Opener Malware: The Straight Deal

After days of reporting about this story, I’m still rather disappointed by the coverage. Most writers have been pouring out pages of worthless hyperbole. Of most note, and most deserving of criticism, are Cnet with “Mac users face rare threat” and ZDNet with “Destructive OS X malware spies on Apple users.” Leave sensationalism to the tabloids, boys.

Let’s get down to what Opener, or as Sophos calls it, SH/Renepo-A, is. First notice that Sophos reversed its name. Clever. Anyway, as linked to from the MacInTouch article, the script itself can be viewed at the Macintosh Underground Forum. The latest version known at the time of writing is 2.3.8. Let’s lay out exactly what it does:

  • Copies itself into /System/Library/StartupItems forcing it to run at startup as root
  • Copies itself into the same directory for any bootable disk mounted (this includes Carbon Copy Cloner backups)
  • Installs ohphoneX and runs it at startup silently
  • Disables built-in firewall
  • Disables Software Update’s automatic schedule
  • Kills LittleSnitch
  • Installs krec (keystroke recorder) (disabled in latest version because of visibility)
  • Turns on SSH
  • Turns on FileSharing
  • Turns on Windows File Sharing (disabled by default)
  • Turns on Apache (disabled by default)
  • Creates .info directory to store data gathered
  • Gets the name of the computer
  • Gets private and public IP addresses (in case behind router)
  • Gets OpenFirmware password
  • Gets OSXvnc password if installed
  • Gets a series of files with passwords and user information
  • Gets serials for several commercial software packages
  • Copies .info directory (full of information) to every Public user folder
  • Modifies Limewire settings
  • Creates admin user named “LDAP-daemon” for login
  • Attempts to grab password from virtual memory files (known exploit)
  • Uses John the Ripper to decode passwords
  • Installs dsniff
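
Several of the actions above leave traces an administrator can look for without ever running the script: a foreign entry under /System/Library/StartupItems, a hidden .info directory in users’ Public folders, and an account named LDAP-daemon. The following audit helpers are an added example written for this article, not code from Opener or from any vendor; the StartupItems name `EXAMPLE-rogue-item` and the sample tree are constructed placeholders, since the article does not give the script’s on-disk name.

```shell
#!/bin/sh
# Added audit example: checks a filesystem tree for three traces described
# in the article. ROOT is a prefix so the same checks run against a mounted
# volume (ROOT=/Volumes/Name), the live system (ROOT=/), or a sample tree.

# 1. Anything under StartupItems that did not ship with the OS deserves a
#    look, because everything there runs as root at boot. Prints each name.
list_startup_items() {
    dir="$1/System/Library/StartupItems"
    [ -d "$dir" ] || return 0
    for item in "$dir"/*; do
        [ -d "$item" ] && basename "$item"
    done
}

# 2. Hidden .info directories dropped into users' Public folders.
find_info_dirs() {
    find "$1/Users" -maxdepth 3 -type d -path '*/Public/.info' 2>/dev/null
}

# 3. The rogue admin account. The user list is passed in as text (for
#    example the output of `dscl . -list /Users`) so a saved copy works too.
has_ldap_daemon_user() {
    printf '%s\n' "$1" | grep -qx 'LDAP-daemon'
}

# Constructed sample tree reproducing the traces, so the checks can be
# exercised offline. "EXAMPLE-rogue-item" is a placeholder, not Opener's name.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/System/Library/StartupItems/Apache" \
             "$root/System/Library/StartupItems/EXAMPLE-rogue-item" \
             "$root/Users/alice/Public/.info" \
             "$root/Users/bob/Public"
    printf '%s\n' "$root"
}

# Run against a real tree when a prefix is given on the command line.
if [ $# -gt 0 ]; then
    echo "StartupItems under $1:"; list_startup_items "$1"
    echo "Hidden .info directories:"; find_info_dirs "$1"
fi
```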

Sounds scary. For the most part it is. However, every one of these actions is something root is legitimately permitted to do; none of it is a security exploit. Also note that nowhere in that list is a way for it to install itself on other machines. In fact, it doesn’t even copy itself to the .info directory! It keeps itself in StartupItems. Therefore, you would have to install this onto your machine yourself (or run a malicious installer and give it permission to install it).

What’s totally absurd about this situation is that Sophos, supposedly virus experts, have classified this as a worm! Wikipedia defines a computer worm as:

A computer worm is a self-replicating computer program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; however, a worm is self-contained and does not need to be part of another program to propagate itself. They are often designed to exploit the file transmission capabilities found on many computers.

Well, we’ve already established that Opener doesn’t attach itself to anything, as it is a simple shell script (nothing more). The next criterion is propagation. The only time it replicates itself is in the first two steps. The first step is local. The second copies itself to the StartupItems directory of a mounted volume. As we are assuming root, any local hard disks would automatically be infected. However, these are still local disks, and therefore this is not worm behavior, as it is still contained within the same machine.

We finally discover the only way one could possibly construe this piece of malware as a worm when we think about what else a mounted volume can be. It can also be a network share. This is where we run the danger of wild speculation and try to force the title of worm upon this script. Two things are needed in a network share in order for it to be installed onto that remote filesystem. First, it must be a full boot disk (which is not a typical share to be using anyway). Second, the user that you log in as must have write permission to /System on that remote filesystem. This means you must be an admin or root on that remote machine. The natural reaction is to jump all over this and immediately conclude that this is not important because the script is already running as root. This is wrong. Having root power on the local filesystem does not bestow root privileges on the remote share. You are still constrained by the username you mounted that share with. This does not qualify this as a worm.

The problem with the reporting of this malware is that it ignores the real lesson to be learned from the software. That is simply that once your computer is compromised and you’ve given root permissions to an errant program, the game is over. You’ve lost. What this script lacks is a strong propagation vector. Without that, this script is simply a reminder of what may happen if you are compromised.

Users can protect themselves by staying up to date with security fixes (coming through Software Update) and by being careful about what they give administrative power to (when the system prompts you for your password). Don’t use shares that are entire boot disks. Finally, and this is how most users get bitten, get your software from reputable sources such as software retailers and use version tracking services to get user feedback before you install it yourself. Do not use Limewire or any other P2P service to download your software. That’s how the last trojan (the Microsoft Office 2004 installer trojan) was spread. Trying to get software without paying for it is bad karma. Let this be another reason to not even try it.