
'Opener' Malware Targets OS X

michael posted more than 9 years ago | from the laugh-it-up-fuzzball dept.


the_webmaestro writes "Macintouch.com is covering the "opener" malware, a new and potential vulnerability which affects Mac OS X. If true (it's not on HoaxBusters yet), this could become a Mac user's worst nightmare... Worse even than Microsoft Word macro viruses (heretofore the only real 'viruses' which threatened Mac users)! Normally, whenever I'd see virus alerts, I'd revel in the fact that as a Mac user, I was immune (except for the slow-down of the net, the loss in productivity of my colleagues, and the increase in SPAM--often coming from my friends and colleagues). [Sigh] Perhaps, my days of telling friends and family that there are no viruses for Macs may be coming to an end. There have been stories."


All machines are vulnerable to this (5, Insightful)

dtolton (162216) | more than 9 years ago | (#10607618)

I'm not sure how this qualifies as a vulnerability. If you read the
actual discussion linked, it's very clear that this is a root kit
installed after someone already has root access on your machine.

How did it suddenly become a vulnerability that if you have root
access to someone's machine, you can write a script that will
automatically install a bunch of malware? If this were a self
propagating system, or if it were packaged up as a program that users
might install by accident I could see the point. As it stands now,
it's a script that you have to run *after* you have root access.

Common sense should apply here. On *any* system, if you run untrusted
code with root level access, it could do *bad* things to your system.

Re: All machines are vulnerable to this (5, Funny)

Black Parrot (19622) | more than 9 years ago | (#10607638)


> I'm not sure how this qualifies as a vulnerability. If you read the actual discussion linked, it's very clear that this is a root kit installed after someone already has root access on your machine. How did it suddenly become a vulnerability that if you have root access to someone's machine, you can write a script that will automatically install a bunch of malware?

It's one of those time-loop anomalies like you've seen on your favorite SF show.

Re:All machines are vulnerable to this (0)

CAIMLAS (41445) | more than 9 years ago | (#10607640)

All that you say is true.

However, how long until someone combines this payload with the propagation engine of a win32 worm and an OS X security exploit or 3? That's how these things start. One part at a time.

Re:All machines are vulnerable to this (0)

Anonymous Coward | more than 9 years ago | (#10607652)

Let us know when that happens. Until then you might want to change the strain you're smoking.

Re:All machines are vulnerable to this (2, Insightful)

NSash (711724) | more than 9 years ago | (#10607703)

You fucking idiot. If they can get root access on your machine, you're fucked anyway -- this stupid script is irrelevant.

Re:All machines are vulnerable to this (5, Insightful)

Anonymous Coward | more than 9 years ago | (#10607650)

Yes, to make it more clear:

The linked article ONLY talks about the things this program does to a person's computer, once it is on it, and does NOT discuss how it gets onto a computer in the first place--other than by manually installing it.

It might be malicious, but unless it is possible/easy for folks to accidentally install it (like all of the Windows spyware/malware), it is not a threat, any more than is THIS piece of Linux and MacOS Malware:

#!/bin/sh
rm -Rf /

Re:All machines are vulnerable to this (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10607782)

Lucifer did come from a computer.

Nuclear explosion in Washington D.C. because of a virus in their systems.

Signed by 6.6.6.

Re:All machines are vulnerable to this (5, Interesting)

asjk (569258) | more than 9 years ago | (#10607756)

What about this assertion from the MacIntouch page?

John C. Welch

...Using /Library/StartupItems/ for it shows some thought about Mac OS X. One of the problems with that directory is that, while items in it run as root prior to login, you don't have to be root to create startup items in that directory, nor do they have to be owned by root to run. Any admin user can use this directory to create startup items that will run as root. That's a weakness that hopefully will get fixed. ...

Could a Trojan be written to trick the user into installing a StartUp Item?

Re:All machines are vulnerable to this (5, Insightful)

WiseWeasel (92224) | more than 9 years ago | (#10607767)

Yes, a trojan could be written to do that. It would prompt you for an admin password, even if you launched the trojan executable as an admin user, but it could definitely be done, and if done correctly, a lot of users might be duped by it. Basically, if you run executables from untrusted sources, you could get bitten by this. This is true of any operating system. Trojans are always going to be a problem. Careful users probably won't be affected by it, but others might be. This is a far cry from a worm or virus, in that there is no vector that will allow this to propagate to any significant level. That being said, it's always crucial to keep updated with the latest security patches just to be safe. For now, this is not even a concern, but it could make script kiddies' lives a little easier, especially with this added publicity.

Re:All machines are vulnerable to this (5, Insightful)

marcello_dl (667940) | more than 9 years ago | (#10607927)

On a relatively up to date 10.2.8 running in a Mac on linux window as we speak, my user account cannot write into [Volume Name]:System:Library:StartupItems nor into its subdirectories (haven't tried them all but a quick chown or chmod can be a solution in that case). That folder is owned by 'system' and group 'wheel'.

So a script that needs to be installed as root is definitely not comparable to the plethora of vulnerabilities win users are exposed to. If that were the case osx and linux should have approx 5 percent of the total viruses, according to their market share. That simply doesn't happen so I consider this /. article FUD until somebody discovers what can remotely install such script. Keep your "boxen" updated, though.
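
Added example, not part of any comment in this thread: one way to audit a startup-item directory for the condition John C. Welch describes (items that run as root without being root-owned) and the ownership check marcello_dl did by hand. The function name, the demo tree and the use of the current uid in place of root are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a startup-item directory.
# On a real Mac you would point it at /Library/StartupItems and
# /System/Library/StartupItems and leave the expected owner as root.

# audit_startup_items DIR [OWNER]
#   Prints "reason<TAB>path" for every entry that is not owned by OWNER
#   (name or numeric uid, default root) or is writable by group/other.
#   Exit status: 0 clean, 1 findings, 2 DIR is not a directory.
audit_startup_items() (
    dir=$1
    owner=${2:-root}
    if [ ! -d "$dir" ]; then
        printf 'missing\t%s\n' "$dir"
        exit 2
    fi
    findings=$(
        # Anything not owned by the expected account could have been
        # dropped there by a non-root user, yet would still run as root.
        find "$dir" ! -user "$owner" -exec printf 'owner\t%s\n' {} \;
        # Group- or world-writable entries can be replaced after install.
        # Symlinks are skipped because their own mode bits mean nothing.
        find "$dir" ! -type l \( -perm -020 -o -perm -002 \) \
            -exec printf 'writable\t%s\n' {} \;
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        exit 1
    fi
    exit 0
)

# Constructed demo tree: one tidy item and one left group-writable.
demo_startup_audit() (
    tmp=$(mktemp -d) || exit 2
    mkdir -p "$tmp/StartupItems/Tidy" "$tmp/StartupItems/Loose"
    printf '#!/bin/sh\n' > "$tmp/StartupItems/Tidy/Tidy"
    printf '#!/bin/sh\n' > "$tmp/StartupItems/Loose/Loose"
    chmod -R go-w "$tmp/StartupItems"
    chmod g+w "$tmp/StartupItems/Loose" "$tmp/StartupItems/Loose/Loose"
    # The current uid stands in for root so the demo runs unprivileged.
    rc=0
    audit_startup_items "$tmp/StartupItems" "$(id -u)" || rc=$?
    rm -rf "$tmp"
    exit "$rc"
)

demo_startup_audit || echo "demo: findings reported (expected)"
```

A finding on the directory itself means non-root accounts in that group can add new items, which is the case the quoted MacInTouch note is about.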

I am not too concerned (5, Informative)

mj_1903 (570130) | more than 9 years ago | (#10607623)

As this Bash script (that's all it is) needs root access or physical access to the machine to propagate, I am not too concerned. Root is disabled by default on all shipping Macs and if anyone has physical access to your machine then you are in serious trouble anyway.

Saying this though, keeping your Mac patched is probably the best idea. Some vulnerabilities in Mac OS X can give you root privs, but having the firewall on and only services that you need enabled (none are enabled by default) will protect you from those issues.

Re:I am not too concerned (4, Interesting)

j-pimp (177072) | more than 9 years ago | (#10607670)

> Root is disabled by default on all shipping Macs and if anyone has physical access to your machine then you are in serious trouble anyway.

Right, but the initial setup of every shipping Mac out there has the user create an administrative account on their machine. This person can run sudo to execute a root command. The password prompt you get before installing most Mac software runs sudo. So an install program effectively runs as root and if the install program silently added this script to your system then it would run.

Re:I am not too concerned (2, Insightful)

mj_1903 (570130) | more than 9 years ago | (#10607679)

Of course, but if I download and install any software that contains malicious code then I am in trouble. Similar to that incident of a developer deleting ~/ on users' machines that used a pirated serial number.

As Nelson would say. (-1, Flamebait)

richy freeway (623503) | more than 9 years ago | (#10607624)

HA-HA! ;P

Re:As Nelson would say. (0)

Anonymous Coward | more than 9 years ago | (#10607632)

You might want to read some comments before laughing. The write-up for this (non-)story is misleading. Your laughing applies right back to you.

Re:As Nelson would say. (0)

Anonymous Coward | more than 9 years ago | (#10607676)

Gosh you're glib

Re:As Nelson would say. (5, Funny)

richy freeway (623503) | more than 9 years ago | (#10607684)

I'm taking my reading of /. to a whole new level. Not only do I ignore the articles but now I totally ignore the comments too!

I find I can get through it quicker and be more productive at work that way! :D

Re:As Nelson would say. (0)

Anonymous Coward | more than 9 years ago | (#10607702)

You go girl.

Anti-Virus (5, Funny)

Kesh (65890) | more than 9 years ago | (#10607627)

You mean my copy of Virex I get with .Mac will actually be useful now? ;)

Re:Anti-Virus (0)

Anonymous Coward | more than 9 years ago | (#10607655)

I, for one, welcome our virus writing overlords, and our snakeoil selling liberators.

FUD... (4, Interesting)

nordicfrost (118437) | more than 9 years ago | (#10607628)

This is lame. A script! This is Slashdot, you should know the possibilities of bash scripting. Besides, it doesn't even spread itself, doesn't hide its tracks...

Re: FUD... (5, Funny)

Black Parrot (19622) | more than 9 years ago | (#10607646)


> this is Slashdot, you should know the possibilities of bash scripting.

And of script bashing as well.

Re: FUD... (1)

Rosco P. Coltrane (209368) | more than 9 years ago | (#10607728)

You Sir just cost me a clean shirt :-)

Re: FUD... (0, Flamebait)

metlin (258108) | more than 9 years ago | (#10607774)

And the fact that you have been modded insightful and not funny, has subtle irony written all over :-).

Re:FUD... (1)

driver_red (824677) | more than 9 years ago | (#10607789)

As he says, "...a check of my /var/log files showed that they were _all_ empty and had the same mod date.", as subtle as a sledgehammer method of hiding its tracks, although it does attempt to.
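
Added example, not part of any comment in this thread: a small check for the pattern in the quoted report, where every file in a log directory is empty and all share one modification time. The function name, the three-file minimum and the demo file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag a log directory where every
# file is empty and all carry the same modification time.

# logs_look_wiped DIR [MIN]
#   Exit 0 when DIR holds at least MIN regular files (default 3), all of
#   them zero-length and none newer or older than the others.
#   Exit 1 otherwise. Only the top level of DIR is examined.
logs_look_wiped() (
    dir=$1
    min=${2:-3}
    count=0
    first=
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # One log with content is enough to rule the pattern out.
        if [ -s "$f" ]; then
            exit 1
        fi
        if [ -z "$first" ]; then
            first=$f
        # -nt / -ot are extensions found in bash, dash, ksh and zsh.
        elif [ "$f" -nt "$first" ] || [ "$f" -ot "$first" ]; then
            exit 1
        fi
        count=$((count + 1))
    done
    [ "$count" -ge "$min" ]
)

# Constructed demo: three empty logs stamped with one identical time.
demo_wiped_logs() (
    tmp=$(mktemp -d) || exit 2
    touch -t 200410230400 "$tmp/system.log" "$tmp/secure.log" "$tmp/mail.log"
    if logs_look_wiped "$tmp"; then
        echo "suspicious: every log is empty with one shared timestamp"
    else
        echo "no wipe pattern"
    fi
    rm -rf "$tmp"
)

demo_wiped_logs
```

A log rotation that has just run can leave a few empty files with close timestamps, so a hit is a prompt to look at the rotated archives and other evidence, not proof on its own.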

Normal rootkit (5, Insightful)

Spider[DAC] (129824) | more than 9 years ago | (#10607635)

*chuckle*

So, this is a progression of the age-old idea of a rootkit. A program installed with administrator (root,superuser,avatar) rights to remotely control the machine.

Admittedly, this one looks a bit more aggressive than some (running jack the ripper on the md5 passwords is blatant and obvious) but this is hardly any news for anyone.

What strikes me as confusing is that Mac users aren't used to this already? It's been standard issue with all Unix, Windows and some BeOS applications, that people would post "faked" binaries of some popular software that would instead own the system completely. Or for that matter, latch them on to an existing download, the same way spyware does in windows.

Overall, this isn't self-replicating, it's blatantly obvious and appears quite easy to recover from. Don't fret.

Re:Normal rootkit (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10607658)

Damn, you're a bit shrill. Nervous?

security through obscurity. great move, kasparov. (-1)

User 956 (568564) | more than 9 years ago | (#10607641)

[Sigh] Perhaps, my days of telling friends and family that there are no viruses for Macs may be coming to an end.

Yes, because security through obscurity is the best way to avoid viruses. Jesus christ. You read Slashdot; isn't it obvious by now that any piece of technology created by human beings is going to have flaws? To believe otherwise is hubris-- and we all know what happened to Icarus.

Re:security through obscurity. great move, kasparo (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10607661)

> and we all know what happened to Icarus

What happened to Icarus?

Re:security through obscurity. great move, kasparo (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10607727)

The real but abridged story of Icarus and Daedalus

Ovid wrote that Daedalus was a skilled architect-inventor-sculptor highly respected in his hometown of Athens. But human as he was, he became jealous of his nephew Talus, and killed him. Daedalus was exiled to Crete to serve King Minos, where he eventually had a son, Icarus. Minos had imprisoned Daedalus & Icarus in a great Labyrinth. To escape from the Labyrinth and from Crete, Daedalus designed sets of wings made of feathers and wax for him and his son.

Before flying to freedom he warned Icarus not to fly too low - for his wings would touch the water and get wet - nor too high - for the sun could melt the wax. But young Icarus, overwhelmed by the thrill of flying, ignored his father's warning and flew higher and higher, envisioning himself as the gods. As he flew higher and higher, the wax in his wings melted from the heat of the sun, and he fell into the sea, killing himself.

Parent is a goatse troll (-1)

Anonymous Coward | more than 9 years ago | (#10607667)

signature links to a goatse image :/ Grow up stupid kids.

Re:Parent is a goatse troll (-1, Offtopic)

metlin (258108) | more than 9 years ago | (#10607783)

Obviously!

HYBTT --> Have you been trolled today :-)

On Usenet when spent enough time you have, attain you shall enlightenment, young padawan.

Re:security through obscurity. great move, kasparo (0)

Anonymous Coward | more than 9 years ago | (#10607681)

and we all know what happened to Icarus.

Clearly Bush does not read Slashdot.

Re:security through obscurity. great move, kasparo (1)

Rosco P. Coltrane (209368) | more than 9 years ago | (#10607730)

and we all know what happened to Icarus.
Clearly Bush does not read Slashdot.


I didn't realize Icarus had fallen off a Segway...

Re:security through obscurity. great move, kasparo (1)

BasilBrush (643681) | more than 9 years ago | (#10607784)

Flaws yes. Viruses no. I've got 10s of devices with a Microprocessor in them. But only the 2 PCs I own are susceptible to viruses.

Re:security through obscurity. great move, kasparo (0)

NoData (9132) | more than 9 years ago | (#10607788)

To believe otherwise is hubris-- and we all know what happened to Icarus.

Yeah! He became the subject of a Nintendo game [consolegameworld.com] and a kick ass Iron Maiden [ironmaiden.com] song. [darklyrics.com] Go hubris!

Not to worry then (5, Insightful)

Armchair Dissident (557503) | more than 9 years ago | (#10607644)

Normally, when ever I'd see virus alerts, I'd revel in the fact that as a Mac user, I was immune

Not to worry then, you're still immune. It's not a virus. It's not much of a vulnerability either; and no-one has ever suggested that OS/X - or any operating system for that matter - is immune to trojan horses. And this is what this is (if it's true) - a good old fashioned trojan horse.

Re:Not to worry then (3, Interesting)

wrldwzrd89 (611694) | more than 9 years ago | (#10607721)

I agree with everyone else. This is nothing more than a Trojan Horse - and in order to do anything meaningful it needs lots of privileges, like becoming root. There's nothing seriously worrying in this (Mac OS X is STILL without a virus), because, as mentioned in the article, all the stuff it does can be reversed easily (even more easily if you clone your HD daily like I do).

Worst. virus. ever (5, Insightful)

Anonymous Coward | more than 9 years ago | (#10607654)

So am I missing something, or is this really just a regular bash script that does bad things if given enough privileges? Not surprising, I guess, since the submitter spelled "spam" using all caps...

Re:Worst. virus. ever (5, Funny)

Anonymous Coward | more than 9 years ago | (#10607678)

> Not surprising, I guess, since the submitter spelled "spam" using all caps...

... and lists "proficiency in Notepad" [mac.com] on his résumé :-).

Re:Worst. virus. ever (1, Funny)

Anonymous Coward | more than 9 years ago | (#10607748)

...Applications & Proficiencies...

XMLSpy Enterprise, BBEdit, TextPad, Photoshop, Acrobat, The GIMP, Studio MX 2004 (Dreamweaver, Fireworks, Flash & Freehand), Homesite (v1.0 beta tester!), Notepad, MS Office XP Expert, Word, Excel, PowerPoint, Mozilla/Thunderbird, InDesign, PageMaker, Quark, OpenOffice.org, Visio, Outlook/Exchange Server, vi, Shell/Batch Scripting, Search Engine Submission/Placement & Removal

Wow.

Let me add to my skills!

Switching on the computer, inserting a CD-ROM, English (written AND spoken), bathing, brushing my teeth....

Man, sheesh. Worst part is that HR people look for keywords such as this, and this guy would probably land a better job than someone who does not bother mentioning these things.

Re:Worst. virus. ever (0)

Anonymous Coward | more than 9 years ago | (#10607792)

For those that are interested, here is his Slashdot account [slashdot.org].

Username - the_webmaestro

Flame away :-)

Burn them! (2, Funny)

Anonymous Coward | more than 9 years ago | (#10607662)

Burn the programmers who created the OS! Burn the greedy corporation who cut corners to release this junk! Burn the ignorant and clueless users who allow such things to take place! Kill 'em all! Raze their corporate HQ to the ground! No punishment is too harsh, no criticism unwarranted. Finally, definitive proof of the systematically shoddy approach taken by this company to their OS!

Oh wait... you said Apple, not Microsoft. Well in that case, let me just say that the user interface for this exploit is FAR more intuitive than it is for Windoze. And it's also a lot more flexible, thanks to Darwin. In fact, it wouldn't even be possible under Windoze, surely demonstrating once again how much better OS-X is. And anyway, it's not really a virus... more of a feature, really. A mal-feature.

Re:Burn them! (1, Insightful)

Anonymous Coward | more than 9 years ago | (#10607842)

Actually, it is a feature, not an exploit, and not a mal-feature either. An administrator of the computer can do whatever they want. That's all, no security vulnerability or anything. Yes, that's right-Apple is so damn good, even their negative press is about things working the way they're supposed to!

Mac owners are like Volvo drivers... (1, Interesting)

Anonymous Coward | more than 9 years ago | (#10607668)

Because they think they're perfectly safe, that must mean that they're perfectly safe and can therefore do whatever the hell they want to without thinking, or learning from the experience.

I have learned this from two years of cycling to work, and taking tech support calls from Mac owners while there.

Pride comes before a fall - just because your computer has training wheels doesn't mean you can do whatever you want to without some kind of consequence... Most of us learned this as children.

Nice script (4, Funny)

Zorilla (791636) | more than 9 years ago | (#10607674)

I don't think it's as much of a real vulnerability as it is Macintouch.com being mesmerized by looking at the code in the "new" exploit.

#!/bin/bash
:(){ :|:& };:


Oooooooh, trippy code!

Re:Nice script (2, Interesting)

beelsebob (529313) | more than 9 years ago | (#10607696)

I can't claim to know bash scripting (I'm ashamed to say I'm a slashdotter and have never looked at it)... Is this a forkbomb? defining a lambda expression ':' that runs ':' twice, and then running it once. If so, surely the process limits are going to kill it after a short while?

Bob

Re:Nice script (1)

Zorilla (791636) | more than 9 years ago | (#10607707)

You know more than I do, apparently. The only bash scripting I've done is to force programs into a specific working directory. I can barely look at that code myself, I just found it under a Google search. My best guess is that it creates a function fork that is very obfuscated to the reader. There were some pretty neat obtuse examples during that "Obfuscated voting machine code contest" as well.

Re:Nice script (4, Informative)

Zocalo (252965) | more than 9 years ago | (#10607738)

Yeah, it's a fork bomb with a tiny amount of obfuscation, if you can call using a non-alpha character as a function name obfuscation. Things become clearer if you format it properly, and replace the user defined function name ":" with "foo", like this:

#!/bin/bash
foo()
{
    foo | foo &
};

foo

So, we define a function, "foo", which runs "foo" piped into itself as a background task, then call "foo", and off we go. Essentially you are trying to execute the infinitely long command line of:

foo | foo | foo | foo | foo...

Re:Nice script (3, Informative)

Zocalo (252965) | more than 9 years ago | (#10607764)

Damn! Forgot to cover the ampersand... Each successive call of the command *also* spawns a separate instance of itself, behaving in the same manner. Exponential growth and recursion too!

Re:Nice script (0)

Anonymous Coward | more than 9 years ago | (#10607740)

Yup, it's a classic fork bomb. If you've set up your limits appropriately, it won't cause you any grief.

"Administration" Password Problem... (5, Insightful)

torpor (458) | more than 9 years ago | (#10607675)


Something that's always bothered me about OSX is how easy it is to write a program that prompts the user to enter their Admin password, and how many users just enter it when requested, for any old program.

I don't really know how Apple can address this.. perhaps some sort of 'certification' system for "programs which need admin access", but I've seen how that approach got dealt with by Microsoft and I don't really see it as a solution; just more problems. (App Certification is a crappy idea..)

Really, there's just no such thing as a piss-free sandbox. *sigh*

Re: "Administration" Password Problem... (3, Informative)

beelsebob (529313) | more than 9 years ago | (#10607705)

OS X does this to a certain extent in that it tells you what application is running the security dialogue and what key it's requested, but unfortunately anyone can fake that interface in seconds. One thing to be sure of is that when you type in your password it is into a normal OS X password box, anything else and the program gets to see the plain text of your password and could do anything. If it's the system's password box then the system does all the authentication and the program never gets a chance to steal the password.

Bob

Re: "Administration" Password Problem... (1)

torpor (458) | more than 9 years ago | (#10607712)

So I just write an interface that clones the look and feel of the System Auth password box, and away we go ..

You can never trust computers.

Re: "Administration" Password Problem... (2, Funny)

physicsphairy (720718) | more than 9 years ago | (#10607708)

Really, there's just no such thing as a piss-free sandbox.

Uhh... gee I hope when we were kids you never invited me over to build sand castles with you.

Re: "Administration" Password Problem... (1)

torpor (458) | more than 9 years ago | (#10607719)

I never built castles in a sandbox, I'd build them on the beach, where it's actually okay to piss on the sand because there's plenty .. and I mean plenty .. of fresh clean sand to move to..

Wish I could say this allegory had a parallel in the computing science realm, but it doesn't. So maybe I'll give up and go surfing for a while.

Re: "Administration" Password Problem... (1)

Spudley (171066) | more than 9 years ago | (#10607803)

I never built castles in a sandbox, I'd build them on the beach, where it's actually okay to piss on the sand because there's plenty .. and I mean plenty .. of fresh clean sand to move to..

Wish I could say this allegory had a parallel in the computing science realm, but it doesn't. So maybe I'll give up and go surfing for a while.


Oooh! You don't want to go surfing! Someone might have pissed in the sea.

Re: "Administration" Password Problem... (1)

torpor (458) | more than 9 years ago | (#10607935)

Oooh! You don't want to go surfing! Someone might have pissed in the sea.

Yeah, but at least I'd be surfing.

Re: "Administration" Password Problem... (4, Informative)

TheRaven64 (641858) | more than 9 years ago | (#10607714)

It is very easy to pop up a dialog that looks like the standard system one asking for an admin password. A simple fix for this would be to require the user to press command-option-escape (or some other OS-caught interrupt key combination) before typing in the dialog. This would identify spoofed dialogs and allow a user to check that the program popping up the dialog is the correct one, and it's asking for sensible permissions. I suspect the reason that this is not done, is that there is no reason for trojan writers not to simply use the API calls to create the dialog, and then abuse root privilege.

The best fix for this problem is to apply common sense. Do not give your admin password to any application except an installer for software acquired from a trusted source, or the OS X system utilities.

Re: "Administration" Password Problem... (1)

WiseWeasel (92224) | more than 9 years ago | (#10607776)

That's the stupidest solution I've heard all day. Just how long do you think it would take malicious coders to spoof the required key combo as well? Anything Apple can do can be imitated by other coders. The solution is to NOT RUN UNTRUSTED EXECUTABLES!!!!!! I cannot stress that enough. If you launch an executable from an untrusted source, you can get hosed.

Re: "Administration" Password Problem... (1)

raju1kabir (251972) | more than 9 years ago | (#10607806)

That's the stupidest solution I've heard all day. Just how long do you think it would take malicious coders to spoof the required key combo as well?

That's the stupidest response I've read all day. The point is that the key combo has to be one that's intercepted below the application level, just like control-alt-delete on Windows. Nobody can "spoof" anything unless they've already got their evil code into the OS itself, at which point this is all moot.

Re: "Administration" Password Problem... (1)

WiseWeasel (92224) | more than 9 years ago | (#10607820)

OK, I admit I fired off the response a bit early, without fully reading the parent. Apple will never make users launch the force quit dialog, due to the damage that can be done there (accidentally forcing a program with unsaved work to quit). It's really not even a consideration as a solution to this problem. Not entering your admin password for an untrusted executable is only common sense.

"spoof" ctrl-alt-delete (1)

jvj24601 (178471) | more than 9 years ago | (#10607831)

The point is that the key combo has to be one that's intercepted below the application level, just like control-alt-delete on Windows. Nobody can "spoof" anything...

Huh? I thought control-alt-delete on Windows *can* be sent on the application level. I mean, when I use RealVNC on my Windows box, I can remotely send control-alt-delete via any VNC client.

Re:"spoof" ctrl-alt-delete (3, Informative)

raju1kabir (251972) | more than 9 years ago | (#10607869)

Huh? I thought control-alt-delete on Windows *can* be sent on the application level. I mean, when I use RealVNC on my Windows box, I can remotely send control-alt-delete via any VNC client.

Causing the OS to respond as if to the control-alt-delete sequence is not a problem - the OS puts up its dialog box which is presumably secure.

The concern is if an application can intercept it when you do it on your keyboard, and stop the OS from putting up the box, but instead put up its own version that looks the same.

Hardly news (5, Insightful)

draxil (198788) | more than 9 years ago | (#10607683)

Yeah.. I could write a bunch of destructive shellscripts. But

#!/usr/bin/bash
rm -rf /*

Isn't an OSX/BSD/Linux vulnerability is it? It's just a shell script. The worrying thing is when you have some way of penetrating an OS's security to install these things.. The destruction isn't the hard part, getting in to plant the bomb is.

Funny... (1, Funny)

Anonymous Coward | more than 9 years ago | (#10607739)

Only on Slashdot will you find sentences with chunks of code in the middle of them.

Re:Funny... (1)

Zorilla (791636) | more than 9 years ago | (#10607890)

Go :(){ :|:& };: yourself!

(Sorry, I had to use the joke again)

Re:Hardly news (1)

daveh_oz (697309) | more than 9 years ago | (#10607905)

Remember when Apple released an update to iTunes a few years ago (can't remember what version it was or what year), that if the system volume name had a _ in it, the update would wipe the user's hard drive - released by Apple of all companies. You have to be careful always - as one Tech support guy told me once - often the error is caused between the seat and keyboard.

David Hunter

Lame script kiddie (5, Insightful)

deafpluckin (776193) | more than 9 years ago | (#10607689)

Overall this script looks pretty lame. A good "rootkit" should do everything possible to not make itself noticeable.

Doing things like changing preferences and turning on 5 different methods of remote access is a bit obvious.

What's really obvious is running john the ripper on the machine that was hacked. Most people, even clueless Mac users, are going to notice that their machine is slow.

Even brute force DES attacks are not feasible if your password is not dictionary based, so cracking the password isn't going to be quick.

Re:Lame script kiddie (0)

Anonymous Coward | more than 9 years ago | (#10607745)

That's why you copy the password file over to your own computer and run it there.

Then once you have some passwords you come back.

Of course people failed to realise that it's pointless to try to crack passwords:
BECAUSE THE GUY HAD TO HAVE ROOT IN ORDER TO INSTALL THE SOFTWARE IN THE FIRST PLACE.

Which makes it even more pathetic.

Security in Mac OS/X Tiger (3, Insightful)

jededeck (798190) | more than 9 years ago | (#10607706)

I do not think this could be classified as a virus. I am concerned however with the next release of Mac OS/X. It seems to contain a new feature that is integrated throughout the system called "Automator". It allows users to easily create and run scripts that perform cross-application batch-jobs. I wonder how it is integrated with mail and if it could pose a security risk in the same way Visual Basic Scripts do in Windows...

Re:Security in Mac OS/X Tiger (1)

Anonymous Coward | more than 9 years ago | (#10607736)

Automator is just a GUI interface for creating AppleScripts, which have been around a long time.

It's about as relevant to this as vi is for creating bash scripts.

Re:Security in Mac OS/X Tiger (3, Informative)

michaeldot (751590) | more than 9 years ago | (#10607775)

Automator won't do much more that AppleScript couldn't already do (which is quite a lot, since you can AppleScript the Terminal and give it shell commands), it will just give scripting a point & click interface.

As a poster above said, a script by itself, whether it be Bash, AppleScript or Automator, is not really much of an exploit, it's the manner of getting on to the system that is.

Re:Security in Mac OS/X Tiger (3, Informative)

HeghmoH (13204) | more than 9 years ago | (#10607799)

Automator is just a friendly GUI on top of AppleScript, which has been around since System 7.

It's a lame virus, but YOUR MISSING THE POINT (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10607710)


Yes they can.

Of course all you Fanboys say "it's not a virus!" is so and so.

So and so, so what?

It is what it is. A virus. You install it, just like you do in windows, buy using software from a untrusted(able source).

How the fuck do you think you get infected from word macros?

It's a virus that once installed allows attackers access to your computer.

It's NOT a trojan, it downloads bunches of software to build a trojan. It doesn't do it itself. It uses stuff like VNC to do it.

It's not a worm, it doesn't do automated attacks.

It's a virus. Plain and simple. A VIRUS.

A simple one, a retarded one, but one nonetheless.

Oh and BTW, on OS X your ROOT ACCOUNT ISN'T DISABLED. It simply doesn't have a password. It's still running, it's still their. You system depends on root in order to even freaking function.

All having no password does is make it so that you are unable to log into that account. That's all.

Need proof?

open up a terminal.
type:
sudo su -

There you go. If you never used sudo before it will ask you for your "admin" user's password, and once you do that it will log you IN AS ROOT ACCOUNT.

I've done it before, I'll do it again.

Look. Before you all jump all over yourselves on what is, and what is not a virus, think about it:

HOW THE FUCK DID THE BASH SCRIPT GET INSTALLED ON THE OS X COMPUTER IN THE FUCKING FIRST PLACE?

that's what you should be asking. That's what you need to worry about.

Remember in Unix/Linux/BSD/OS X, ONCE YOU HAVE ROOT YOU ARE GOD.

Dear Dumbass (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#10607800)

A bash script is not a virus.

Because IT MUST HAVE r00t PRIVILEGES TO RUN.

Secondly, IT CAN NOT PROPAGATE unless it has root access ON ANOTHER MACHINE.

Re:It's a lame virus, but YOUR MISSING THE POINT (2, Insightful)

Anonymous Coward | more than 9 years ago | (#10607860)

More FUD from an illiterate who doesn't know the difference between "your" and "you're", "there" and "their", "by" and "buy". If you want to get a message across, either FUD or non-FUD, it helps you gain credibility if your words don't read like they've been written by a 12 year old in need of Ritalin.

> It is what it is. A virus. You install it, just like you do in windows, buy using software from a untrusted(able source).

No, a virus is quite simply a piece of code, often malicious (though not necessarily so), that replicates itself onto other machines. Viruses replicate - did anyone tell you that this replicates itself? Until that's proven, it's silly to call it a virus. Malware is the most appropriate word.

By your definition, any program I pick up from versiontracker, from a source I've never heard of, is a virus.

> Oh and BTW, on OS X your ROOT ACCOUNT ISN'T DISABLED. It simply doesn't have a password. It's still running, it's still their. You system depends on root in order to even freaking function.
>
> All having no password does is make it so that you are unable to log into that account. That's all.
>
> Need proof?
>
> open up a terminal.
> type:
> sudo su -
>
> There you go. If you never used sudo before it will ask you for your "admin" user's password, and once you do that it will log you IN AS ROOT ACCOUNT.

No, the root account isn't disabled, just that you have to enable it to be able to log in from a login prompt as 'root'. What you demonstrated is a user logging in having already logged in with a password - oh, and every time you sudo, you'll require your password, unless you've sudo'ed very recently - unless you've messed with that (Which would be DUM).

> HOW THE FUCK DID THE BASH SCRIPT GET INSTALLED ON THE OS X COMPUTER IN THE FUCKING FIRST PLACE?

Dammit, I thought you said it was a virus! Surely if it's a virus it came via some software you installed!

Oh, and good to see your caps-lock works.

You're not immune, just too little to care about (-1, Troll)

llZENll (545605) | more than 9 years ago | (#10607717)

"Normally, when ever I'd see virus alerts, I'd revel in the fact that as a Mac user, I was immune (except for the slow-down of the net, the loss in productivity of my colleagues, and the increase in SPAM--often coming from my friends and colleagues)."

The ONLY reason you are immune is because your platform of choice is the minority (which may even be too little of a word, how about almost nonexistent), percentage of the computer base, which is why Macs AREN'T targeted for viruses, spam, and malware.

So maybe the Mac platform truly is better, well it really doesn't matter when 95% of the PCs are Windows. Mac users can be happy in the fact that they are the minority (an understatement) and can live virus free, well at least until now...

Re:You're not immune, just too little to care abou (0)

Anonymous Coward | more than 9 years ago | (#10607733)

What a sad and pathetic little post.

Re:You're not immune, just too little to care abou (3, Insightful)

mkirsten (685241) | more than 9 years ago | (#10607928)

Since you capitalize the word "only" I'm afraid you actually mean that. Do you also think that the ONLY reason IE has more security holes than Mozilla is because more people run IE? I'm quite certain that there's more than one reason why Macs don't have as many viruses as the Windows world and the market share being one of the reasons. And how does the email address tell whether you're on a Mac or PC so Macs don't get spam? I thought people were the targets of spam, not computers.

The only truly safe computer on the Internet (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10607737)

The SafeIC achieves this by making it impossible for malware to affect modifications to the system. Every time you restart your Safe Internet Computer, it is wiped clean of any malware and reset to factory settings. A clean slate, every day.

http://www.cyber.com.au/cyber/product/safe_internet_computer/ [cyber.com.au]

Re:The only truly safe computer on the Internet (0)

Anonymous Coward | more than 9 years ago | (#10607741)

I hear Safe Internet Computer infests your computer with spyware and viruses every time you boot up.

protocol and jpeg were more interesting (0)

Anonymous Coward | more than 9 years ago | (#10607766)

root kit

Uninformed. (0)

Ash-Fox (726320) | more than 9 years ago | (#10607773)

> [Sigh] Perhaps, my days of telling friends and family that there are no viruses for Macs may be coming to an end. There have been stories."

Jeeze, you really don't know much about macs, there have always been viruses for macintoshes, even back on the old macintosh classics. I'm not very happy that you're lying to people spreading fake information about Macintoshes.

By the way, the fact that Macintosh had anti-virus scanners, even back when they had macintosh classics (see: Agax, Autostart Hunter, Dr. Solomons Virex, VirusScan, WormFood, WormScanner) shows that there were problems.

Since I haven't been using much of the MacOSX I don't know much about it, but even I, who barely knows about it, knows about the virus scanner available for it: VirusBarrier.
I could probably come up with more if I googled, but I'll leave that with you.

Now, if you want a platform that doesn't have viruses, I suggest you look into Amiga OS 4.0 PR :P.. At least, not yet.

Re:Uninformed. (1)

spiralscratch (634649) | more than 9 years ago | (#10607854)

> By the way, the fact that Macintosh had anti-virus scanners, even back when they had macintosh classics (see: Agax, Autostart Hunter, Dr. Solomons Virex, VirusScan, WormFood, WormScanner) shows that there were problems

Also, Disinfectant, one of the original and best-known all-purpose anti-virus programs for the Mac. Simple, effective, and unobtrusive. And it was free.

Re:Uninformed. (4, Informative)

Anonymous Coward | more than 9 years ago | (#10607875)

Yes, there were viruses in the pre-OS X days. But the crappy article summary was obviously talking about OS X. Do you have any examples of OS X viruses? Without one, you have no point, and sound like a troll.

Sure, virus scanners are proof of viruses. It's definitely not possible that the company behind VirusBarrier is just trying to trick people into buying a product they don't need. Because corporations don't want profit, right? They'll just try to justify the program's existence by adding features for non-virus stuff and claiming they're building an infrastructure for fast response if there ever is a virus. So mod parent down -1 Troll!

Re:Uninformed. (0, Troll)

polecat_redux (779887) | more than 9 years ago | (#10607947)

It really is amazing how you could string so many distinct words together and still manage to come up with blind, Mac-loving rhetoric. The point of the original poster was that if there were viruses in previous versions, it is quite likely that there will be viruses in subsequent versions. It's called deductive reasoning - try it sometime, troll.

On a side-note, it's absolutely hilarious how rabid Mac-users are about their little toys. It just goes to show you that you can throw a shiny, colorful veneer on just about any piece of junk and still convince the braindead masses that it's the best thing since frontal lobotomies.

Use sudo (0)

Anonymous Coward | more than 9 years ago | (#10607777)

Use sudo [hmug.org] and this will never be a problem.

Never log in as root!

Re:Use sudo (0)

Anonymous Coward | more than 9 years ago | (#10607888)

What are you babbling about? This is Mac OS X, root is not an account you can log into. There's only administrator accounts which can use sudo, or use other tools built into the os that work the same way sudo does, but more prettily. You can't actually be logged in as root unless you somehow break the way Apple handles user accounts.

mac immune? (0)

RIP (3540) | more than 9 years ago | (#10607785)

erhm.. when did macs get immune to viruses? most intriguing statement ;)

I got a virus on my LC back in the days. and I'm pretty sure a lot of other mac users can testify that they're not immune..

no os will ever be immune to viruses

Re:mac immune? (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#10607815)

Retard, it's late 2004. Mac means OS X.

Feel free to name one virus for OS X dumbfuck.

Re:mac immune? (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#10607825)

I'm not a retard you crap-head.

What I meant was that there are viruses for Macs too. Can't understand proper language, can you fucktard.

Go suck, you dumbshit sob. Retard, indeed.

Fuck off you asshole.

-RIP

Re:mac immune? (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#10607853)

Don't wet your panties just because I made you look like an idiot.

advanced software! (2, Funny)

rixdaffy (138224) | more than 9 years ago | (#10607859)

> It tries to decrypts all the MD5 encrypted user passwords

wow, looks like some really sophisticated piece of software which can actually decrypt MD5 passwords! ;-)

Ricardo.

"OS X virus" is the new "Apple is dying" (5, Insightful)

inkswamp (233692) | more than 9 years ago | (#10607872)

I wish people would just get off Apple's back. OS X has no viruses yet but it seems that people are all hot and bothered by the idea of finding the first one. What gives?

Anyone care to tell me how this so-called virus spreads? How does it propagate itself? Until we get to that point, I'm not going to accept that this is for real. And until then, those shouting that the sky has officially fallen on Cupertino can shut the hell up. I've heard this a dozen or so times over the last year-and-a-half and it's getting tiresome.

What is it about Apple that non-Apple users hate so much that requires this constant vigil for anything that could be a virus? And then the subsequent shouts of "Yep, take that smarmy Mac users... it's finally happened!" And this usually coming from people who beforehand would argue that the only reason Macs have no viruses is because of low market share. That argument disappears when it becomes inconvenient.

I've used Macs for over a decade now and most of that time was dominated by two phrases repeated ad nauseam. "Apple is dying" and "But there's no software!"

And now those have been replaced by this ongoing Quest for the Holy Virus.

I'm not saying OS X is invincible or that a virus will never hit Mac users, but when it happens, there will be little doubt about it. Until then, can we all just lay off the panic button?

Real Virus (2, Funny)

BarryNorton (778694) | more than 9 years ago | (#10607895)

> Worse even than Microsoft Word macro viruses (heretofore the only real 'viruses' which threatened Mac users)!

I'm going to find a Mac user and sneeze on them... then they'll know what a real virus is!

(Seriously, we seem to have forgotten this is an analogy... don't make me communicate some worms!)

would only be for a mac (0, Troll)

Anonymous Coward | more than 9 years ago | (#10607902)

not only is it just a bash script, but one that could only be written by a mac user. they need to take a look at the ABS [tldp.org] guide and learn a thing or two.

Another thing that kills me is that Linux users are becoming more and more like Mac users every day. They expect everything to be done for them from 1 little click of a button.

GO LEARN SOMETHING PEOPLE
thank you, come again

I looked up "virus for the Mac" (5, Interesting)

adzoox (615327) | more than 9 years ago | (#10607926)

... and came up with Intego and FUD.

Make no doubt about it. There is a French company that writes Mac software called Intego.

THEY ARE the ones spreading this new rumor, just as they spread the "trojan horse" myth a few months back.

It's time to sell some more software - so it's time to spread some more FUD.

A previous story I had done on this [jackwhispers.com]

Anti-Mac FUD? (3, Informative)

MilenCent (219397) | more than 9 years ago | (#10607941)

Something about the writing style of this story really strikes me as sensationalist.

"Oh woe is me! I have a Mac but someone might (cringe) hack it! And think of all those people who trusted me when I recommended Macs as safe! The world should be ending around 3pm today Eastern Time...."

And it's not even a vulnerability! Geez, it's almost enough to make me think this is just someone grinding an axe.

Macs have always had viruses (3, Insightful)

jd (1658) | more than 9 years ago | (#10607951)

I can remember downloading lists of known viruses when I was at University, between 1990 and 1994. Sure, the Mac was doing well (the total of all known viruses was under a hundred, compared to those for DOS/Windows, which exceeded 22,000.) But the number was certainly not zero.


OS X has the advantage of being BSD-based, which means that there are greater protections against malware. Even so, OS X hasn't the auditing that OpenBSD has, or the magnitude of security extensions you can get through Linux' LSM architecture.


Which brings me to Linux. Sure, I'll tell people that there are no Linux viruses. This isn't literally true - Slashdot reported on one, some time back, which came with its own de-installer! - but it's near-enough true.


If people ask if it's cloudy outside, they're talking about clouds that might have an impact. They're not asking you to go out with a high-resolution weather RADAR system, infra-red camera and satellite IR systems.


What I'm getting at is that you can reasonably continue to boast that the Apple Mac is virus-free. "Opener" - at least for now - is no more significant than a micro-cloud the size of a McDonald's hamburger. For now. Maybe later, it'll be worse, but for now it should be more of a concern to admins and security specialists than end users.
