Destructive OS X malware spies on Apple users

A malicious script that spies on Apple Mac users was discovered over the weekend. The malware, which has been dubbed 'Opener' by Mac user-groups, disables Mac OS X's built-in firewall, steals personal information and can destroy data.

A malicious script that spies on Apple Mac users was discovered over the weekend. The malware, which has been dubbed 'Opener' by Mac user-groups, disables Mac OS X's built-in firewall, steals personal information and can destroy data.

Security experts say these traits are common among the thousands of viruses targeting Microsoft's ubiquitous Windows operating system but are virtually unheard of amongst the Apple Macintosh community.

Paul Ducklin, Sophos' head of technology in the Asia Pacific, told ZDNet Australia that the malware, which Sophos calls Renepo, is designed to infect any Mac OS X drives connected to the infected system and it leaves affected computers vulnerable to further hacker attack.

Ducklin said Opener disables Mac OS X's built in firewall, creates a back door so the malware author can control the computer remotely, locates any passwords stored on the hard drive and downloads a password cracker called JohnTheRipper.

According to Ducklin, Opener tries to spread by copying itself to any drive that is mounted to the infected computer. This could be a local drive, part of a local network or a remote computer.

Most worryingly, according to Ducklin, this could be the start of a spate of malware that uses Mac OS X's scripting features against its users.

"The existence of Unix shells -- such as Bash for which Opener is written -- and the presence of powerful networking commands opens up the game a little bit for Mac users. It is no longer necessary to know about Mac file formats or executables you can write your malware in script and if you really wanted to you could probably write a portable virus that would run on many flavours of Unix (and Mac)," said Ducklin.

Chris Waldrip, president of the US-based Atlanta Macintosh Users Group, posted a detailed description of Opener on the MacInTouch Web site.

According to Waldrip, who admits the malware has him "a bit spooked," Opener seems to have started out with a "legitimate purpose" but has now been developed into a replicating piece of malware.

"I'm not sure how this could be guarded against," he said.

Mikko Hyppönen, director of antivirus research at F-Secure, said that viruses targeting the Macintosh system virtually disappeared in the late 80s.

"Things have been really quiet on Macintosh-front, virus-wise. Back in the late 1980s, viruses used to be a much bigger problem on Macs than on PCs. We here at F-Secure used to have an antivirus product for Mac but discontinued it after the macro viruses died out," said Hyppönen.

Symantec said users of Norton AntiVirus for Mac OS X were protected as long as they had updated their signatures over the weekend. A spokesperson for the company said the relevant signature files had been available since Friday evening.