There is a discussion going on over at Macintouch about what they are calling "Opener" malware. I sent a comment but unfortunately it was below the threshold of what was published. The discussion focuses on the Opener script but mostly misses the critical point: the script is one part of OSXRK, the OS X Root Kit. All of the comments I read at Macintouch are at best misinformed. The Opener script by itself does not "infect" computers, but as part of OSXRK it can be used against machines that have already been compromised. From the readme file:
###################################
# osxrk : OS X - Rookit
#
# the burning man - Public Release 0.2.1
# Sept. 2004
#
# by g@pple
#
# greets and thanks to Dim Bulb, Dr. Springfield, Jawn Doh!, B-r00t!,
# the fbsdrk & fbsdrootkit teams for inspiration.
#This is the initial Public Release of the OS X RootKit. This type of rootkit should be easy to defend against if you really care about your computer. Keep your system up to date and patched.
A quick way to tell whether this rootkit is on your system is to run
id LDAP-daemon
on your OS X box. The output you want to see is
id: LDAP-daemon: no such user
If instead you get a line beginning with uid= then that account exists, all is not well, and you have more than just the Opener script to worry about.
Another test is
telnet localhost 31337
You should get a couple of lines, the last of which is
telnet: Unable to connect to remote host
If you get anything else, such as a connection that stays open, you have had better days.
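The two checks above, wrapped into a small script so they can be run together, as an added example that is not from the original post or from OSXRK itself. The indicators (an account named LDAP-daemon and a listener on TCP port 31337) are the ones the post names; the function names are my own. The port probe uses bash's /dev/tcp pseudo-device instead of telnet so it needs nothing beyond the shell; on a plain POSIX sh it simply reports the port as closed.

```shell
#!/bin/sh
# Added example: quick check for the two OSXRK indicators described in the post.
# Caveat from the post itself: on an owned machine the id binary, the shell and
# anything else you run may have been replaced, so a clean result proves nothing.
# A hit, on the other hand, is a real hit.

# user_exists NAME -> 0 if the account resolves, 1 otherwise.
# Equivalent to running "id NAME" by hand and not seeing "no such user".
user_exists() {
    id "$1" >/dev/null 2>&1
}

# port_open PORT -> 0 if something accepts a TCP connection on 127.0.0.1:PORT.
# Replaces the manual "telnet localhost PORT" test. Only bash can open
# /dev/tcp; under another sh we cannot probe and report closed (1).
port_open() {
    port="$1"
    if [ -n "$BASH_VERSION" ]; then
        (exec 3<>"/dev/tcp/127.0.0.1/$port") 2>/dev/null
    else
        return 1
    fi
}

# osxrk_check -> prints one line per indicator; returns 0 if neither indicator
# is present, 1 if at least one is.
osxrk_check() {
    hits=0
    if user_exists LDAP-daemon; then
        echo "HIT: account LDAP-daemon exists (OSXRK indicator)"
        hits=$((hits + 1))
    else
        echo "ok: no LDAP-daemon account"
    fi
    if port_open 31337; then
        echo "HIT: something is accepting connections on 127.0.0.1:31337"
        hits=$((hits + 1))
    else
        echo "ok: nothing accepting connections on port 31337"
    fi
    [ "$hits" -eq 0 ]
}

# Run the check when the script is executed directly.
osxrk_check
```

Run it with bash rather than sh to get the real port probe. If either line reports HIT, stop using the machine and go straight to the recovery step below; do not start hunting through the filesystem with the tools already on the box.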
Recovery - If you find your machine infected, the only rational thing to do is to shut it down, boot from the OS X CD and reinstall the operating system. You cannot trust the output of find, ls or any other command on the running system, because whoever owns your machine will have replaced them.
1 Comment
Another OS X root kit...
http://neil.slampt.net/
This new one is a kernel extension instead of a bash script!