TMO Reports - Renepo Worm Targets Mac OS X

by , 11:30 AM EDT, October 25th, 2004

Security experts have discovered a worm that targets Apple's Mac OS X , disguising itself as a shell script. There are currently no reports of the virus in the wild, but experts are concerned that if it spreads, its effects could be serious.

Graham Cluley, Senior Technology Consultant at security software maker Sophos Plc, told the Mac Observer the virus entitled 'Opener', or 'Renepo' (opener spelled backwards), was discovered Friday and is being sent round the antivirus community for analysis.

"We have no reports of anyone actually be infected by it, yet," he said. "We're not expecting that to happen at the moment. I think what's happening here is that their is a group of people in the Macintosh underground community who are interested in pushing the Mac OS to its limits and seeing if they can crack it and investigate what kind of problems they could cause in the future."

Mr. Cluley said Renepo is a self-propagating worm that doesn't use e-mail as a carrier. Instead, it first needs to get root access to a system, but once run will begin seeking out other drives and systems on the network to which it can copy and spread.

"Once on a drive, it does a number of things including turning off system accounting and logging, the OS X firewall, software auto-updates, and the OS X security program LittleSnitch," said Mr. Cluley. "It also creates a new admin-level user which can be used for subsequent system access. It turns on filesharing, and copies some key system files making them world-writeable. It creates a huge back door. It's a smart worm."

The worm also installs a number of pieces of software, such as ohphoneX (a voice and video sharing program for OS X), John the Ripper (a password cracker) and dsniff (a password sniffer). It scans the swap file, Samba and VNC (virtual network computing) connections for passwords and creates a folder in which to store this, IP numbers of other infected computers and other data found on the hard drive.

Mr. Cluley said the worm could be propagated as a promotion via e-mail, encouraging the reader to go to a specific Web address and download the script now to update the Mac OS or some other specific software program.

Mr. Cluley believes the worm is not an enormous problem and doesn't believe Mac users should panic.

"Be vigilant about these things and don't get complacent," he said. "This is not just a problems for Windows users any more."

Mr. Cluley doubts there is much Apple could do to stop the worm from causing damage on a Mac because most worms do not exploit holes in an operating system, but rather "exploit bugs in people's brains by relying on humans to do something dumb and install viruses."

Mr. Cluley said he is confident a number of major virus protection companies will release a virus update to scan and detect Renepo in the coming few days.