More on the "opener" malware
Yesterday we noted a shell script dubbed "opener" that, if installed with proper authentication on a Mac OS X system, can cause several problems, including password compromise and activity tracking.
While there is no immediate threat posed by this, or any other malicious shell script currently in circulation -- running the "opener" script and allowing it to do any damage requires root authentication, which must be locally entered by a Mac OS X administrator -- we did note a few precautions that lessen the chances of another individual gaining the ability to install and run a threatening script. These include generating a strong password, applying all recent security updates, and most importantly, only providing your administrator password to trusted applications.
Some MacFixIt users have decided to take their security precautions a step further and limit the amount of time they spend using an administrator account. One reader writes:
"Realistically, running as an administrator is the first major "right" you need to give up if you're worried about this hitting you. A common UNIX anthem regarding administration is 'never run as root.' Administrator access on a Mac puts you closer to root than is necessary for most tasks."
Some applications can compromise security by automatically echoing the root password
Also, as noted by a few readers, some applications echo your root password to perform certain tasks, leaving your password clearly printed in the process log, and temporarily enabling root access without explicit permission.
These applications include several of the popular maintenance utilities that can automatically repair permissions, perform cron tasks, and carry out other duties that require an administrator password.
A reader writes "Other programs have poor design choices which can do worse things than direct damage. For instance, I found a program the other day which made it easy to repair permissions. Not wanting to deal with the program each time, I figured I'd check out the process list and see what it was actually doing. It was programmed to echo my root password to a script which then executed the repair permissions utility. The problem with this is, my root password was clear, plain as day, in the process list."
The safest bet regarding this concern (which is a bit overstated) is simply not to use these applications, instead performing manual maintenance.
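To make the readers' observation concrete, here is an added example (not code from the MacFixIt article or from any of the utilities it mentions) that shows the leak itself: whatever a program puts on a command line ends up in that process's argument vector, which every local user can read from the process table, while input fed through stdin never appears there. The "helper" child process and the stand-in secret are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the MacFixIt article or from any of the
# utilities it mentions. It shows the leak the readers describe: whatever a
# program puts on a command line (an "echo PASSWORD | tool" wrapper, for
# instance) ends up in that process's argument vector, which every local
# user can read from the process table. Input fed through stdin does not.

# Snapshot the arguments of every process: /proc on Linux, ps elsewhere.
process_args_snapshot() {
    if [ -d /proc/self ]; then
        for f in /proc/[0-9]*/cmdline; do
            tr '\0' ' ' < "$f" 2>/dev/null
            printf '\n'
        done
    else
        ps -axo args= 2>/dev/null
    fi
}

# Return 0 if the string $1 appears anywhere in the snapshot. The match is
# done on a shell variable rather than with grep so that the search itself
# does not put the secret into yet another process's argument list.
string_in_process_table() {
    snapshot=$(process_args_snapshot)
    case "$snapshot" in
        *"$1"*) return 0 ;;
    esac
    return 1
}

# Insecure pattern: a constructed stand-in for a helper that is handed the
# password as an argument. The child sleeps briefly so we can inspect it.
secret_visible_when_passed_as_arg() {
    sh -c 'pw=$1; sleep 2; :' helper "$1" &
    child=$!
    sleep 1                      # let the child start before we look
    if string_in_process_table "$1"; then rc=0; else rc=1; fi
    wait "$child" 2>/dev/null || true
    return "$rc"
}

# Safer pattern: the same helper reads the password from stdin, so its
# argument vector never contains it.
secret_visible_when_passed_on_stdin() {
    printf '%s\n' "$1" | sh -c 'read -r pw; sleep 2; :' &
    child=$!
    sleep 1
    if string_in_process_table "$1"; then rc=0; else rc=1; fi
    wait "$child" 2>/dev/null || true
    return "$rc"
}
```

Calling `secret_visible_when_passed_as_arg "some-string"` returns 0 (the string was found in the process table) and `secret_visible_when_passed_on_stdin "some-string"` returns 1, which is the whole point: a tool that needs a password should read it from a terminal or a pipe, never take it on its command line. The same `ps` check the reader describes is what exposes the difference.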
Using Little Snitch
A number of users noted the use of Little Snitch, a shareware utility that monitors program attempts to initiate server communication, and only allows such attempts to proceed with your express approval. As one reader writes "With Little Snitch operating, you can rest assured no installer or application will surreptitiously 'phone home.'"
Unfortunately, this particular piece of malware ("opener") disables Little Snitch, but this measure is still effective for potentially preventing other scripts from doing harm.
Finally, a number of readers are asking "How do I know if the 'opener' malware is on my system?"
Some makers of Mac virus protection software, including Symantec, have updated their definitions to include the "opener" malware, so you can run a quick scan to see if the script is present.
The user who originally reported this problem found the file "opener" in his /Library/StartupItems/ folder.
Most likely, however, you've got nothing to worry about. This malicious script is not currently spreading, and until someone develops an effective vector for disseminating it, there's no immediate threat of it popping up on your system.
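For readers who would rather look for themselves than wait for a definition update, here is an added example (not from the MacFixIt article or any vendor scanner) that audits a StartupItems directory of the kind the original reporter looked in. It flags an entry named "opener", an entry missing the StartupParameters.plist that every genuine startup item carries, an entry whose executable is missing, and files writable by group or others. The sample directory layout in the usage below is constructed; the function names are the example's own.

```sh
#!/bin/sh
# Added example, not from the MacFixIt article or any vendor scanner. It
# audits a Mac OS X StartupItems directory (the place the original reporter
# found the "opener" file) and flags entries a defender should look at:
# a directory named after the known script, an item without the
# StartupParameters.plist every genuine startup item carries, an item whose
# executable is missing, or files writable by group or others (startup
# items are expected to be root-owned and writable only by root).

# Portable group/other-writable test using the ls mode string, since
# stat(1) takes different flags on Linux and macOS. Returns 0 if writable.
writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Usage: audit_startup_items DIR
# Prints one "FLAG <item>: <reasons>" line per suspicious item and returns
# 1 if anything was flagged, 0 if the directory looks clean.
audit_startup_items() {
    flagged=0
    for item in "$1"/*/; do
        [ -d "$item" ] || continue
        item=${item%/}
        name=$(basename "$item")
        reasons=""
        case "$name" in
            opener) reasons="${reasons}named like the known malicious script; " ;;
        esac
        [ -f "$item/StartupParameters.plist" ] || reasons="${reasons}no StartupParameters.plist; "
        [ -x "$item/$name" ] || reasons="${reasons}executable $name missing; "
        if writable_by_others "$item"; then
            reasons="${reasons}directory writable by group/others; "
        fi
        if [ -e "$item/$name" ] && writable_by_others "$item/$name"; then
            reasons="${reasons}executable writable by group/others; "
        fi
        if [ -n "$reasons" ]; then
            printf 'FLAG %s: %s\n' "$name" "${reasons%; }"
            flagged=1
        fi
    done
    return "$flagged"
}
```

Run it as `audit_startup_items /Library/StartupItems` (and again on /System/Library/StartupItems). A clean result is no output and exit status 0; anything printed deserves a look, and a name match on "opener" is exactly the file the reader reported. The permission checks are there because a startup item that another account can write to is a way for a script to gain root at the next boot, whatever its name.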
Concern for future malware
Some readers expressed concern that while no threat currently exists, the publicity generated by the "opener" malware could trigger a wave of attempts to develop an effective delivery vector, and perhaps more malicious scripts.
David Bills writes "I'm especially concerned about the knowledge that Opener reveals to the world -- namely that Mac OS X can be manipulated very easily from the shell and now the code to do so is right out in the open -- including how to break the system keychain. [...]"
"To most users (the process of entering an administrator password) is misunderstood and annoying. If the system prompts for a password, they enter it."
Bills' comments re-emphasize the fact that only providing your administrator password to trusted applications is essential for blocking this or any other malicious script.