’t just infected my system, but decided that may have been pure luck, as I could have been burned badly had I been tricked. Or was I tricked? Like I said, I have very limited Unix knowledge; do I really know what happened there? NO, I don’t. I’ve lost data on an external FireWire drive and an iPod in the last couple months. Older drive but it just seems odd the way it went.

    As a side note, I wish Apple would build the xServe type diagnostics into personal computers so that we can anticipate failure before we lose the data. Perhaps they have started this with the G5 iMac, anyone with details?

    Even better, put two hard drives min. in each computer, one as Boot Disk, the other as dedicated backup with incremental undo. And better even still, a “Dual” Hard Drive that has both drives built into one. These backup drives could be left off except for short syncing operations that would happen at user-selectable intervals. This should give them a far longer life span and reliability than the always-on Boot drive.

    Sorry, my “side note” got away from me. About the links on these forums: who watches these for links to possible infections? Who better to trick than the savvy guys (and gals) trying to learn how to protect their systems by reading Mac-specific forums, and reading up on what methods the bad guys may use. Like me, or you. So again, who looks for this sort of thing?

  3. “Please, give me your house keys so that I can steal all your goods.”

    Actually, if masqueraded as a Trojan it could be of some threat, but only with a good dose of nonsense by users trusting in silly promises from unknown origins.
    In this case they could only blame themselves; that’s all they merit.

    Trojans like this one can be purposed for any OS, no matter how secure it can be; the only defense is a bit of good sense. This only proves that at today’s date, we (Mac users) do not need particular worries on the matter, nor to spend particular time protecting our systems against the daily attacks, but just keep producing with it.

  4. What are the odds that VersionTracker and MacUpdate thoroughly scan all shareware? What about those cute Konfabulator widgets? What about 3rd-party iMovie and iTunes plug-ins? I love these things! What about a Linux ISO download? Or a false mp3?

  5. tov

    you’ve got it! This is where the real danger lies. I too love all the add-ons, plug-ins and goodies. Some are hard to do without. DragThing, indispensable, brilliant implementation, started as a small shareware group, still shareware but they have a great reputation today. Tons of shareware for Macs today. Some have been around for a while, but many are new. And that’s what we want, right? More apps for Macs. They used to tell us that Windows had more apps. We wanted more. We got ’em. We now can use Unix, X11, Mac OS X, Classic. Lots of new stuff for all the plug and play you can handle.

    Some of the shareware that’s around is the best stuff out there. Naturally, any company trying to sell more software doesn’t want to be caught spreading a virus by way of their installers.

    But…

    There has been controversy over the Unsanity preference pane APE (Application Enhancer). I don’t like that I must install APE to use WindowShade. That being said, I use WindowShade and therefore APE. How can I not? I must window shade; old habits die hard.

    Why did Apple take that feature out completely when we moved to OS X? Perhaps the largest feature loss in Mac upgrade history, IMHO. Maybe because they saw Exposé, and true, I’d rather have Exposé over WindowShade, but why choose? I use both. Did Apple lack the patent or something?

    Again, I’ve gotten off subject.

    So how do we verify the source for these shareware vendors, especially when using VersionTracker and MacUpdate, rather than going directly to the developer site? I make a habit of using the download site to find the software, then linking from there to the Dev page to see what the company seems to be all about. But even this is in no way an assurance that I’m about to download safe software. Virex is neat, but what if it’s a yet unknown virus, etc.?

    I definitely and fully understand that I was taking a risk when I ran the link from the forum (in my earlier comment). I was knowingly clicking a link to a “proof of concept” of a known “insecurity” in my system. However, other less obvious risks may be present in downloading any new or obscure software. Some may say this is not new, and although this may be true, it does not address the concerns that we face with an advanced OS such as OS X 10.3, not to mention 64-bit 10.4. Imagine the power of a 64-bit Malware App! How can we know that we are getting solid, safe software when we download from anywhere?
