Unix/Opener.worm

This page shows the details and results of our analysis of the malware Unix/Opener.worm.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum Engine

5600.1067

File Length

46007

Description Added

2004-10-27

Description Modified

2004-10-28

Malware Proliferation

Characteristics

-- Update October 27th 2004 --
The risk assessment of this threat has been deemed Low-Profiled due to the following media attention:

http://www.arnnet.com.au/index.php/id;1771656169;fp;2;fpid;1

The worm is referred to as Renepo within the article.
--

Detection was added to cover a malicious file originally named "opener.sh", with a file size of 46007 bytes.

The file is a Unix-type shell script. In this case the script is specifically targeted at Macintosh systems running the OS X operating system. OS X has Unix-style shell scripting support; earlier Macintosh versions, such as v9, have a different internal file/script structure and are not vulnerable to this worm.

The opener.sh shell script consists of many subroutines, each with malicious intent; its main purpose is to disable the system firewall, collect user information and try to spread via shares.

This threat does not make use of an exploit, so for the script to run successfully on a system and make changes, the user account from which it is run must have sufficient rights. If no superuser/root/admin access is available, many of the subroutines will fail and generate errors.

When executed, the script tries to move itself to the /System/Library/StartupItems directory.

Symptoms

The various subroutines try to carry out the following tasks:

  • Install ohphoneX
  • Disable the OS X built-in firewall
  • Disable software updating so that future fixes are not automatically downloaded or installed on the system
  • Stop the LittleSnitch StartupItem
  • Start "krec" if it is installed. krec is a keystroke recorder; it is started to capture user input.
  • Change permissions so that everybody can write to the hostconfig, ssh and cron files
  • Turn on file sharing
  • Turn on remote login
  • Gather system information such as hashes and preferences, and create a hidden folder called .info
  • Record the computer name and IP addresses
  • Retrieve the network port configuration
  • Retrieve the stored Open Firmware password
  • Retrieve the passwd file
  • Delete log files to conceal the compromise
  • Create an admin user called LDAP-daemon with the password 1234
  • Add a command to the daily cron script that tries to grep for passwords
  • Download and install other programs, such as dsniff, to start sniffing for passwords
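
The symptoms above translate directly into host-level indicators an administrator can audit for. The following POSIX shell audit function is an added example, not part of the original description or of any vendor tooling: it scans a given root directory for a StartupItems entry containing "opener", a hidden .info folder, a world-writable hostconfig/ssh/crontab file, file sharing switched on, and an LDAP-daemon account in a passwd-style file. The exact file paths, the use of the hostconfig key AFPSERVER=-YES- to mean "file sharing on", and the sample tree built by build_sample_root are assumptions made for this example, not facts taken from the page.

```shell
#!/bin/sh
# Added audit script (example only, not from the original description).
# Prints one line per indicator found under ROOT and returns 0 if any
# indicator was seen, 1 if the tree looks clean.
audit_opener_indicators() {
    root="${1:-/}"
    found=0

    # 1. The script tries to copy itself under /System/Library/StartupItems.
    #    Matching on "*opener*" is an assumption about the item name.
    for item in "$root"/System/Library/StartupItems/*opener*; do
        [ -e "$item" ] || continue
        echo "startupitem: $item"
        found=1
    done

    # 2. A hidden .info folder is created to stage gathered data
    #    (locations checked here are assumed).
    for d in "$root"/.info "$root"/Users/*/.info; do
        [ -d "$d" ] || continue
        echo "hidden-folder: $d"
        found=1
    done

    # 3. hostconfig, ssh and cron files made world-writable.
    #    Parse the mode string from ls -ld; character 9 is "other write".
    for f in "$root/etc/hostconfig" "$root/etc/ssh_config" \
             "$root/etc/sshd_config" "$root/etc/crontab"; do
        [ -e "$f" ] || continue
        perms=$(ls -ld "$f" | cut -c1-10)
        case "$perms" in
            ????????w?) echo "world-writable: $f ($perms)"; found=1 ;;
        esac
    done

    # 4. File sharing turned on. AFPSERVER=-YES- in hostconfig is the
    #    assumed marker for the OS X versions of that era.
    if [ -f "$root/etc/hostconfig" ] && grep -q '^AFPSERVER=-YES-' "$root/etc/hostconfig"; then
        echo "filesharing-on: AFPSERVER=-YES- in $root/etc/hostconfig"
        found=1
    fi

    # 5. Backdoor admin account "LDAP-daemon" in a passwd-style file.
    if [ -f "$root/etc/passwd" ] && grep -q '^LDAP-daemon:' "$root/etc/passwd"; then
        echo "backdoor-account: LDAP-daemon in $root/etc/passwd"
        found=1
    fi

    [ "$found" -eq 1 ]
}

# Constructed sample tree showing all five indicators (test data, not a
# real infection). Prints the temp directory it created.
build_sample_root() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/System/Library/StartupItems/opener" "$tmp/Users/demo/.info" "$tmp/etc"
    printf 'AFPSERVER=-YES-\n' > "$tmp/etc/hostconfig"
    chmod 666 "$tmp/etc/hostconfig"          # world-writable
    : > "$tmp/etc/crontab"
    chmod 644 "$tmp/etc/crontab"             # left sane on purpose
    printf 'root:*:0:0:System Administrator:/var/root:/bin/sh\n' > "$tmp/etc/passwd"
    printf 'LDAP-daemon:*:501:20:LDAP-daemon:/Users/LDAP-daemon:/bin/sh\n' >> "$tmp/etc/passwd"
    echo "$tmp"
}

# Number of indicator lines reported for a root directory.
count_indicators() {
    audit_opener_indicators "$1" | wc -l | tr -d ' '
}
```

Run `audit_opener_indicators /` as root on a live system to audit it directly, or `audit_opener_indicators "$(build_sample_root)"` to see the five findings the constructed tree produces; the mode check uses `ls -ld` rather than `stat` so that the same script works on both BSD-derived and GNU userlands.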

Method of Infection

Infection starts with the execution of the opener.sh file, either manually (with the script posing as something else) or automatically by share-hopping. Properly configured OS X systems, with file sharing disabled and not running with root/superuser/admin rights, should not be vulnerable.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Variants