The SH/Renepo "worm" (also known as Opener) scare

Over the weekend, MacInTouch and Slashdot posted information regarding a shell script dubbed "opener" that, if installed with proper authentication on a Mac OS X system, can trigger several vulnerabilities including password compromising and activity tracking. Several publications have since sounded the alarm, with headlines like "Mac users face rare virus" and "Destructive Mac virus spies on Apple users".

Fortunately, there is no immediate threat posed by this, or any other malicious shell script currently in circulation -- running the "opener" script and allowing it to do any damage requires root authentication, which must be locally entered by a Mac OS X administrator. There is currently no vector for this or any other malicious Mac OS X script, i.e. no way for the script to autonomously take hold of the system or propagate itself to other systems without express administrator permission. In other words, it is not spreading, and cannot spread without a vector that is capable of gaining root access.

Source: MacFixIt

Say this with me:

must be locally entered by a Mac OS X administrator
must be locally entered by a Mac OS X administrator
must be locally entered by a Mac OS X administrator
must be locally entered by a Mac OS X administrator

There. Do you feel better? I sure do. People need to settle down. There have been many similar malware scripts over the short history of OS X that could compromise a computer, but the password must be locally entered by a Mac OS X administrator.

But since OS X has historically been virus-free, when a potential virus shows up all the moron news agencies start to cry wolf. They all want to be there to break the story when the Teflon coating of Mac OS X is broken and a virus starts wreaking havoc on a mass scale. Well, that hasn't happened yet, and it's not going to happen with the "Opener" worm unless people just type their administrator password in for no good reason at all.

Sophos, as usual, has a good explanation of what this worm tries to do. Be sure to read it if you want more information.

Sure, it's a scary-sounding startup script. And Mac users should not feel as if they are 100% safe from virus attacks, but let's get a grip, people! Unwittingly giving arbitrary code the permission to run is perhaps the greatest current security threat for Mac OS X users.

Welcome to using a Unix based Operating System: the OS thinks you know what the [bleep] you are doing.

How did it suddenly become a vulnerability that if you have root access to someone's machine, you can write a script that will automatically install a bunch of malware?
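The post's point is that a startup script only matters once someone has installed it with root authentication. The defender's side of that is checking what actually sits in the StartupItems folders. The following POSIX shell audit is an added example, not code from the post, from MacFixIt or from Sophos; it assumes the Mac OS X startup-item layout of the time (a folder per item under /Library/StartupItems or /System/Library/StartupItems, holding an executable of the same name plus a StartupParameters.plist) and flags items that are malformed or writable by non-root users.

```shell
#!/bin/sh
# Added example, not code from the post, MacFixIt or Sophos. Audits a Mac OS X
# StartupItems directory (assumed paths: /Library/StartupItems or
# /System/Library/StartupItems) for entries that a script run as root could have
# dropped, or that a local user could tamper with.

# audit_startup_items DIR
# Prints "<item> <reason>" for each finding; returns 0 when clean, 1 otherwise.
audit_startup_items() {
    dir="$1"
    found=0
    for item in "$dir"/*/; do
        [ -d "$item" ] || continue
        item=${item%/}                 # strip the trailing slash left by the glob
        name=$(basename "$item")
        # A well-formed StartupItem is a folder holding an executable of the same
        # name plus a StartupParameters.plist; anything else deserves a look.
        if [ ! -f "$item/StartupParameters.plist" ]; then
            echo "$name missing-StartupParameters.plist"
            found=1
        fi
        if [ ! -x "$item/$name" ]; then
            echo "$name missing-executable"
            found=1
        fi
        # Group- or world-writable folders or executables let any local user swap
        # in what root runs at boot, without ever typing the admin password.
        for f in "$item" "$item/$name"; do
            [ -e "$f" ] || continue
            # positions 6 and 9 of the ls mode string are the group/other write bits
            case $(ls -ld "$f" | cut -c1-10) in
                ?????w*|????????w*)
                    if [ "$f" = "$item" ]; then what=folder; else what=executable; fi
                    echo "$name writable-by-others:$what"
                    found=1 ;;
            esac
        done
    done
    return $found
}

# Usage (assumed path): audit_startup_items /Library/StartupItems
```

Run it against each StartupItems folder and compare the item names against what you expect to be there; a folder you do not recognise, or one that any user can write to, is worth opening before the next reboot runs it as root.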

Comments (4)

Dan Kohler:

This isn't even a worm. Sophos latched on to a few lines in the script that copy the script to other mounted volumes but it requires that the volume ALREADY be mounted when the script runs at startup before any user is logged in.

And the network volume would have to have an OS X System on it - have you tried to share a drive in OS X lately? There is no feature in the GUI that allows you to do so.

And even if the script runs as root locally, access to the mounted volume would not permit installing the script into its StartupItems folder since it is not possible to connect to a shared volume as the root user of the remote machine.

In other words, it's not a virus, not a worm, not a trojan and not a threat. It's a shell script. Sophos and the other AV companies are just pumping the story up to sell their software and the media is happy to help them apparently.

Thanks for the post Dan!

I put "worm" in quotes just because everyone is calling it a worm, and it is not even close.

It is a shell script, it's a rootkit, but that's a nasty Unixy name that the normal people would not know what it was.

I agree that all these AV companies are just trying to pump their product, but I give Sophos more credit than the rest. They have a great product and they do not pepper their PR releases about viruses too badly. I remember they had a great write-up about that MP3 "virus" that came to OS X a little while ago.

Is it really possible to spread this anyway? And what good can come out of a "trojan" on a Mac anyway? People blow these things way out of the water to protect Microsoft from all the ill feelings regarding their security holes. The problem is that it isn't really a security hole in OSes asking you to supply the password! Wouldn't it be great if all viruses were "password protected"?

Although, I do have to say that *some* users in our organization have already downloaded and installed this thing. Never hit any of our servers. We run Novell for our Mac file-share. Nobody ever said that Mac users were smarter than Windows users!

> Nobody ever said that Mac users were smarter than Windows users!

If that ain't the truth, I don't know what is!

Neither Mac nor PC users are smarter than the other.
