Not a Worm, Just a Gnat |
Ah, it has happened again. Another so-called "worm" has appeared on the radar for Mac OS X. At least that's what "they" want you to believe. (And yes, I'm making quotes with my fingers as I write this, just for effect.)
According to Trend Micro, the latest vulnerability for Mac OS X is called Opener, or Renepo. (Cleverly, that's "Opener" spelled backwards. And no, I did not use finger quotes for that one. Would have been overkill.) It's described as a worm, and it does some pretty nasty stuff once executed, like installing and executing a remote access program (OSXvnc), logging user keystrokes, stealing passwords, and opening up all sorts of ports and enabling file sharing to let someone easily log in remotely. It even looks at your password hashes (one-way hashed forms of your passwords) and compares them to hashed dictionary words looking for matches. (This is why it's a good idea to have some numbers in your passwords.)
A lot of PC-related sites are taking this news and proclaiming that OS X isn't secure, it's just as bad as Windows, basically the whole sky-is-falling thing. Some even use it as proof that Windows is only slightly more insecure than OS X and/or Linux, and that it only looks worse because that's what almost everyone uses.
Well, that's simply not true. While the Opener "worm" can do some pretty nasty things, it's not really that big of an issue. Here's why:
First of all, Opener is not actually a worm at all. It's not a virus either. It's just a shell script that cannot replicate itself. Wikipedia defines a computer worm as:
"...a self-replicating computer program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; however, a worm is self-contained and does not need to be part of another program to propagate itself."
Opener could be labeled a Trojan if it were bundled inside another program. But Opener would still require the user to actually run the file, i.e., you've got to double-click on it and then enter your admin password. (We've seen this before with the shell script disguised as a Microsoft Word document.)
The Opener script would then perform all its nasty stuff. This is why you shouldn't run as the root user, and also why Apple disables the root user by default. It's also why you don't give administrator privileges to just anyone, and why you never, ever enter your admin password for a program that you're not sure about.
So, to recap, Opener would need to be put on the machine either through physical access (like a CD), via a software vulnerability (make sure you've performed all your security updates), or via a trojan program. If the script made it that far, you would then have to launch it yourself and then enter your administrator password.
Contrast this with how Windows handles security, i.e. spyware/malware installing itself automatically in the background without the user's permission, then opening up ports for hackers to remotely gain access. Granted, Windows SP 2 has fixed some holes, but there's still a huge amount left to be fixed.
OS X is still much more secure than Windows, and it isn't just because it's not as widely used. There are still no Mac OS X viruses, despite what some of the mainstream media would want you to believe. And I am still an idiot despite stringing together sentences that formed an article around a few coherent thoughts. (Hey, even a blind dog gets a bone now and again.)
P.S. The Opener script has yet to be found "in the wild". And I did the finger quote thing there.
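To make the hash-comparison point concrete, here is an added illustration (not code from the article and not anything taken from Opener itself) of how a stolen hash list is checked against a hashed wordlist, and why a password that is not a plain dictionary word survives that check. The account names, the wordlist and the unsalted SHA-256 format are all constructed assumptions for the demo.

```python
import hashlib

# Constructed stand-in for a dictionary file (assumption: a short wordlist).
WORDLIST = ["apple", "password", "letmein", "macintosh", "opener", "welcome"]


def _hash(plaintext: str) -> str:
    """Unsalted SHA-256 hex digest (assumption: a simplified hash format,
    chosen only so the demo is self-contained)."""
    return hashlib.sha256(plaintext.encode()).hexdigest()


# Constructed account records: {username: hash}. The plaintexts in the
# comments are what each constructed hash was derived from.
SAMPLE_HASHES = {
    "alice": _hash("macintosh"),      # plain dictionary word
    "bob":   _hash("m4cint0sh2004"),  # letters plus digits, not in the wordlist
    "carol": _hash("password"),       # plain dictionary word
}


def hash_wordlist(words):
    """Hash every wordlist entry once. This is the lookup table the script
    compares stolen hashes against: the work is per word, not per account."""
    return {_hash(w): w for w in words}


def audit(hashes, words):
    """Return {user: matched_word} for every account whose stored hash equals
    the hash of some wordlist entry. Accounts with no match are left out.
    Note: a real password store salts each hash, so one shared table like this
    cannot be reused across accounts; that, plus non-dictionary passwords, is
    what blunts this kind of offline comparison."""
    table = hash_wordlist(words)
    return {user: table[h] for user, h in hashes.items() if h in table}


if __name__ == "__main__":
    for user, word in audit(SAMPLE_HASHES, WORDLIST).items():
        print(f"{user}: password is the dictionary word '{word}'")
```

Running it flags alice and carol; bob's digits-and-letters password never appears in the wordlist, so its hash has nothing to match.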
October 28 2004, 6:36 PM EDT, by
Comments:
matty
10/28/04, 8:58 PM EDT
Interesting, what I really want to know is how you manage to type while doing the finger quote thing...
Jonahan
10/28/04, 9:05 PM EDT
Dude... you don't wanna know.
speedyrev
10/28/04, 9:17 PM EDT
I think I'm going to download, launch, and enter my password to infect my computer. Just because I'm getting nostalgic for the ole days when I had to work on a PC.
matty
10/28/04, 11:31 PM EDT
For the protection of my virginal brain I'll just assume you use speech recognition.
Jonahan
10/29/04, 9:11 AM EDT
Um... yes, actually that was it, speech recognition. I don't know why I implied that it was bad.
dab2
10/29/04, 9:21 AM EDT
Great coherent article! I've enjoyed telling my friends about this so-called "worm" and having a good laugh at just how preposterous it really is. The sad thing is that there may be some poor schmuck who will actually type in their admin password and… oops!
Thank you for pointing out that it has yet to be found "in the wild", but that makes me ask then where was it found and who wrote it. Could this be a construct of a company who wants us to pay them to protect us? Hmmmmmm.
nhmacusr
10/29/04, 10:01 AM EDT
Actually, these root kits are quite common. It isn't that difficult to put one together. This one contained classic Unix tools (John the Ripper - password cracker, etc.). These things have been around for eons. Someone ported it to Mac OS X and now it is big news. Go figure. Smart computing practices will defeat this one every time. One additional note here, I still think this one is misclassified, for effect, as a worm. It does not actively seek out computers to infect. It won't spread on its own (it needs user intervention) and it is not self replicating.
Readthescript
10/29/04, 11:21 AM EDT
Nothing in the Opener script installs or runs VNC. Where is the press getting this?
nhmacusr
10/29/04, 1:00 PM EDT
ClamAV is a free open source virus scanner. Interestingly enough, I came across this today:
http://developer.apple.com/server/virusfiltering.html
Coombs
10/29/04, 1:04 PM EDT
I found this at Macintouch (link below). This person found two of his Macs infected and he does not know how.
Some cause for concern?
http://www.macintouch.com/opener02.html#oct29
Lachlan
10/29/04, 11:15 PM EDT
It's always interesting to read "the script is not in the wild" ...
How was it discovered then?
Am I the only one who thinks Sophos wrote/modified a Unix shell script and put it out as FUD to help sell product?!
Jonahan
11/2/04, 9:52 PM EDT
Coombs, I saw that too, and no one has been able to explain how it might infect other Macs on its own.
atAT has a scene about it too.
Jonah
11/5/04, 11:13 AM EDT
"(We've seen this before with the shell script disguised as Microsoft Word thing.)"
Actually that one was an AppleScript.