Focus on Virus
Back to list
RE: MacOSX worm
Oct 27 2004 12:47PM
M. Shirk (shirkdog_linux hotmail com)
This is not a virus, it has to be execute by the victum. This is a rootkit
as you said.
However, reading through this description I see that it is not a good
"Runs as root, as no "sudo" commands are needed."
Root is not enabled by default. People like myself go in and of course
enable the root account, but you need to be an admin to do so.
Therefore it can not run as root without first getting an administrator
password and then enabling root.
"Launches a keystroke-mapping application (if installed) called Krec, to
record the keyboard entry of passwords."
Uh, I will check my iBook when I get home because I was not away a keystroke
logger was installed
by default :-)
Then there is this:
"There appears to be no attempt by the script to send the passwords to an
email address or FTP site. However, the computer's state is compromised to
the extent that anyone with knowledge of the script could login and access
the log files containing serial numbers and passwords."
So aside from hoping to getting an administrator password, there is no
network traffic and no backdoor processes or communication. Even if an
account is compromised, the information is not sent to a remote location
(kinda defeats the purpose of using a keylogger). If anything, its an
annoying rootkit. I would compare this activity to some administrator
screwing up his XServe. Maybe this is a good joke for a couple of your
friends using Mac OS X.
One thing does deserve analysis:
"Modifies the LimeWire settings, deletes log files, and creates an admin
level user named:
so the machine can then be accessed in the future by a hacker who knows
about this script. This user name will appear in the NetInfo Manager. "
Mac OS X defines file system domains:
I would have to test this, or hopefully someone can setup a lab and see what
information you could possibly pilfer. People have been dying to have a
MacOSX virus to throw at Apple, but in this case its just a shell script.
My 2 cents.
From: keydet89 (at) yahoo (dot) com [email concealed] [mailto:keydet89 (at) yahoo (dot) com [email concealed]]
Sent: Tuesday, October 26, 2004 12:09 PM
To: focus-virus (at) securityfocus (dot) com [email concealed]
Subject: MacOSX worm
SF has a Register article about Opener/Renepo-A. The article describes this
as a "rootkit" (the term is, in fact, used in the title of the article), yet
Sophos (linked in the article) classifies it as a worm. Neither the
Register article nor the Sophos write up describe any rootkit-like
Here's the Symantec writeup:
The Register article calls the "rootkit" "destructive", yet doesn't describe
any destructive capabilities. However, the Symantec writeup does.
So...what's the real deal? Is the media spreading FUD, or is the A/V
community downplaying the effectiveness of this bit of malware?
"Windows Forensics and Incident Recovery"
Get ready for school! Find articles, homework help and more in the Back to
School Guide! http://special.msn.com/network/04backtoschool.armx
[ reply ]
Copyright 2010, SecurityFocus