Risk: Medium
A script-based threat that spies on Mac users has caught the attention of some security industry watchers. The malware, which has been dubbed Opener by Mac user groups, can disable Mac OS X's built-in firewall, steal personal information and destroy data. It is not yet a widespread danger, however.
Security experts say those traits are common among the many online threats targeting Microsoft's ubiquitous Windows operating system but are virtually unheard of on Apple Computer's Mac OS.
Paul Ducklin, Sophos' head of technology in the Asia-Pacific region, said that the software, which Sophos calls Renepo, is designed to affect Mac OS X drives connected to an infected system and that it leaves affected computers vulnerable to further attack.
Ducklin said Opener disables Mac OS X's built-in firewall, creates a back door so the malware author can control the computer remotely, locates any passwords stored on the hard drive, and downloads a password cracker called JohnTheRipper.
Opener is a "rootkit," or a set of software tools that intruders can use to gain access to a computer; it's installed either through a known vulnerability or password-cracking. Rootkits don't spread on their own, as viruses do, and require administrator access to be installed.
According to Ducklin, Opener could try to spread by copying itself to any drive that is mounted to the infected computer. This could be a local drive, part of a local network or a remote computer. It could also be the start of a spate of attacks that use Mac OS X's scripting features against its users, he said.
"The existence of Unix shells - such as Bash, for which this virus is written - and the presence of powerful networking commands opens up the game a little bit for Mac users. It is no longer necessary to know about Mac file formats or executables. You can write your malware in script. And if you really wanted to, you could probably write a portable virus that would run on many flavors of Unix and Mac," said Ducklin.
Chris Waldrip, president of the U.S.-based Atlanta Macintosh Users Group, posted a detailed description of Opener on the MacInTouch web site. Waldrip, who acknowledges that the threat has him "a bit spooked," said Opener seems to have started out with a "legitimate purpose" but has now been developed into a replicating piece of malware.
Waldrip's site also cautions against overreacting to Opener and advises people to use proper security techniques: "As readers take pains to point out, the threat has not yet been incorporated into a widespread virus, worm or Trojan horse, but that's a fairly short step from what we've already seen, and it's important to implement good security procedures."
Mikko Hypponen, director of antivirus research at F-Secure, said that viruses targeting the Macintosh system virtually disappeared in the late 1980s.
"Things have been really quiet on Macintosh front, virus-wise. Back in the late 1980s, viruses used to be a much bigger problem on Macs than on PCs. We here at F-Secure used to have an antivirus product for Mac but discontinued it after the macro viruses died out," said Hypponen.
Symantec said users of Norton AntiVirus for Mac OS X were protected as long as they had very recently updated their signatures. A representative for the company said the relevant signature files were available.